About
SPNEGO stands for Simple and Protected GSSAPI Negotiation Mechanism.
- SPNEGO is a standardized interface for authentication (like JNDI is for directory lookups).
- The default implementation for SPNEGO under Windows is Kerberos (like LDAP is for JNDI).
In Microsoft terminology, “Windows Integrated Authentication” is used as a synonym for SPNEGO. Under Windows Integrated Authentication, either the Kerberos or NTLM protocols may be negotiated.
When a server receives a request from an Internet Explorer (IE 6.1 or greater) browser, it can request that the browser use the SPNEGO protocol to authenticate itself. This protocol performs a Kerberos authentication via HTTP, and allows Internet Explorer to pass a delegated credential so that a Web application can log in to subsequent Kerberized services on the user's behalf.
When an HTTP server wishes to perform SPNEGO, it returns a “401 Unauthorized” response to the HTTP request carrying the “WWW-Authenticate: Negotiate” header. Internet Explorer then contacts the Ticket Granting Service (TGS) to obtain a service ticket.
It chooses a special Service Principal Name for the ticket request, which is:
HTTP/webserver@REALM
The returned ticket is then wrapped in a SPNEGO token, which is encoded and sent back to the server with the retried HTTP request. The server unwraps the token and authenticates the ticket.
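To make the exchange above concrete on the server side, here is an added example (not code from the original page) that decodes the value of a Negotiate credential and reports whether the client actually sent a SPNEGO token leading with Kerberos, a SPNEGO token leading with NTLM, or a raw NTLM message, which is what an operator wants logged when checking that Kerberos, not NTLM, is being negotiated. The sample tokens are constructed inside the block with a minimal DER encoder, and the names `build_negotiate_init`, `token_from_header` and `classify_token` are assumed helper names.

```python
import base64

SPNEGO_OID = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2 (DER-encoded)
KRB5_OID = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIG = b"NTLMSSP\x00"                         # leading bytes of every NTLM message


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV; short-form length only (samples here stay under 128 bytes)."""
    return bytes([tag, len(content)]) + content


def tlv(buf: bytes, pos: int = 0):
    """Decode one short-form DER TLV at pos, returning (tag, content)."""
    if pos + 2 > len(buf) or buf[pos + 1] >= 0x80:
        raise ValueError("unsupported or truncated DER")
    return buf[pos], buf[pos + 2:pos + 2 + buf[pos + 1]]


def build_negotiate_init(mech_oids) -> bytes:
    """Constructed sample token: GSS InitialContextToken wrapping a SPNEGO
    NegTokenInit whose mechTypes lists mech_oids (mechToken omitted)."""
    mech_types = der(0x30, b"".join(der(0x06, o) for o in mech_oids))
    return der(0x60, der(0x06, SPNEGO_OID) + der(0xA0, der(0x30, der(0xA0, mech_types))))


def token_from_header(header_value: str) -> bytes:
    """Decode the token carried in an 'Authorization: Negotiate <base64>' value."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not blob:
        raise ValueError("not a Negotiate credential")
    return base64.b64decode(blob, validate=True)


def classify_token(token: bytes) -> str:
    """Name the mechanism a Negotiate token really carries, for authentication logging."""
    if token.startswith(NTLMSSP_SIG):
        return "ntlm-raw"               # bare NTLM, no SPNEGO wrapper at all
    try:
        tag, body = tlv(token)
        if tag != 0x60 or not body.startswith(der(0x06, SPNEGO_OID)):
            return "unknown"
        node = body[8:]                 # [0] NegTokenInit -> SEQUENCE -> [0] mechTypes
        for _ in range(4):              #   -> SEQUENCE OF OID: descend four levels
            _, node = tlv(node)
        _, first_oid = tlv(node)        # first mechType is the one the client built for
    except ValueError:
        return "unknown"
    if first_oid in (KRB5_OID, MS_KRB5_OID):
        return "spnego-kerberos"
    return "spnego-ntlm" if first_oid == NTLMSSP_OID else "spnego-other"
```

The first mechType decides the classification because SPNEGO clients build their optimistic mechToken for that mechanism; a result of `ntlm-raw` or `spnego-ntlm` on a host that should be using Kerberos is the fallback condition worth alerting on.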