SPNEGO
SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) is a GSSAPI "pseudo mechanism" that is used to negotiate one of a number of possible real mechanisms. It is sometimes pronounced or spelled "spengo". SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports.
The pseudo-mechanism uses a protocol to determine what common GSSAPI mechanisms are available, selects one and then dispatches all further security operations to it. This can help organizations deploy new security mechanisms in a phased manner.
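The exchange described above can be made concrete with a small amount of code. The following Python is an added example and is not part of the original article or of any SPNEGO implementation: it DER-encodes the client's initial token (the GSS-API initial context token carrying SPNEGO's OID 1.3.6.1.5.5.2 and a NegTokenInit whose mechTypes list is in the client's preference order), parses it on the server side, picks the first mechanism both ends support, and checks a MIC over the exact DER bytes of the mechanism list so that a list stripped or reordered in transit is detected. The Kerberos v5 and NTLMSSP OIDs are the registered mechanism OIDs; the HMAC-SHA256 MIC under a constructed key is an assumption standing in for the selected mechanism's own GSS_GetMIC, and the function names are this example's own.

```python
import base64
import hashlib
import hmac

# Minimal DER helpers: enough for the RFC 2743 / RFC 4178 token shapes.
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")   # long form
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, value):
    return bytes([tag]) + der_len(len(value)) + value

def der_oid(dotted):
    """OBJECT IDENTIFIER from dotted form (first arc 0 or 1, which covers our OIDs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return der_tlv(0x06, bytes(out))

def der_read(buf, pos=0):
    """Read one TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                      # long form
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def der_decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

# SPNEGO's OID is the one named in the article; Kerberos v5 and NTLMSSP are the
# registered OIDs of two mechanisms it commonly negotiates between.
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"

def encode_mech_list(mech_types):
    """MechTypeList ::= SEQUENCE OF MechType, in the client's preference order."""
    return der_tlv(0x30, b"".join(der_oid(m) for m in mech_types))

def build_neg_token_init(mech_types):
    """Client -> server: [APPLICATION 0] { SPNEGO OID, negTokenInit [0] { [0] mechTypes } }."""
    neg_token_init = der_tlv(0x30, der_tlv(0xA0, encode_mech_list(mech_types)))
    return der_tlv(0x60, der_oid(SPNEGO_OID) + der_tlv(0xA0, neg_token_init))

def parse_neg_token_init(token):
    """Server side: return (offered OIDs, exact DER bytes of the MechTypeList)."""
    tag, body, _ = der_read(token)
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = der_read(body)
    if tag != 0x06 or der_decode_oid(oid) != SPNEGO_OID:
        raise ValueError("not an SPNEGO token")
    tag, neg_init, _ = der_read(body, pos)            # negTokenInit [0]
    if tag != 0xA0:
        raise ValueError("expected negTokenInit")
    _, seq, _ = der_read(neg_init)                    # NegTokenInit SEQUENCE
    tag, mech_list_der, _ = der_read(seq)             # [0] mechTypes
    if tag != 0xA0:
        raise ValueError("mechTypes missing")
    _, mech_list_body, _ = der_read(mech_list_der)    # SEQUENCE OF MechType
    offered, p = [], 0
    while p < len(mech_list_body):
        _, oid, p = der_read(mech_list_body, p)
        offered.append(der_decode_oid(oid))
    return offered, mech_list_der

def select_mechanism(offered, supported):
    """First mechanism in the client's order that the server has; None = reject."""
    return next((m for m in offered if m in supported), None)

def mech_list_mic(key, mech_list_der):
    """Stand-in for the selected mechanism's GSS_GetMIC (assumption: HMAC-SHA256
    under a constructed key); both peers MIC the same DER bytes."""
    return hmac.new(key, mech_list_der, hashlib.sha256).digest()

def negotiate(client_prefs, received_token, server_supported, key=b"constructed key"):
    """Server-side selection plus the mechListMIC check: a mechanism list that was
    stripped or reordered in transit no longer matches what the client offered."""
    offered, mech_list_der = parse_neg_token_init(received_token)
    chosen = select_mechanism(offered, server_supported)
    mic_ok = hmac.compare_digest(mech_list_mic(key, encode_mech_list(client_prefs)),
                                 mech_list_mic(key, mech_list_der))
    return chosen, mic_ok

def negotiate_header(token):
    """How the token travels in HTTP Negotiate (RFC 4559): base64 in the header."""
    return "Negotiate " + base64.b64encode(token).decode()
```

With `prefs = [KRB5_OID, NTLMSSP_OID]`, `negotiate(prefs, build_neg_token_init(prefs), set(prefs))` returns Kerberos with a matching MIC, while feeding the server a token built from `[NTLMSSP_OID]` alone still selects NTLMSSP but fails the MIC comparison. Because the MIC covers DER bytes, both peers must agree on one canonical encoding of the list, which is why the standard settled on DER rather than BER for this field.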
SPNEGO's most visible use is in Microsoft's "HTTP Negotiate" authentication extension. It was first implemented in Internet Explorer 5.01 and IIS 5.0 and provided single sign-on capability later marketed as "Integrated Windows Authentication". The negotiable sub-mechanisms included NTLM and Kerberos, both used in Active Directory. The HTTP Negotiate extension was later implemented with similar support in:
* Mozilla 1.7 beta,
* Mozilla Firefox 0.9, and
* Konqueror 3.3.1.

History of the SPNEGO standard
# 19 February 1996 - Eric Baize and Denis Pinkas publish the internet draft "Simple GSS-API Negotiation Mechanism" (draft-ietf-cat-snego-01.txt).
# 17 October 1996 - The mechanism is assigned the object identifier "1.3.6.1.5.5.2" and is abbreviated snego.
# 25 March 1997 - Optimistic piggybacking of one mechanism's initial token is added. This saves a round trip.
# 22 April 1997 - The "preferred" mechanism concept is introduced. The draft standard's name is changed from just "Simple" to "Simple and Protected" (spnego).
# 16 May 1997 - Context flags are added (delegation, mutual auth, etc.). Defences are provided against attacks on the new "preferred" mechanism.
# 22 July 1997 - More context flags are added (integrity and confidentiality).
# 18 November 1998 - The rules of selecting the common mechanism are relaxed. Mechanism preference is integrated into the mechanism list.
# 4 March 1998 - An optimisation is made for an odd number of exchanges. The mechanism list itself is made optional.
# December 1998 - DER encoding is chosen to disambiguate how the MIC is calculated. The draft is submitted for standardisation as RFC 2478.
# October 2005 - Interoperability with Microsoft implementations is addressed. Some constraints are improved and clarified and defects corrected. Published as RFC 4178, although it is now non-interoperable with strict implementations of the now-obsoleted RFC 2478.

External links
* RFC 4178 "The Simple and Protected GSS-API Negotiation Mechanism" (obsoletes RFC 2478).
* RFC 4559 "SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows"
* [http://msdn2.microsoft.com/en-us/library/ms995330.aspx Microsoft technical article on SPNEGO tokens]
* [http://www.centrify.com/downloads/products/documentation/version300/centrify_dc_apache.pdf Guide to using SPNEGO with Apache]
* [http://www.mozilla.org/projects/netlib/integrated-auth.html SPNEGO support in Mozilla]
* [http://www.quest.com/technology-glossary/spnego.aspx Quest's description of SPNEGO]
* [http://rc.vintela.com/topics/apache/mod_auth_vas/ COMMERCIAL Apache module for supporting SPNEGO]
* [http://modauthkerb.sourceforge.net/ mod_auth_kerb Apache module supporting SPNEGO]
* [http://potaroo.net/ietf/idref/draft-brezak-spnego-http/ Earlier drafts of draft-brezak-spnego-http-05.txt, since -05 is no longer available.]
* [http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnkerb/html/MSDN_PAC.asp Microsoft article on authorization data present in Kerberos tickets (PAC)]
* [http://appliedcrypto.com/spnegoarticles.do SPNEGO and SSO articles]
* [http://www.it-practice.dk/en/4/products/40/ COMMERCIAL SPNEGO for Tomcat, JBoss, WebSphere...]
* [http://www.matrix.org.cn/blog/cas Security site for Windows Integrated Authentication with SSO]
* [http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html Support for SPNEGO in Java GSS with Java 6.]
* [http://dev.taglab.com/sites/taglab-public/support/spnego.html Open source Java Spnego library by Taglab.]
* [http://www.ioplex.com/plexcel.html COMMERCIAL Plexcel - PHP Active Directory Integration]
* [http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/WP101065 WebSphere with a side of SPNEGO]
Wikimedia Foundation. 2010.