What is SPNEGO and GSSAPI / Kerberos

Michael B Allen mba2000 at ioplex.com
Thu Mar 1 02:05:50 EST 2007


On Thu, 1 Mar 2007 11:53:24 +0530
Gayal <gayal.rupasinghe at gmail.com> wrote:

> Hello everybody,
> 
> I have a small doubt that I'd like to clear before my presentation for my
> university lecturers.
> 
> This is regarding Kerberos. I have seen some people in this list use the
> words GSSAPI and SPNEGO along with Kerberos.
> 
> What do GSSAPI and SPNEGO mean?
> 
> I've read that GSSAPI is a generic API for doing client-server
> authentication.
> Is GSSAPI a standard which governs Client - Server Authentication and
> protocols like NTLM and Kerberos are based on this?
> 
> Which one is the Original one GSSAPI or SPNEGO?

GSSAPI is an abstract interface backed by one or more "mechanisms". So
you write your code to use GSSAPI and specify the mechanism you want by
OID. GSSAPI mechanisms include but are not limited to Kerberos 5, OTP,
RPCSEC, NTLMSSP and SPKM. I personally have only ever seen Kerberos 5
and NTLMSSP used.

SPNEGO is a GSSAPI "pseudo mechanism" used to negotiate one of a number
of possible real mechanisms. SPNEGO was popularized almost entirely by
Microsoft Windows, which uses it to allow initiators and acceptors to
negotiate either Kerberos or NTLMSSP mechanisms.

NTLMSSP is a messaging protocol used to encapsulate and negotiate options
for exchanging the data associated with the NTLM challenge and response
authentication protocol.

SSPI is a programming API used by Microsoft Windows systems to perform a
variety of security related operations such as authentication. The tokens
generated and accepted by the SSPI are mostly compatible with the GSSAPI
(e.g. an SSPI client on Windows can authenticate with a GSSAPI server
on UNIX).

That covers most of the nomenclature I think.

Mike

PS: Do not copy this verbatim into your presentation or your instructor
may give you an F- for plagiarizing Wikipedia (I'm not plagiarizing since
I wrote the Wikipedia article this came from :-).

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
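The two ideas in Mike's reply (a GSSAPI mechanism is named by OID, and SPNEGO is a pseudo-mechanism whose first token carries a list of the real mechanisms the initiator offers) can be seen directly in the bytes of a SPNEGO NegTokenInit. The following is an added example and is not code from the message, the list, or any of the projects mentioned; it is a small hand-written DER encoder/decoder with no third-party dependencies, and the sample token it builds is constructed here for illustration. The OIDs are the standard ones for SPNEGO, Kerberos 5, Microsoft's Kerberos 5 variant and NTLMSSP. On the acceptor side, a decoder like this is what lets a server log which mechanisms a client offered, for example to notice sessions in which Kerberos was never on the table and NTLM was the only option.

```python
"""Build and decode a SPNEGO NegTokenInit (RFC 4178) well enough to read its
mechTypes list. Hypothetical helper code written for this example."""

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
MECH_NAMES = {KRB5_OID: "Kerberos 5", MS_KRB5_OID: "MS KRB5", NTLMSSP_OID: "NTLMSSP"}


def der_len(n: int) -> bytes:
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """Dotted OID string -> DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]          # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                # base-128, high bit = "more follows"
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    """DER OID contents octets -> dotted string (inverse of encode_oid)."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, position after the element) for buf[pos:]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def build_neg_token_init(mechs, mech_token: bytes = b"") -> bytes:
    """GSS InitialContextToken wrapping a NegTokenInit that offers `mechs`."""
    mech_list = tlv(0x30, b"".join(encode_oid(m) for m in mechs))
    fields = tlv(0xA0, mech_list)            # [0] mechTypes
    if mech_token:
        fields += tlv(0xA2, tlv(0x04, mech_token))  # [2] mechToken (opt.)
    neg_token_init = tlv(0xA0, tlv(0x30, fields))   # negTokenInit CHOICE [0]
    return tlv(0x60, encode_oid(SPNEGO_OID) + neg_token_init)  # [APPLICATION 0]


def offered_mechanisms(token: bytes):
    """Return the list of mechanism OIDs the initiator offered, in order."""
    tag, body, _ = read_tlv(token, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("token is not SPNEGO")
    tag, neg, _ = read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("not a NegTokenInit")
    _, seq, _ = read_tlv(neg, 0)             # NegTokenInit SEQUENCE
    tag, mech_types, _ = read_tlv(seq, 0)    # [0] mechTypes must come first
    if tag != 0xA0:
        raise ValueError("mechTypes missing")
    _, lst, _ = read_tlv(mech_types, 0)      # SEQUENCE OF MechType
    mechs, pos = [], 0
    while pos < len(lst):
        _, oid, pos = read_tlv(lst, pos)
        mechs.append(decode_oid(oid))
    return mechs


def describe(mechs):
    return [MECH_NAMES.get(m, f"unknown ({m})") for m in mechs]


def kerberos_offered(mechs) -> bool:
    """True if either Kerberos OID is in the offer (NTLM-only is the alternative)."""
    return any(m in (KRB5_OID, MS_KRB5_OID) for m in mechs)


if __name__ == "__main__":
    # Constructed sample: the order Windows clients typically use.
    sample = build_neg_token_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], b"\x00" * 4)
    offered = offered_mechanisms(sample)
    print(sample.hex())
    print(describe(offered), "kerberos offered:", kerberos_offered(offered))
```

The mechToken field is left opaque on purpose: it belongs to whichever real mechanism the initiator listed first (a Kerberos AP-REQ or an NTLMSSP NEGOTIATE message), which is exactly the layering Mike describes, SPNEGO on top, a concrete mechanism underneath.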
