SPNEGO

Description

SPNEGO is an HTTP authentication mechanism which uses GSS-API to select an underlying mechanism such as Kerberos or NTLM. It is supported by Firefox and Chromium, and by Apache if the mod_auth_kerb module is installed.

SPNEGO is also known as ‘integrated authentication’ or ‘negotiate authentication’. Be aware that it does not by itself protect the HTTP request or response from tampering. For this and other reasons it should normally be used in combination with an encryption mechanism such as TLS/SSL.

microHOWTOs

• Configure Apache to use Kerberos authentication
• Configure Chromium to authenticate using SPNEGO and Kerberos
• Configure Firefox to authenticate using SPNEGO and Kerberos

See also

• GSS-API
• Kerberos

Further reading

• E Baize and D Pinkas, The Simple and Protected GSS-API Negotiation Mechanism, RFC 2478, IETF, December 1998
• Integrated Authentication, Mozilla Developer Network

• Conventions
• Privacy
• Legal