What is SPNEGO and GSSAPI / Kerberos

Gayal gayal.rupasinghe at gmail.com
Thu Mar 1 02:53:19 EST 2007

Who is officially governing the GSSAPI and SPNEGO standards? Is it IETF?

On 3/1/07, Michael B Allen <mba2000 at ioplex.com> wrote:
> On Thu, 1 Mar 2007 11:53:24 +0530
> Gayal <gayal.rupasinghe at gmail.com> wrote:
> > Hello everybody,
> >
> > I have a small doubt that I'd like to clear up before my presentation for my
> > university lecturers.
> >
> > This is regarding Kerberos. I have seen some people on this list use the
> > words GSSAPI and SPNEGO along with Kerberos.
> >
> > What do GSSAPI and SPNEGO mean?
> >
> > I've read that GSSAPI is a generic API for doing client-server
> > authentication.
> > Is GSSAPI a standard which governs client-server authentication, and
> > are protocols like NTLM and Kerberos based on this?
> >
> > Which one is the original one, GSSAPI or SPNEGO?
>
> GSSAPI is an abstract interface backed by one or more "mechanisms". So
> you write your code to use GSSAPI and specify the mechanism you want by
> OID. GSSAPI mechanisms include but are not limited to Kerberos 5, OTP,
> RPCSEC, NTLMSSP and SPKM. I personally have only ever seen Kerberos 5
> and NTLMSSP used.
>
> SPNEGO is a GSSAPI "pseudo mechanism" used to negotiate one of a number
> of possible real mechanisms. SPNEGO was popularized almost entirely by
> Microsoft Windows which uses it to allow initiators and acceptors to
> negotiate either Kerberos or NTLMSSP mechanisms.
>
> NTLMSSP is a messaging protocol used to encapsulate and negotiate options
> for exchanging the data associated with the NTLM challenge and response
> authentication protocol.
>
> SSPI is a programming API used by Microsoft Windows systems to perform a
> variety of security related operations such as authentication. The tokens
> generated and accepted by the SSPI are mostly compatible with the GSSAPI
> (e.g. an SSPI client on Windows can authenticate with a GSSAPI server
> on UNIX).
>
> That covers most of the nomenclature I think.
>
> Mike
>
> PS: Do not copy this verbatim into your presentation or your instructor
> may give you an F- for plagiarizing Wikipedia (I'm not plagiarizing since
> I wrote the Wikipedia article this came from :-).
> --
> Michael B Allen
> PHP Active Directory SSO
> http://www.ioplex.com/

Gayal Rupasinghe
"Only wimps use tape backup: real men just upload their important stuff  on
ftp, and let the rest of the world mirror it"
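
The mechanism-by-OID selection and SPNEGO negotiation described in the quoted reply, as an added example that is not part of the original thread: a minimal DER walker that lists, in preference order, the mechanism OIDs offered in a SPNEGO NegTokenInit, which is how a defender can see whether NTLMSSP is offered alongside Kerberos. The function names and the sample token are constructed for illustration; the sample omits the optional mechToken field.

```python
# OIDs a SPNEGO initiator commonly offers; names are for display only.
KNOWN_MECHS = {"1.2.840.113554.1.2.2": "Kerberos 5",
               "1.2.840.48018.1.2.2": "Kerberos 5 (legacy Microsoft OID)",
               "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}
SPNEGO_OID = "1.3.6.1.5.5.2"

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Turn DER OID content bytes into dotted-decimal form."""
    arcs, value = [], 0
    for byte in content:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # a clear high bit ends this base-128 number
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)  # the first number packs the two leading arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def offered_mechs(token):
    """List (oid, name) pairs, in preference order, from a SPNEGO NegTokenInit."""
    tag, body, _ = read_tlv(token, 0)  # 0x60 wraps a GSSAPI initial context token
    if tag != 0x60:
        raise ValueError("not a GSSAPI initial context token")
    tag, oid, pos = read_tlv(body, 0)  # OID naming the mechanism of this token
    if tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("outer mechanism is not SPNEGO")
    for expected in (0xA0, 0x30, 0xA0, 0x30):  # [0] NegTokenInit, SEQUENCE, [0] mechTypes, SEQUENCE OF
        tag, body, _ = read_tlv(body, pos)
        if tag != expected:
            raise ValueError("unexpected NegTokenInit structure")
        pos = 0
    mechs = []
    while pos < len(body):
        tag, oid, pos = read_tlv(body, pos)
        dotted = decode_oid(oid)
        mechs.append((dotted, KNOWN_MECHS.get(dotted, "unknown")))
    return mechs

# Constructed sample: NegTokenInit offering Kerberos 5 first, then NTLMSSP.
SAMPLE = bytes.fromhex("602706062b0601050502a01d301ba0193017"
                       "06092a864886f712010202060a2b06010401823702020a")
```

`offered_mechs(SAMPLE)` returns the Kerberos 5 OID followed by the NTLMSSP OID; a raw NTLMSSP message that is not wrapped in SPNEGO raises `ValueError`.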
