SPNEGO

SPNEGO stands for Simple and Protected GSSAPI Negotiation Mechanism. SPNEGO is an Internet standard GSSAPI pseudo-mechanism that lets peers determine which GSSAPI mechanisms they share, select one, and then establish a security context with it. SPNEGO is sometimes pronounced or spelt "spengo".

SPNEGO's most visible use is in the HTTP Negotiate extension defined by Microsoft's expired internet draft [http://www.ietf.org/internet-drafts/draft-brezak-spnego-http-05.txt draft-brezak-spnego-http-05.txt]. This authentication extension was first implemented in Internet Explorer 5.01 and IIS 5.0 and provided single sign-on capability later marketed as "Windows Integrated Authentication". The negotiable sub-mechanisms included NTLM and Kerberos, both used in Active Directory.

The HTTP Negotiate extension was later implemented with similar support in Mozilla 1.7beta, Mozilla Firefox 0.9, and Konqueror 3.3.1.
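As an added illustration (not part of the original article, and not code from any implementation it names), the Python below decodes the token carried in an `Authorization: Negotiate` header and reports which mechanisms the client offers, in the sender's order, so a log reviewer can see when NTLM is offered or sent bare. It assumes the NegTokenInit layout of RFC 2478; the Kerberos 5 and NTLMSSP object identifiers, the function names and the sample token are not from the page, and the sample is constructed.

```python
import base64
SPNEGO_OID = "1.3.6.1.5.5.2"  # the object identifier given on this page
MECH_NAMES = {"1.2.840.113554.1.2.2": "Kerberos 5",   # well-known mechanism OIDs,
              "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}    # not taken from this page
SAMPLE_HEADER = "Negotiate " + base64.b64encode(bytes.fromhex(  # constructed sample:
    "602706062b0601050502a01d301ba019301706092a864886f712010202"  # NegTokenInit offering
    "060a2b06010401823702020a")).decode()                         # Kerberos 5, then NTLMSSP

def read_tlv(buf, pos=0):  # -> (tag, value, next_pos) of the DER element at pos
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):  # DER OID content octets -> dotted-decimal string
    arcs, value = [], 0
    for octet in content:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:  # a clear high bit ends the current arc
            arcs, value = arcs + [value], 0
    if not arcs:
        raise ValueError("empty OID")
    first = min(arcs[0] // 40, 2)  # the first subidentifier packs two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def offered_mechanisms(header_value):  # -> (token kind, mechanisms in sender's order)
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    token = base64.b64decode(b64.strip(), validate=True)
    if token.startswith(b"NTLMSSP\x00"):  # NTLM sent with no SPNEGO wrapper
        return "raw NTLMSSP", ["NTLMSSP"]
    tag, body, _ = read_tlv(token)
    oid_tag, oid, pos = read_tlv(body)
    if tag != 0x60 or oid_tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
        return "not an initial SPNEGO token", []
    neg_init = read_tlv(read_tlv(body, pos)[1])[1]  # [0] wrapper, then SEQUENCE
    field_tag, field, _ = read_tlv(neg_init)
    mech_list = read_tlv(field)[1] if field_tag == 0xA0 else b""  # [0] mechTypes
    mechs, p = [], 0
    while p < len(mech_list):
        _, raw, p = read_tlv(mech_list, p)
        mechs.append(MECH_NAMES.get(decode_oid(raw), decode_oid(raw)))
    return "SPNEGO NegTokenInit", mechs
```

Calling `offered_mechanisms(SAMPLE_HEADER)` returns the token kind and the ordered mechanism list; malformed or truncated tokens raise `ValueError`.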

= History of the SPNEGO standard =

  • 01. 19 February, 1996 - Eric Baize and Denis Pinkas publish the internet draft Simple GSS-API Negotiation Mechanism (draft-ietf-cat-snego-01.txt).
  • 02. 17 October, 1996 - The mechanism is assigned the object identifier 1.3.6.1.5.5.2 and is abbreviated snego.
  • 03. 25 March, 1997 - Optimistic piggybacking of one mechanism's initial token is added. This saves a round trip.
  • 04. 22 April, 1997 - The "preferred" mechanism concept is introduced. The draft standard's name is changed from just "Simple" to "Simple and Protected" (spnego).
  • 05. 16 May, 1997 - Context flags are added (delegation, mutual authentication, etc.). Defences are provided against attacks on the new "preferred" mechanism.
  • 06. 22 July, 1997 - More context flags are added (integrity and confidentiality).
  • 07. 18 November, 1998 - The rules of selecting the common mechanism are relaxed. Mechanism preference is integrated into the mechanism list.
  • 08. 4 March, 1998 - An optimisation is made for an odd number of exchanges. The mechanism list itself is made optional.
  • Final December 1998 - DER encoding is chosen to disambiguate how the integrity is calculated. The draft is submitted for standardisation as RFC 2478.

= External links =

  • RFC 2478 The Simple and Protected GSS-API Negotiation Mechanism
  • [http://msdn.microsoft.com/library/en-us/dnsecure/html/http-sso-2.asp Microsoft technical article on SPNEGO tokens]
  • [http://www.vintela.com/technologies/spnego.php Vintela description of SPNEGO]
  • [http://www.mozilla.org/projects/netlib/integrated-auth.html SPNEGO support in Mozilla]
  • [http://rc.vintela.com/topics/apache/mod_auth_vas/ Apache module for supporting SPNEGO]
  • [http://modauthkerb.sourceforge.net/ mod_auth_kerb Apache module supporting SPNEGO]
  • [http://potaroo.net/ietf/idref/draft-brezak-spnego-http/ Earlier drafts of draft-brezak-spnego-http-05.txt, since -05 is no longer available.]
  • [http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnkerb/html/MSDN_PAC.asp Microsoft article on authorization data present in Kerberos tickets (PAC)]
  • [http://appliedcrypto.com/articles/pac/ms_kerberos_pac.pdf PAC (Privilege Attribute Certificate) in a Java Web Server World]
  • [http://www.matrix.org.cn/blog/cas] Security Site for Windows Integration Authentication with SSO

= References =

  • [https://bugzilla.mozilla.org/show_bug.cgi?id=17578 Mozilla bug 17578: I want Kerberos authentication and TGT forwarding]