Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO), often pronounced "spenay-go", is a GSSAPI "pseudo mechanism" used by client-server software to negotiate the choice of security technology. SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports. The pseudo-mechanism uses a protocol to determine what common GSSAPI mechanisms are available, selects one and then dispatches all further security operations to it. This can help organizations deploy new security mechanisms in a phased manner.

SPNEGO's most visible use is in Microsoft's "HTTP Negotiate" authentication extension. It was first implemented in Internet Explorer 5.01 and IIS 5.0 and provided single sign-on capability later marketed as Integrated Windows Authentication. The negotiable sub-mechanisms included NTLM and Kerberos, both used in Active Directory. The HTTP Negotiate extension was later implemented with similar support in:


  1. 19 February 1996 – Eric Baize and Denis Pinkas publish the Internet Draft Simple GSS-API Negotiation Mechanism (draft-ietf-cat-snego-01.txt).
  2. 17 October 1996 – The mechanism is assigned the object identifier and is abbreviated snego.
  3. 25 March 1997 – Optimistic piggybacking of one mechanism's initial token is added. This saves a round trip.
  4. 22 April 1997 – The "preferred" mechanism concept is introduced. The draft standard's name is changed from just "Simple" to "Simple and Protected" (spnego).
  5. 16 May 1997 – Context flags are added (delegation, mutual auth, etc.). Defenses are provided against attacks on the new "preferred" mechanism.
  6. 22 July 1997 – More context flags are added (integrity and confidentiality).
  7. 18 November 1998 – The rules of selecting the common mechanism are relaxed. Mechanism preference is integrated into the mechanism list.
  8. 4 March 1998 – An optimisation is made for an odd number of exchanges. The mechanism list itself is made optional.


  1. Mozilla bug 17578: I want Kerberos authentication and TGT forwarding
  2. "Konqueror has SPNEGO support". Apache and Kerberos tutorial. Retrieved 30 May 2005.
  3. "Support for SPNEGO authentication". Google Chrome Enhancement Request. Retrieved 20 November 2010.


External links

This article is issued from Wikipedia - version of the 11/3/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.