SPNEGO

SPNEGO, short for Simple and Protected GSS-API Negotiation Mechanism, is a GSS-API mechanism designed to negotiate the choice of security mechanism between a client and a server. It allows two endpoints that implement GSS-API to agree on a common authentication method when multiple options are available, such as Kerberos v5 and NTLM. SPNEGO itself does not perform authentication; instead, it selects the underlying mechanism that will provide the authentication and protection services. The mechanism is defined in RFC 4178.

The negotiation works by exchanging SPNEGO tokens that carry a list of supported mechanisms and subsequent

SPNEGO is widely used to implement the HTTP Negotiate authentication scheme, enabling Kerberos-based authentication over HTTP

See also: GSS-API, Kerberos, NTLM, HTTP Negotiate.