1 - About

SPNEGO stands for Simple and Protected GSSAPI Negotiation Mechanism.

  • SPNEGO is a standardized interface for authentication (like JNDI is for directory lookups).
  • The default implementation for SPNEGO under Windows is Kerberos (like LDAP is for JNDI).

In Microsoft terminology, “Windows Integrated Authentication” is used as a synonym for SPNEGO. Under Windows Integrated Authentication, either the Kerberos or NTLM protocols may be negotiated.

When a server receives a request from an Internet Explorer (IE 6.1 or greater) browser, it can request that the browser use the SPNEGO protocol to authenticate itself. This protocol performs a Kerberos authentication over HTTP and lets Internet Explorer pass a delegated credential, so that the web application can log in to subsequent Kerberized services on the user's behalf.

When an HTTP server wishes to perform SPNEGO, it answers the HTTP request with a “401 Unauthorized” response carrying the “WWW-Authorization: Negotiate” header. Internet Explorer then contacts the Ticket Granting Service (TGS) to obtain a service ticket.

It requests the ticket for a special Service Principal Name (SPN), which is:

HTTP/[email protected]

The returned ticket is then wrapped in a SPNEGO token, which is encoded and sent back to the server in the HTTP request. The server unwraps the token and authenticates the ticket.
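Added example (not code from this page): a small Python parser for the token the browser sends back in the `Authorization: Negotiate` request header. It walks the DER structure of the SPNEGO InitialContextToken (RFC 4178) and lists the mechanisms offered in the NegTokenInit mechTypes field, which is what a server-side check needs in order to see whether the client was only ever going to use Kerberos or whether NTLM was also on the table. The sample token, the OID lookup table and the placeholder standing in for the Kerberos AP-REQ are constructed here.

```python
import base64

MECH_NAMES = {"1.2.840.48018.1.2.2": "MS KRB5", "1.2.840.113554.1.2.2": "KRB5",
              "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}   # mechanism OIDs seen in mechTypes

def read_tlv(buf, pos=0):  # one DER tag/length/value at pos -> (tag, value, next position)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:      # long form: a real token carries a ticket and exceeds 127 bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):       # DER OID contents -> dotted notation
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def spnego_mech_list(authorization_value):
    """Parse an 'Authorization: Negotiate <base64>' value; return the mechanisms offered."""
    token = base64.b64decode(authorization_value.split(None, 1)[1])
    outer, body, _ = read_tlv(token)               # [APPLICATION 0] InitialContextToken
    _, this_mech, pos = read_tlv(body)             # thisMech must be the SPNEGO OID
    if outer != 0x60 or decode_oid(this_mech) != "1.3.6.1.5.5.2":
        raise ValueError("not a SPNEGO InitialContextToken")
    tag, neg_init, _ = read_tlv(body, pos)         # [0] NegTokenInit; [1] would be a NegTokenResp
    if tag != 0xA0: raise ValueError("expected a NegTokenInit")
    _, fields, _ = read_tlv(neg_init)              # NegTokenInit SEQUENCE
    _, mech_types, _ = read_tlv(fields)            # [0] mechTypes is always its first field
    _, oid_list, _ = read_tlv(mech_types)          # SEQUENCE OF MechType
    mechs, pos = [], 0
    while pos < len(oid_list):
        _, oid, pos = read_tlv(oid_list, pos)
        mechs.append(MECH_NAMES.get(decode_oid(oid), decode_oid(oid)))
    return mechs

def der(tag, payload):     # short-form DER encoder, enough to build the sample below
    return bytes([tag, len(payload)]) + payload
# Constructed sample: the token a client sends after the 401, offering three mechanisms;
# the Kerberos AP-REQ that belongs in mechToken is only a placeholder here.
MECH_OIDS = [der(0x06, bytes.fromhex(h)) for h in
             ("2a864882f712010202", "2a864886f712010202", "2b06010401823702020a")]
NEG_INIT = der(0x30, der(0xA0, der(0x30, b"".join(MECH_OIDS)))
               + der(0xA2, der(0x04, b"<AP-REQ placeholder>")))
SAMPLE_AUTHORIZATION = "Negotiate " + base64.b64encode(
    der(0x60, der(0x06, bytes.fromhex("2b0601050502")) + der(0xA0, NEG_INIT))).decode()
```

A raw NTLMSSP token sent without the SPNEGO wrapper (a bare "Negotiate TlRMTVNTUAA..." value) is rejected by the thisMech check rather than silently accepted.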

3 - Documentation / Reference

spnego.txt · Last modified: 2017/10/23 10:08 by gerardnico