SPNEGO

{{Short description|Security protocol used with GSSAPI}}

{{Use dmy dates|date=November 2022}}

Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO), often pronounced "spenay-go", is a GSSAPI "pseudo mechanism" used by client-server software to negotiate the choice of security technology. SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports. The client sends an ordered list of the mechanisms it supports (its preferred one first), optionally together with the first token of that preferred mechanism; the server picks the first mechanism in the list that it also supports, and all further security operations are dispatched to the selected mechanism. The "Protected" in the name refers to the MIC (message integrity code) that the selected mechanism computes over the mechanism list, which lets either side detect an attacker on the path who removed stronger mechanisms from the list to force a weaker one. This can help organizations deploy new security mechanisms in a phased manner.

SPNEGO's most visible use is in Microsoft's "HTTP Negotiate" authentication extension. It was first implemented in Internet Explorer 5.01 and IIS 5.0 and provided single sign-on capability later marketed as Integrated Windows Authentication. The server challenges with a 401 response carrying a WWW-Authenticate: Negotiate header, and the client answers with an Authorization: Negotiate header whose value is the base64-encoded SPNEGO token. The negotiable sub-mechanisms included Kerberos and NTLM, both used in Active Directory; Kerberos is selected when the client can obtain a service ticket for the server, otherwise the exchange falls back to NTLM. The HTTP Negotiate extension was later implemented with similar support in:

  • Mozilla 1.7 beta[https://bugzilla.mozilla.org/show_bug.cgi?id=17578 Mozilla bug 17578: I want Kerberos authentication and TGT forwarding]
  • Mozilla Firefox 0.9
  • Konqueror 3.3.1{{cite web | url=http://article.gmane.org/gmane.comp.kde.devel.kfm/6300 | title=Konqueror has SPNEGO support | work=Apache and Kerberos tutorial | access-date=30 May 2005 | url-status=live | archive-url=https://web.archive.org/web/20050419055107/http://article.gmane.org/gmane.comp.kde.devel.kfm/6300 | archive-date=19 April 2005 }}
  • Google Chrome 6.0.472{{cite web | url=http://code.google.com/p/chromium/issues/detail?id=28282 | title=Support for SPNEGO authentication | work=Google Chrome Enhancement Request | access-date=20 November 2010 | url-status=live | archive-url=https://web.archive.org/web/20121111061907/http://code.google.com/p/chromium/issues/detail?id=28282 | archive-date=11 November 2012 }}

History

  • 19 February 1996 – Eric Baize and Denis Pinkas publish the Internet Draft Simple GSS-API Negotiation Mechanism (draft-ietf-cat-snego-01.txt).
  • 17 October 1996 – The mechanism is assigned the object identifier 1.3.6.1.5.5.2 and is abbreviated snego.
  • 25 March 1997 – Optimistic piggybacking of one mechanism's initial token is added. This saves a round trip.
  • 22 April 1997 – The "preferred" mechanism concept is introduced. The draft standard's name is changed from just "Simple" to "Simple and Protected" (spnego).
  • 16 May 1997 – Context flags are added (delegation, mutual auth, etc.). Defenses are provided against attacks on the new "preferred" mechanism.
  • 22 July 1997 – More context flags are added (integrity and confidentiality).
  • 18 November 1997 – The rules of selecting the common mechanism are relaxed. Mechanism preference is integrated into the mechanism list.
  • 4 March 1998 – An optimisation is made for an odd number of exchanges. The mechanism list itself is made optional.
  • December 1998 (Final) – DER encoding is chosen to disambiguate how the MIC is calculated. The draft is submitted for standardisation as RFC 2478.
  • October 2005 – Interoperability with Microsoft implementations is addressed. Some constraints are improved and clarified and defects corrected. Published as RFC 4178, which obsoletes RFC 2478; an RFC 4178 implementation is not interoperable with strict implementations of the old RFC 2478 behaviour.

Notes

{{Reflist}}

References

  • {{cite web | title=Internet Drafts of RFC 4178 | work=All (Current & Expired) Internet Drafts Collection – Drafts | url=http://potaroo.net/ietf/idref/rfc4178/ | access-date=23 August 2014}}
  • {{cite web | url=https://msdn.microsoft.com/en-us/library/ms995330.aspx | title=HTTP-Based Cross-Platform Authentication via the Negotiate Protocol | work=Microsoft Developer Network (MSDN) library | access-date=8 October 2015}}
  • {{cite web | url=http://www.grolmsnet.de/kerbtut/ | title=Using mod_auth_kerb and Windows 2000/2003 as KDC | work=Tutorial | access-date=2 December 2005}}