Projects/SPNEGO Hints

This project was completed in release 1.7.

This project was implemented on the mskrb-integ branch in December 2008 and was merged onto the trunk in January 2009. This page serves to briefly describe the work after the fact.

SPNEGO is a GSSAPI pseudo-mechanism, documented in RFC 4178, which negotiates among other mechanisms (such as krb5) between a client and a server. The normal protocol sequence is for the initiator to send a list of supported mechanisms to the acceptor along with an optimistic token for the most preferred mechanism, then for the acceptor to choose a mechanism and continue or restart the context establishment process, and finally for message integrity codes to be exchanged (in some cases) to protect against downgrade attacks.

The Microsoft SPNEGO implementation supports an extension where the initiator can send a zero-length token to the acceptor to request a "negotiation hints" structure containing the server's name and list of supported mechanisms. Although this extension is not required by Microsoft products to our knowledge, some versions of Samba require it for SMB and LDAP.
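The following Python is an added example, not code from the MIT krb5 project or from this page, showing the two acceptor-side cases the paragraphs above describe: a normal NegTokenInit carrying a mechanism list and an optimistic token (RFC 4178), and the zero-length input token that the Microsoft extension treats as a request for negotiation hints. The OIDs are the registered values for SPNEGO, Kerberos, the Microsoft Kerberos variant and NTLMSSP; the DER encoder, decoder and the decision labels ("hints-request", "accept-optimistic", "restart", "reject") are this example's own and are not the RFC's state names. The mechListMIC exchange that protects against downgrade is not modelled here.

```python
"""Minimal DER handling for a SPNEGO NegTokenInit (RFC 4178) plus the
zero-length hints request from MS-SPNG.  Constructed example: OIDs are the
real registered values, all function names and result labels are illustrative."""

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"


def der_len(n: int) -> bytes:
    """DER definite-length encoding (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # base-128, high bit set on all but last
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, next_pos) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4:           # indefinite or absurd lengths are not DER
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    body = buf[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated DER element")
    return tag, body, pos + length


def build_neg_token_init(mech_oids, optimistic_token: bytes = b"") -> bytes:
    """Initiator side: InitialContextToken { SPNEGO OID, negTokenInit [0] }."""
    fields = tlv(0xA0, tlv(0x30, b"".join(encode_oid(o) for o in mech_oids)))
    if optimistic_token:              # mechToken [2] OCTET STRING, for mechTypes[0]
        fields += tlv(0xA2, tlv(0x04, optimistic_token))
    return tlv(0x60, encode_oid(SPNEGO_OID) + tlv(0xA0, tlv(0x30, fields)))


def parse_neg_token_init(token: bytes):
    """Return (mech_oids, optimistic_token); reqFlags/mechListMIC are skipped."""
    tag, body, _ = read_tlv(token)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid_body, pos = read_tlv(body)
    if tag != 0x06 or decode_oid(oid_body) != SPNEGO_OID:
        raise ValueError("not a SPNEGO token")
    tag, init, _ = read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("expected negTokenInit [0]")
    _, seq, _ = read_tlv(init)
    mechs, opt, pos = [], b"", 0
    while pos < len(seq):
        tag, field, pos = read_tlv(seq, pos)
        if tag == 0xA0:                # mechTypes [0] SEQUENCE OF OID
            _, lst, _ = read_tlv(field)
            p = 0
            while p < len(lst):
                _, oid_body, p = read_tlv(lst, p)
                mechs.append(decode_oid(oid_body))
        elif tag == 0xA2:              # mechToken [2] OCTET STRING
            _, opt, _ = read_tlv(field)
    return mechs, opt


ACCEPTOR_MECHS = (KRB5_OID, MS_KRB5_OID)   # constructed acceptor policy


def acceptor_decide(token: bytes, supported=ACCEPTOR_MECHS):
    """Acceptor side: empty token => hints request; else choose a mechanism."""
    if len(token) == 0:
        return ("hints-request", None)
    mechs, opt = parse_neg_token_init(token)
    for m in mechs:                    # honour the initiator's preference order
        if m in supported:
            # The optimistic token is only usable if it was produced for the
            # mechanism we actually chose, i.e. the initiator's first choice.
            if m == mechs[0] and opt:
                return ("accept-optimistic", m)
            return ("restart", m)      # initiator must re-run with this mech
    return ("reject", None)
```

Run against the constructed inputs in the test, `acceptor_decide(b"")` yields the hints case, a list led by an unsupported mechanism forces a restart with the first common one, and a list of only unsupported mechanisms is rejected; the Samba behaviour mentioned above corresponds to the acceptor answering the first case with a NegHints structure rather than an error.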

The NegHints structure is documented in MS-SPNG.