SPNEGO

SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism), often pronounced "spen-go", is a GSSAPI "pseudo mechanism" that is used to negotiate one of a number of possible real mechanisms.

SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports.

The pseudo-mechanism uses a protocol to determine what common GSSAPI mechanisms are available, selects one and then dispatches all further security operations to it. This can help organizations deploy new security mechanisms in a phased manner.

SPNEGO's most visible use is in Microsoft's "HTTP Negotiate" authentication extension. It was first implemented in Internet Explorer 5.01 and IIS 5.0 and provided single sign-on capability later marketed as Integrated Windows Authentication. The negotiable sub-mechanisms included NTLM and Kerberos, both used in Active Directory.

The HTTP Negotiate extension was later implemented with similar support in:

  • Mozilla 1.7 beta
  • Mozilla Firefox 0.9
  • Konqueror 3.3.1
  • Google Chrome 6.0.472
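
To see which sub-mechanisms a client actually offers in an HTTP Negotiate exchange, the initial SPNEGO token can be decoded. The following Python is an added example, not part of the original page: the function names and the sample token are constructed for illustration, and the OIDs are the well-known registered values for SPNEGO, Kerberos 5 and NTLMSSP, which the page itself does not list.

```python
import base64

SPNEGO_OID = bytes.fromhex("2b0601050502")  # 1.3.6.1.5.5.2
MECHS = {  # DER-encoded OID body -> label
    bytes.fromhex("2a864886f712010202"): "Kerberos 5 (1.2.840.113554.1.2.2)",
    bytes.fromhex("2a864882f712010202"): "Kerberos 5, legacy Microsoft OID (1.2.840.48018.1.2.2)",
    bytes.fromhex("2b06010401823702020a"): "NTLMSSP (1.3.6.1.4.1.311.2.2.10)",
}
# Constructed sample: NegTokenInit offering Kerberos 5 then NTLMSSP, no mechToken.
SAMPLE = "Negotiate " + base64.b64encode(bytes.fromhex(
    "6027 06062b0601050502 a01d 301b a019 3017 "
    "06092a864886f712010202 060a2b06010401823702020a")).decode()

def read_tlv(buf, pos, want):
    """Read the DER element at buf[pos], requiring tag `want`; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != want:
        raise ValueError(f"expected DER tag 0x{want:02x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def offered_mechs(header_value):
    """Return the mechanisms offered in 'Negotiate <base64>', in preference order."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate credential")
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):  # bare NTLM message, nothing negotiated
        return ["NTLMSSP (raw message, no SPNEGO wrapper)"]
    gss, _ = read_tlv(token, 0, 0x60)        # [APPLICATION 0] GSS-API framing
    oid, pos = read_tlv(gss, 0, 0x06)        # mechanism OID of the outer token
    if oid != SPNEGO_OID:
        raise ValueError("initial token is not SPNEGO")
    init, _ = read_tlv(gss, pos, 0xA0)       # [0] NegTokenInit
    seq, _ = read_tlv(init, 0, 0x30)         # SEQUENCE of NegTokenInit fields
    wrapped, _ = read_tlv(seq, 0, 0xA0)      # [0] mechTypes
    mech_list, _ = read_tlv(wrapped, 0, 0x30)
    names, pos = [], 0
    while pos < len(mech_list):
        oid, pos = read_tlv(mech_list, pos, 0x06)
        names.append(MECHS.get(oid, "unknown OID " + oid.hex()))
    return names

if __name__ == "__main__":
    print(offered_mechs(SAMPLE))
```

Run over logged `Authorization` header values, this shows where NTLM is still being offered or sent without any negotiation, which is useful when phasing a mechanism out.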
