
SPNEGO: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
m →‎References: accessdate parameter fix using AWB
Line 44: Line 44:


== References ==
== References ==
* {{cite web | title=Internet Drafts of RFC 2478 | work=All (Current & Expired) Internet Drafts Collection - Drafts | url=http://potaroo.net/ietf/idref/rfc2478/ | accessmonthday=May 28 | accessyear=2005}}
* {{cite web | title=Internet Drafts of RFC 2478 | work=All (Current & Expired) Internet Drafts Collection - Drafts | url=http://potaroo.net/ietf/idref/rfc2478/ | accessdate=May 28, 2005}}
* [https://bugzilla.mozilla.org/show_bug.cgi?id=17578 Mozilla bug 17578: I want Kerberos authentication and TGT forwarding]
* [https://bugzilla.mozilla.org/show_bug.cgi?id=17578 Mozilla bug 17578: I want Kerberos authentication and TGT forwarding]
* {{cite web | url=http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/http-sso-1.asp | title=HTTP-Based Cross-Platform Authentication via the Negotiate Protocol | work=Microsoft Developer Network (MSDN) library | accessmonthday=May 28 | accessyear=2005}}
* {{cite web | url=http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/http-sso-1.asp | title=HTTP-Based Cross-Platform Authentication via the Negotiate Protocol | work=Microsoft Developer Network (MSDN) library | accessdate=May 28, 2005}}
* {{cite web | url=http://article.gmane.org/gmane.comp.kde.devel.kfm/6300 | title=Konqueror has SPNEGO support | work=Apache and Kerberos tutorial | accessmonthday=May 30 | accessyear=2005}}
* {{cite web | url=http://article.gmane.org/gmane.comp.kde.devel.kfm/6300 | title=Konqueror has SPNEGO support | work=Apache and Kerberos tutorial | accessdate=May 30, 2005}}
* {{cite web | url= http://www.grolmsnet.de/kerbtut/| title=using mod_auth_kerb and Windows 2000/2003 as KDC | work=Tutorial | accessdate=December 2 | accessyear=2005}}
* {{cite web | url= http://www.grolmsnet.de/kerbtut/| title=using mod_auth_kerb and Windows 2000/2003 as KDC | work=Tutorial | accessdate=December 2 | accessyear=2005}}
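Review bot: the last entry (the grolmsnet.de mod_auth_kerb tutorial) is left unchanged with `accessdate=December 2 | accessyear=2005`, so the accessdate fix named in the edit summary is incomplete. The other four entries were rewritten from `accessmonthday=… | accessyear=…` to the single `accessdate=May 28, 2005` form; this one should become `accessdate=December 2, 2005` with `accessyear` dropped, otherwise the template still sees a dateless `accessdate` and an unknown `accessyear` parameter.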



Revision as of 23:01, 14 June 2009

SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) is a GSSAPI "pseudo mechanism" that is used to negotiate one of a number of possible real mechanisms.

SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports.

The pseudo-mechanism uses a protocol to determine which GSSAPI mechanisms the two ends have in common, selects one, and then dispatches all further security operations to that mechanism. Because the offered mechanism list is exactly what an attacker on the path would alter to force the weakest common option, the negotiation itself is integrity-protected: once the chosen mechanism has established a context, each side computes a MIC over the mechanism list under that context, so a stripped or reordered list is detected (this is the "Protected" in the name). This can help organizations deploy new security mechanisms in a phased manner.

SPNEGO's most visible use is in Microsoft's "HTTP Negotiate" authentication extension. It was first implemented in Internet Explorer 5.01 and IIS 5.0 and provided single sign-on capability later marketed as Integrated Windows Authentication. The negotiable sub-mechanisms included NTLM and Kerberos, both used in Active Directory.

The HTTP Negotiate extension was later implemented with similar support in:

History of the SPNEGO standard

  1. 19 February 1996 - Eric Baize and Denis Pinkas publish the internet draft Simple GSS-API Negotiation Mechanism (draft-ietf-cat-snego-01.txt).
  2. 17 October 1996 - The mechanism is assigned the object identifier 1.3.6.1.5.5.2 and is abbreviated snego.
  3. 25 March 1997 - Optimistic piggybacking of one mechanism's initial token is added. This saves a round trip.
  4. 22 April 1997 - The "preferred" mechanism concept is introduced. The draft standard's name is changed from just "Simple" to "Simple and Protected" (spnego).
  5. 16 May 1997 - Context flags are added (delegation, mutual auth, etc.). Defenses are provided against attacks on the new "preferred" mechanism.
  6. 22 July 1997 - More context flags are added (integrity and confidentiality).
  7. 18 November 1997 - The rules for selecting the common mechanism are relaxed. Mechanism preference is integrated into the mechanism list.
  8. 4 March 1998 - An optimisation is made for an odd number of exchanges. The mechanism list itself is made optional.
  9. December 1998 - DER encoding is chosen to disambiguate how the MIC is calculated. The draft is submitted for standardisation as RFC 2478.
  10. October 2005 - Interoperability with Microsoft implementations is addressed. Some constraints are improved and clarified and defects corrected. Published as RFC 4178; strict implementations of the now-obsoleted RFC 2478 do not interoperate with it.
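The following is a worked model of the exchange described above (the mechanism list, the optimistic initial token that saves a round trip, and the MIC over the DER-encoded mechanism list that makes the negotiation "Protected", the features the 1997 and 1998 drafts in the history introduced). It is an added example written for this page, not code from the page or from any real SPNEGO implementation. The SPNEGO OID is the one given on the page; the Kerberos V5 (1.2.840.113554.1.2.2) and Microsoft NTLMSSP (1.3.6.1.4.1.311.2.2.10) OIDs are the standard registered values and are not from the page. Only the DER OID and SEQUENCE encoding is real; the token framing omits the ASN.1 NegTokenInit/NegTokenResp wrappers, the entries in SESSION_KEYS are constructed placeholders for the key each mechanism would actually establish, and HMAC-SHA256 stands in for the selected mechanism's GSS_GetMIC.

```python
"""Model of a SPNEGO-style negotiation: mechanism list, optimistic token
and the mechListMIC that detects a stripped mechanism list.

Added example for this page; not taken from the page or from any real
SPNEGO implementation. Only the DER OID / SEQUENCE encoding is real;
token framing, session keys and the MIC primitive are simplified models.
"""
import hashlib
import hmac

SPNEGO_OID = "1.3.6.1.5.5.2"            # assigned to snego in Oct 1996 (from the page)
KERBEROS_OID = "1.2.840.113554.1.2.2"   # Kerberos V5 mechanism (RFC 1964), not from the page
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"  # Microsoft NTLMSSP mechanism, not from the page

# Constructed placeholders for the session key each mechanism would establish;
# a real stack takes this from the Kerberos AP exchange / NTLM key exchange.
SESSION_KEYS = {
    KERBEROS_OID: b"krb5-session-key-demo",
    NTLMSSP_OID: b"ntlm-session-key-demo",
}


def der_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER (tag 0x06): first two arcs packed as 40*a+b,
    remaining arcs base-128 with a continuation bit; short-form length only."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(chunk)
    if len(body) >= 128:
        raise ValueError("long-form DER length not modelled here")
    return bytes([0x06, len(body)]) + bytes(body)


def der_mech_list(oids) -> bytes:
    """DER SEQUENCE OF OID: the MechTypeList the MIC is computed over.
    DER rather than BER so both sides MIC byte-identical input."""
    inner = b"".join(der_oid(o) for o in oids)
    if len(inner) >= 128:
        raise ValueError("long-form DER length not modelled here")
    return bytes([0x30, len(inner)]) + inner


def mech_list_mic(key: bytes, oids) -> bytes:
    """mechListMIC: integrity check over the DER MechTypeList keyed with the
    selected mechanism's context. HMAC-SHA256 stands in for GSS_GetMIC."""
    return hmac.new(key, der_mech_list(oids), hashlib.sha256).digest()


def client_init(mechs):
    """NegTokenInit: mechTypes in preference order plus an optimistic initial
    token for mechTypes[0] (the round-trip saver from the March 1997 draft)."""
    return {"mechTypes": list(mechs),
            "mechToken": (mechs[0], b"INIT:" + mechs[0].encode())}


def server_select(init, supported):
    """NegTokenResp: pick the first client-preferred mechanism we support.
    If it is the one the optimistic token was for, the context completes
    now; otherwise the client must send a fresh token for supportedMech."""
    for mech in init["mechTypes"]:
        if mech in supported:
            break
    else:
        return {"negState": "reject"}
    optimistic_mech, _token = init["mechToken"]
    state = "accept-completed" if mech == optimistic_mech else "accept-incomplete"
    return {"negState": state, "supportedMech": mech}


def negotiate(client_mechs, server_mechs, tamper=None):
    """Run the exchange end to end. `tamper` optionally rewrites mechTypes in
    flight, modelling an on-path attacker forcing a weaker mechanism.
    Returns 'rejected', 'downgrade-detected' or '<negState>:<mech>'."""
    init = client_init(client_mechs)
    on_wire = dict(init)
    if tamper is not None:
        on_wire["mechTypes"] = tamper(list(init["mechTypes"]))
    resp = server_select(on_wire, server_mechs)
    if resp["negState"] == "reject":
        return "rejected"
    mech = resp["supportedMech"]
    key = SESSION_KEYS[mech]  # key established by the selected mechanism
    # The server MICs the list as it received it ...
    resp["mechListMIC"] = mech_list_mic(key, on_wire["mechTypes"])
    # ... and the client verifies against the list it actually sent.
    expected = mech_list_mic(key, init["mechTypes"])
    if not hmac.compare_digest(expected, resp["mechListMIC"]):
        return "downgrade-detected"
    return f"{resp['negState']}:{mech}"


if __name__ == "__main__":
    both = [KERBEROS_OID, NTLMSSP_OID]
    print(negotiate(both, {KERBEROS_OID, NTLMSSP_OID}))  # completes in one round trip
    print(negotiate(both, {NTLMSSP_OID}))                 # legitimate fallback, extra leg
    strip_krb = lambda m: [x for x in m if x != KERBEROS_OID]
    print(negotiate(both, {KERBEROS_OID, NTLMSSP_OID}, tamper=strip_krb))
```

The third call is the case the "Protected" half of the name exists for: the attacker strips Kerberos so the server legitimately selects NTLM, but the server's MIC covers the list it saw while the client checks it against the list it sent, and the mismatch is caught before any application data flows. The model always performs the MIC step; RFC 4178 only mandates it when the selected mechanism is not the client's first preference, which is exactly the case a downgrade produces.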

References

  • "Internet Drafts of RFC 2478". All (Current & Expired) Internet Drafts Collection - Drafts. Retrieved May 28, 2005.
  • Mozilla bug 17578: I want Kerberos authentication and TGT forwarding
  • "HTTP-Based Cross-Platform Authentication via the Negotiate Protocol". Microsoft Developer Network (MSDN) library. Retrieved May 28, 2005.
  • "Konqueror has SPNEGO support". Apache and Kerberos tutorial. Retrieved May 30, 2005.
  • "using mod_auth_kerb and Windows 2000/2003 as KDC". Tutorial. Retrieved December 2, 2005.