SPNEGO

SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) is a GSSAPI "pseudo mechanism" that is used to negotiate one of a number of possible real mechanisms. It is sometimes pronounced or spelled "spengo".

SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports.

The pseudo-mechanism runs a short negotiation to determine which GSSAPI mechanisms both ends have in common, selects one of them and then dispatches all further security operations to that mechanism. Because the selection happens at run time, this lets organizations deploy new security mechanisms in a phased manner without changing the applications that use them.

SPNEGO's most visible use is in Microsoft's "HTTP Negotiate" authentication extension. It was first implemented in Internet Explorer 5.01 and IIS 5.0 and provided single sign-on capability later marketed as "Integrated Windows Authentication". The negotiable sub-mechanisms included NTLM and Kerberos, both used in Active Directory.

The HTTP Negotiate extension was later implemented with similar support in:
* Mozilla 1.7 beta,
* Mozilla Firefox 0.9, and
* Konqueror 3.3.1.

History of the SPNEGO standard

# 19 February, 1996 - Eric Baize and Denis Pinkas publish the internet draft "Simple GSS-API Negotiation Mechanism" (draft-ietf-cat-snego-01.txt).
# 17 October, 1996 - The mechanism is assigned the object identifier "1.3.6.1.5.5.2" and is abbreviated snego.
# 25 March, 1997 - Optimistic piggybacking of one mechanism's initial token is added. This saves a round trip when the server accepts the client's first choice.
# 22 April, 1997 - The "preferred" mechanism concept is introduced. The draft standard's name is changed from just "Simple" to "Simple and Protected" (spnego).
# 16 May, 1997 - Context flags are added (delegation, mutual auth, etc.). Defences are provided against attacks on the new "preferred" mechanism.
# 22 July, 1997 - More context flags are added (integrity and confidentiality).
# 18 November, 1998 - The rules for selecting the common mechanism are relaxed. Mechanism preference is integrated into the mechanism list.
# 4 March, 1998 - An optimisation is made for an odd number of exchanges. The mechanism list itself is made optional.
# December 1998 (final) - DER encoding is chosen to disambiguate how the MIC is calculated. The draft is submitted for standardisation as RFC 2478.
# October 2005 - Interoperability with Microsoft implementations is addressed. Some constraints are improved and clarified and defects corrected. Published as RFC 4178, although it is not interoperable with strict implementations of the now-obsoleted RFC 2478.
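The negotiation described above (the ordered mechanism list, the optimistic first-mechanism token, and the MIC over the DER-encoded list that protects against a downgrade of the "preferred" mechanism) can be sketched in code. This is an added illustration, not code from the page or from any SPNEGO implementation: the Kerberos and NTLMSSP OIDs are the well-known registered values, the session key is constructed, and the HMAC stands in for the MIC that the negotiated mechanism would really produce.

```python
import hashlib
import hmac

# Well-known GSSAPI mechanism OIDs (only SPNEGO's own OID, 1.3.6.1.5.5.2, is on the page).
KRB5 = "1.2.840.113554.1.2.2"          # Kerberos V5
NTLMSSP = "1.3.6.1.4.1.311.2.2.10"     # NTLMSSP

def der_oid(dotted: str) -> bytes:
    """DER-encode an OBJECT IDENTIFIER (tag 0x06): first two arcs packed into one
    byte, remaining arcs as base-128 with continuation bits, short-form length."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]            # least significant 7 bits first
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))    # emit most significant group first
    return bytes([0x06, len(body)]) + bytes(body)

def der_mech_type_list(mechs) -> bytes:
    """MechTypeList ::= SEQUENCE OF MechType (tag 0x30), in client preference order."""
    inner = b"".join(der_oid(m) for m in mechs)
    if len(inner) >= 128:
        raise ValueError("short-form DER length only; list too long for this sketch")
    return bytes([0x30, len(inner)]) + inner

def choose_mechanism(client_mechs, server_mechs):
    """Server side: pick the first mechanism in the client's ordered list that the
    server supports. The optimistically piggybacked initial token is only usable
    when the chosen mechanism is the client's first (preferred) one."""
    for m in client_mechs:
        if m in server_mechs:
            return m, m == client_mechs[0]
    return None, False

def mech_list_mic(session_key: bytes, mechs) -> bytes:
    """Stand-in MIC over the DER-encoded MechTypeList; a real deployment gets this
    from the negotiated mechanism's GSS_GetMIC once its context is established."""
    return hmac.new(session_key, der_mech_type_list(mechs), hashlib.sha256).digest()

def client_detects_downgrade(session_key: bytes, sent_mechs, received_mechs) -> bool:
    """The server MICs the list it received; the client checks it against the list
    it sent. A mismatch means the list was rewritten in transit (e.g. Kerberos
    stripped so that the weaker mechanism is negotiated)."""
    server_mic = mech_list_mic(session_key, received_mechs)
    return not hmac.compare_digest(server_mic, mech_list_mic(session_key, sent_mechs))
```

The downgrade check only has teeth once a mechanism with a session key has completed, which is why the MIC exchange sits at the end of the negotiation rather than in the first token.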

External links

* RFC 4178 "The Simple and Protected GSS-API Negotiation Mechanism" (obsoletes RFC 2478).
* RFC 4559 "SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows"
* [http://msdn2.microsoft.com/en-us/library/ms995330.aspx Microsoft technical article on SPNEGO tokens]
* [http://www.centrify.com/downloads/products/documentation/version300/centrify_dc_apache.pdf Guide to using SPNEGO with Apache]
* [http://www.mozilla.org/projects/netlib/integrated-auth.html SPNEGO support in Mozilla]
* [http://www.quest.com/technology-glossary/spnego.aspx Quest's description of SPNEGO]
* [http://rc.vintela.com/topics/apache/mod_auth_vas/ COMMERCIAL Apache module for supporting SPNEGO]
* [http://modauthkerb.sourceforge.net/ mod_auth_kerb Apache module supporting SPNEGO]
* [http://potaroo.net/ietf/idref/draft-brezak-spnego-http/ Earlier drafts of draft-brezak-spnego-http-05.txt, since -05 is no longer available.]
* [http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnkerb/html/MSDN_PAC.asp Microsoft article on authorization data present in Kerberos tickets (PAC)]
* [http://appliedcrypto.com/spnegoarticles.do SPNEGO and SSO articles]
* [http://www.it-practice.dk/en/4/products/40/ COMMERCIAL SPNEGO for Tomcat, JBoss, WebSphere...]
* [http://www.matrix.org.cn/blog/cas Security site for Windows Integrated Authentication with SSO]
* [http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html Support for SPNEGO in Java GSS with Java 6.]
* [http://dev.taglab.com/sites/taglab-public/support/spnego.html Open source Java Spnego library by Taglab.]
* [http://www.ioplex.com/plexcel.html COMMERCIAL Plexcel - PHP Active Directory Integration]
* [http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/WP101065 WebSphere with a side of SPNEGO]


Wikimedia Foundation. 2010.
