Authentication - (SPNEGO|WNA)


SPNEGO stands for Simple and Protected GSSAPI Negotiation Mechanism.

  • SPNEGO is a standardized interface for authentication (like JNDI is for directory lookups).
  • The default implementation for SPNEGO under Windows is Kerberos (like LDAP is for JNDI).

In Microsoft terminology, “Windows Integrated Authentication” is used as a synonym for SPNEGO. Under Windows Integrated Authentication, either the Kerberos or NTLM protocols may be negotiated.

When a server receives a request from an Internet Explorer (IE 6.1 or greater) browser, it can request that the browser uses the SPNEGO protocol to authenticate itself. This protocol performs a Kerberos authentication via HTTP, and allows Internet Explorer to pass a delegated credential to allow a Web application to log in to subsequent Kerberized services on the user's behalf.

When an HTTP server wishes to perform SPNEGO, it returns a “401 Unauthorized” response to the HTTP request with the “WWW-Authorization: Negotiate” header. Internet Explorer then contacts the Ticket Granting Service (TGS) to obtain a service ticket.

It chooses a special Service Principal Name for the ticket request, which is:


The returned ticket is then wrapped in a SPNEGO token, which is encoded and sent back to the server using the HTTP request. The token is unwrapped and the ticket is authenticated.

Documentation / Reference

Discover More
Authentication - Method / Protocol / Scheme

The authentication methods / construct / protocol validates the identity of a user (ie validates who you are). The method is implemented by a (identify|authentication) provider. In the traditional...

Share this page:
Follow us:
Task Runner