The Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO)

GSSAPI solves the problem of providing a single API to different authentication mechanisms. However, it does not solve the problem of negotiating which mechanism to use: for GSSAPI to work, the two applications communicating with each other must know and agree ahead of time which authentication mechanism they will use. Since most GSSAPI implementations only support one mechanism anyway (namely, Kerberos 5), this is usually not a problem. However, if there are multiple mechanisms to choose from, a method is needed to negotiate a mechanism that both client and server support, and to do so securely, so that an attacker on the path cannot strip the stronger mechanisms from the client's offer and force both sides down to a weaker one. SPNEGO, originally documented in RFC 2478 (since superseded by RFC 4178, which clarifies how the offered mechanism list is integrity-protected), performs this function.

Microsoft includes an implementation of SPNEGO in its Kerberos and SSPI implementation in Windows 2000 and above. At the time of writing there was no widely accepted open source SPNEGO implementation for Unix, though work was under way; both MIT Kerberos and Heimdal have since added one. In addition, Microsoft has some sample code on its web site that provides a simple way to parse SPNEGO messages, as part of its three-part article on HTTP authentication through the Negotiate protocol, available at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/http-sso-1.asp. Many Microsoft-based products, including Exchange SMTP, file services through SMB, and web authentication with IE and IIS, use SPNEGO to negotiate an authentication mechanism.
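To make the negotiation concrete, the following example (added here; it is not code from the book, from Microsoft's sample, or from any Kerberos distribution) builds the client's initial SPNEGO token with a DER-encoded mechTypes list, parses it on the server side the way the Microsoft sample parses SPNEGO messages, selects the client's most preferred mechanism that the server also supports, and then checks the mechListMIC that catches an attacker who edits the list in transit. The mechanism OIDs are the real ones; the HMAC used for the MIC is a stand-in for GSS_GetMIC under the negotiated mechanism, and the session key and the placeholder mechToken are constructed for the demonstration.

```python
import hashlib
import hmac

# Mechanism OIDs as they appear on the wire in SPNEGO mechTypes lists.
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"     # Microsoft's legacy Kerberos OID
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"


def der_len(n):
    """DER length: short form below 128, otherwise 0x8N followed by N bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]   # sufficient for the 1.x OIDs used here
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_tlv(buf, pos=0):
    """Return (tag, body, position after this element) for one DER TLV."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def build_neg_token_init(mech_types, mech_token=b""):
    """Client's first token: [APPLICATION 0] { SPNEGO OID, [0] NegTokenInit }."""
    mech_list = der(0x30, b"".join(encode_oid(o) for o in mech_types))
    fields = der(0xA0, mech_list)                      # [0] mechTypes
    if mech_token:
        fields += der(0xA2, der(0x04, mech_token))     # [2] mechToken
    return der(0x60, encode_oid(SPNEGO_OID) + der(0xA0, der(0x30, fields)))


def parse_neg_token_init(token):
    """Server side: return (mechTypes as dotted OIDs, raw mechTypes DER, mechToken)."""
    tag, body, _ = parse_tlv(token)
    tag2, oid, pos = parse_tlv(body)
    if tag != 0x60 or tag2 != 0x06 or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("not a SPNEGO initial context token")
    tag, inner, _ = parse_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("expected NegTokenInit")
    _, seq, _ = parse_tlv(inner)
    mech_types, mech_list_der, mech_token, p = [], b"", None, 0
    while p < len(seq):
        tag, fbody, p = parse_tlv(seq, p)
        if tag == 0xA0:
            mech_list_der = fbody                      # exact bytes the MIC covers
            _, lst, _ = parse_tlv(fbody)
            q = 0
            while q < len(lst):
                _, ob, q = parse_tlv(lst, q)
                mech_types.append(decode_oid(ob))
        elif tag == 0xA2:
            _, mech_token, _ = parse_tlv(fbody)
    return mech_types, mech_list_der, mech_token


def select_mechanism(client_mechs, server_mechs):
    """Acceptor picks the initiator's most preferred mechanism that it supports."""
    return next((m for m in client_mechs if m in server_mechs), None)


def mech_list_mic(key, mech_list_der):
    # Stand-in for GSS_GetMIC under the negotiated mechanism (assumption): the
    # real MIC is keyed by the context the chosen mechanism establishes.
    return hmac.new(key, mech_list_der, hashlib.sha256).digest()


def negotiate(client_mechs, server_mechs, attacker_strips=()):
    """Run one negotiation; return (chosen mechanism, whether the mechListMIC verified)."""
    key = b"session-key-from-negotiated-mechanism"   # constructed stand-in
    client_token = build_neg_token_init(client_mechs, b"\x60\x01\x00")
    # The mechTypes list travels unprotected, so an on-path attacker can rewrite it...
    on_wire = build_neg_token_init(
        [m for m in client_mechs if m not in attacker_strips], b"\x60\x01\x00")
    seen, server_list_der, _ = parse_neg_token_init(on_wire)
    chosen = select_mechanism(seen, server_mechs)
    # ...but the MIC the client later sends covers the list it actually offered.
    _, client_list_der, _ = parse_neg_token_init(client_token)
    mic_ok = hmac.compare_digest(mech_list_mic(key, client_list_der),
                                 mech_list_mic(key, server_list_der))
    return chosen, mic_ok
```

With a client offering Kerberos, Microsoft Kerberos and NTLMSSP in that order and a server supporting NTLMSSP and Kerberos, `negotiate` picks Kerberos and the MIC verifies; if the attacker strips both Kerberos OIDs the server selects NTLMSSP, and the MIC mismatch is the only thing that tells either side the list was tampered with. A real implementation must therefore treat a missing or failed mechListMIC as a negotiation failure rather than proceed with the weaker mechanism.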
