SPNEGO

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Dleonard (talk | contribs) at 03:28, 1 October 2007 (Provide some context; use simpler language and include the practical rationale.). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

SPNEGO stands for Simple and Protected GSSAPI Negotiation Mechanism. It is sometimes pronounced or spelled "spengo".

SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports.

SPNEGO is a standard GSSAPI pseudo-mechanism. The pseudo-mechanism runs a protocol to determine which GSSAPI mechanisms both ends have in common, selects one, and then dispatches all further security operations to it. This can help organizations deploy new security mechanisms in a phased manner.

SPNEGO's most visible use is in Microsoft's "HTTP Negotiate" authentication extension. It was first implemented in Internet Explorer 5.01 and IIS 5.0 and provided single sign-on capability later marketed as Integrated Windows Authentication. The negotiable sub-mechanisms included NTLM and Kerberos, both used in Active Directory.

The HTTP Negotiate extension was later implemented with similar support in Mozilla 1.7 beta, Mozilla Firefox 0.9, and Konqueror 3.3.1.

History of the SPNEGO standard

  1. 19 February, 1996 - Eric Baize and Denis Pinkas publish the internet draft Simple GSS-API Negotiation Mechanism (draft-ietf-cat-snego-01.txt).
  2. 17 October, 1996 - The mechanism is assigned the object identifier 1.3.6.1.5.5.2 and is abbreviated snego.
  3. 25 March, 1997 - Optimistic piggybacking of one mechanism's initial token is added. This saves a round trip.
  4. 22 April, 1997 - The "preferred" mechanism concept is introduced. The draft standard's name is changed from just "Simple" to "Simple and Protected" (spnego).
  5. 16 May, 1997 - Context flags are added (delegation, mutual auth, etc.). Defences are provided against attacks on the new "preferred" mechanism.
  6. 22 July, 1997 - More context flags are added (integrity and confidentiality).
  7. 18 November, 1998 - The rules for selecting the common mechanism are relaxed. Mechanism preference is integrated into the mechanism list.
  8. 4 March, 1998 - An optimisation is made for an odd number of exchanges. The mechanism list itself is made optional.
  9. December 1998 - DER encoding is chosen to disambiguate how the MIC is calculated. The draft is submitted for standardisation as RFC 2478.
  10. October 2005 - Interoperability with Microsoft implementations is addressed. Some constraints are improved and clarified and defects corrected. Published as RFC 4178, although it is now non-interoperable with strict implementations of the now-obsoleted RFC 2478.
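The negotiation described in the introduction (offer a preference-ordered mechanism list, piggyback an optimistic token for the first one, let the acceptor pick a common mechanism) and the two protection steps recorded in the history above (a MIC over the mechanism list, calculated over its DER encoding) can be seen together in one small model. The following is an added example written for this page; it is not code from the article or from any of the implementations named (IIS, Internet Explorer, Mozilla, Konqueror). It encodes a mechTypes list as a DER SEQUENCE OF OBJECT IDENTIFIER and simulates one exchange. Assumptions: the Kerberos V5 and NTLMSSP OIDs are the registered values those mechanisms use; the per-mechanism HMAC keys are constructed stand-ins for the negotiated mechanism's GSS_GetMIC; `run_negotiation`, `strip_kerberos` and the round-trip count are simplifications made for the illustration, not RFC 4178 message structures.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# GSS-API mechanism OIDs. 1.3.6.1.5.5.2 is SPNEGO's own OID (assigned in 1996,
# as the history above records); the Kerberos V5 and NTLMSSP values are the
# registered OIDs those two sub-mechanisms use.
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        # Base-128 groups, most significant first, high bit set on all but the last.
        groups = []
        while True:
            groups.append(arc & 0x7F)
            arc >>= 7
            if arc == 0:
                break
        groups.reverse()
        body += bytes([g | 0x80 for g in groups[:-1]] + [groups[-1]])
    return b"\x06" + der_length(len(body)) + bytes(body)


def der_mech_list(oids: Iterable[str]) -> bytes:
    """DER SEQUENCE OF OBJECT IDENTIFIER: the mechTypes list that the MIC covers."""
    body = b"".join(der_oid(o) for o in oids)
    return b"\x30" + der_length(len(body)) + body


# Constructed stand-in for each mechanism's integrity key. Real SPNEGO computes
# the mechListMIC with the negotiated mechanism's GSS_GetMIC; a keyed HMAC over
# the DER-encoded list models that here.
MECH_KEYS = {KRB5_OID: b"krb5-session-key", NTLMSSP_OID: b"ntlm-session-key"}


def mech_list_mic(mech: str, mech_types: List[str]) -> bytes:
    return hmac.new(MECH_KEYS[mech], der_mech_list(mech_types), hashlib.sha256).digest()


@dataclass
class NegTokenInit:
    mech_types: List[str]     # initiator's list, most preferred first
    mech_token: bytes = b""   # optimistic token for mech_types[0], if any


@dataclass
class NegTokenResp:
    neg_state: str            # final state: "accept-completed" or "reject"
    supported_mech: Optional[str] = None
    round_trips: int = 0      # client-to-server messages the exchange needed


def run_negotiation(client_mechs: List[str], server_mechs: set,
                    tamper: Optional[Callable[[NegTokenInit], NegTokenInit]] = None) -> NegTokenResp:
    """Drive one simplified SPNEGO exchange. `tamper` optionally rewrites the
    NegTokenInit in transit, modelling an on-path change to the mechanism list
    that the mechListMIC check is there to detect."""
    init = NegTokenInit(list(client_mechs), b"optimistic:" + client_mechs[0].encode())
    wire = tamper(init) if tamper else init
    # Acceptor picks the first initiator-preferred mechanism it also supports.
    chosen = next((m for m in wire.mech_types if m in server_mechs), None)
    if chosen is None:
        return NegTokenResp("reject")
    # The piggybacked token saves a round trip only if it was made for the chosen mechanism.
    round_trips = 1 if (chosen == wire.mech_types[0] and wire.mech_token) else 2
    # Once the mechanism completes, the initiator MICs the mechTypes list it sent;
    # the acceptor verifies that MIC against the list it actually received.
    client_mic = mech_list_mic(chosen, init.mech_types)
    if not hmac.compare_digest(client_mic, mech_list_mic(chosen, wire.mech_types)):
        return NegTokenResp("reject", chosen, round_trips)
    return NegTokenResp("accept-completed", chosen, round_trips)


def strip_kerberos(init: NegTokenInit) -> NegTokenInit:
    """Constructed in-transit rewrite: the list arrives with Kerberos removed."""
    return NegTokenInit([m for m in init.mech_types if m != KRB5_OID])


if __name__ == "__main__":
    print(der_mech_list([SPNEGO_OID]).hex())
    print(run_negotiation([KRB5_OID, NTLMSSP_OID], {KRB5_OID, NTLMSSP_OID}))
    print(run_negotiation([KRB5_OID, NTLMSSP_OID], {NTLMSSP_OID}))
    print(run_negotiation([KRB5_OID, NTLMSSP_OID], {KRB5_OID, NTLMSSP_OID}, strip_kerberos))
```

The three calls at the bottom show the cases the history entries describe: both ends share the initiator's first choice, so the optimistic token completes the context in one message; the server lacks Kerberos, so a second message is needed for the NTLMSSP token; and a list altered in transit is refused because the initiator's MIC was computed over the list it originally sent, not the one the acceptor received. The DER step matters because the MIC must be computed over byte-identical input on both sides, which is exactly why the December 1998 draft fixed the encoding.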

References

  • "Internet Drafts of RFC 2478". All (Current & Expired) Internet Drafts Collection - Drafts. Retrieved May 28.
  • Mozilla bug 17578: "I want Kerberos authentication and TGT forwarding".
  • "HTTP-Based Cross-Platform Authentication via the Negotiate Protocol". Microsoft Developer Network (MSDN) Library. Retrieved May 28.
  • "Konqueror has SPNEGO support". Apache and Kerberos tutorial. Retrieved May 30.
  • "Using mod_auth_kerb and Windows 2000/2003 as KDC". Tutorial. Retrieved Dec 02.