SPNEGO
{{Short description|Security protocol used with GSSAPI}}
{{Use dmy dates|date=November 2022}}
'''Simple and Protected GSSAPI Negotiation Mechanism''' ('''SPNEGO'''), often pronounced "spenay-go", is a [[GSSAPI]] "pseudo mechanism" used by client-server software to negotiate the choice of security technology. SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports. The pseudo-mechanism uses a protocol to determine what common GSSAPI mechanisms are available, selects one and then dispatches all further security operations to it. This can help organizations deploy new security mechanisms in a phased manner.

SPNEGO's most visible use is in [[Microsoft]]'s "HTTP Negotiate" [[authentication]] extension. It was first implemented in [[Internet Explorer]] 5.01 and IIS 5.0 and provided [[single sign-on]] capability later marketed as ''[[Integrated Windows Authentication]]''. The negotiable sub-mechanisms included [[NTLM]] and [[Kerberos (protocol)|Kerberos]], both used in [[Active Directory]].
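Added example, not part of the original article or of any SPNEGO implementation: Python that decodes the mechanism list from the initial SPNEGO token carried in an HTTP <code>Authorization: Negotiate</code> header and then picks a common mechanism. The sample token is constructed, the function and constant names are illustrative, and the selection rule (first offered mechanism the server supports) is a simplifying assumption.

```python
import base64

SPNEGO, KERBEROS, NTLMSSP = "1.3.6.1.5.5.2", "1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"
# Constructed sample: a NegTokenInit that offers Kerberos V5 first, then NTLMSSP.
SAMPLE_HEADER = "Negotiate " + base64.b64encode(bytes.fromhex(
    "6027 06062b0601050502 a01d 301b a019 3017 06092a864886f712010202 060a2b06010401823702020a")).decode()

def read_tlv(buf, pos, want):
    """Return (value, next_pos) of the DER element at pos, which must carry tag `want`."""
    if pos + 2 > len(buf) or buf[pos] != want:
        raise ValueError(f"expected DER tag 0x{want:02x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def decode_oid(body):
    subids, value = [], 0
    for b in body:  # each arc is base-128, most significant group first
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the current arc
            subids, value = subids + [value], 0
    if not subids:
        raise ValueError("empty OID")
    first = min(subids[0] // 40, 2)  # the first two arcs share one value
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def offered_mechs(header_value):
    """Mechanism OIDs, in the client's preference order, from a Negotiate header value."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    token, _ = read_tlv(base64.b64decode(b64, validate=True), 0, 0x60)  # GSS-API wrapper
    oid, pos = read_tlv(token, 0, 0x06)
    if decode_oid(oid) != SPNEGO:
        raise ValueError("outer mechanism is not SPNEGO")
    for tag in (0xA0, 0x30, 0xA0, 0x30):  # [0] negTokenInit, SEQUENCE, [0] mechTypes, SEQUENCE OF
        token, pos = read_tlv(token, pos, tag)[0], 0  # descend into the element's content
    mechs = []
    while pos < len(token):
        oid, pos = read_tlv(token, pos, 0x06)
        mechs.append(decode_oid(oid))
    return mechs

def select_mech(offered, supported):  # assumed rule: first offered mechanism the acceptor supports
    return next((m for m in offered if m in supported), None)
```

Running <code>offered_mechs</code> over logged Negotiate headers shows which clients still offer NTLMSSP alongside Kerberos; a header value that is not a SPNEGO token raises <code>ValueError</code>.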
The HTTP Negotiate extension was later implemented with similar support in:
* [[Mozilla]] 1.7 beta<ref>[https://bugzilla.mozilla.org/show_bug.cgi?id=17578 Mozilla bug 17578: I want Kerberos authentication and TGT forwarding]</ref>
* [[Mozilla Firefox]] 0.9
* [[Konqueror]] 3.3.1<ref>{{cite web | url=http://article.gmane.org/gmane.comp.kde.devel.kfm/6300 | title=Konqueror has SPNEGO support | work=Apache and Kerberos tutorial | access-date=30 May 2005 | url-status=live | archive-url=https://web.archive.org/web/20050419055107/http://article.gmane.org/gmane.comp.kde.devel.kfm/6300 | archive-date=19 April 2005 }}</ref>
* [[Google Chrome]] 6.0.472<ref>{{cite web | url=http://code.google.com/p/chromium/issues/detail?id=28282 | title=Support for SPNEGO authentication | work=Google Chrome Enhancement Request | access-date=20 November 2010 | url-status=live | archive-url=https://web.archive.org/web/20121111061907/http://code.google.com/p/chromium/issues/detail?id=28282 | archive-date=11 November 2012 }}</ref>

== History ==
* 19 February 1996 – Eric Baize and Denis Pinkas publish the [[Internet Draft]] ''Simple GSS-API Negotiation Mechanism'' (draft-ietf-cat-snego-01.txt).
* 17 October 1996 – The mechanism is assigned the [[object identifier]] ''1.3.6.1.5.5.2'' and is abbreviated '''snego'''. <!-- NOT spnego! -->
* 25 March 1997 – Optimistic piggybacking of one mechanism's initial token is added. This saves a round trip.
* 22 April 1997 – The "preferred" mechanism concept is introduced. The draft standard's name is changed from just "Simple" to "Simple and Protected" ('''spnego''').
* 16 May 1997 – Context flags are added ([[delegation (Security)|delegation]], mutual [[authentication|auth]], etc.). Defenses are provided against attacks on the new "preferred" mechanism.
* 22 July 1997 – More context flags are added ([[Data integrity|integrity]] and [[confidentiality (Security)|confidentiality]]).
* 18 November 1998 – The rules of selecting the common mechanism are relaxed. Mechanism preference is integrated into the mechanism list.
* 4 March 1998 – An optimisation is made for an odd number of exchanges. The mechanism list itself is made optional.
* December 1998 ('''Final''') – [[Distinguished Encoding Rules|DER encoding]] is chosen to disambiguate how the [[Message Integrity Code|MIC]] is calculated. The draft is submitted for standardisation as RFC 2478.
* October 2005 – Interoperability with Microsoft implementations is addressed. Some constraints are improved and clarified and defects corrected. Published as RFC 4178, although it is now non-interoperable with strict implementations of now-obsoleted RFC 2478.

==Notes==
{{Reflist}}

== References ==
* {{cite web | title=Internet Drafts of RFC 4178 | work=All (Current & Expired) Internet Drafts Collection – Drafts | url=http://potaroo.net/ietf/idref/rfc4178/ | accessdate=23 August 2014}}
* {{cite web | url=https://msdn.microsoft.com/en-us/library/ms995330.aspx | title=HTTP-Based Cross-Platform Authentication via the Negotiate Protocol | work=Microsoft Developer Network (MSDN) library | accessdate=8 October 2015}}
* {{cite web | url= http://www.grolmsnet.de/kerbtut/| title=using mod_auth_kerb and Windows 2000/2003 as KDC | work=Tutorial | accessdate=2 December 2005}}

== External links ==
* {{IETF RFC|4178|link=no}} ''The Simple and Protected GSS-API Negotiation Mechanism'' (obsoletes {{IETF RFC|2478|link=no}}).
* {{IETF RFC|4559|link=no}} ''SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows''

{{DEFAULTSORT:Spnego}}
[[Category:Cryptographic protocols]]
[[Category:Computer access control protocols]]