I'm aware that SPNEGO is de-facto only used in the wild for Kerberos or NTLM. Is there any research / academic / educational example on how it can be also used for other mechanisms as well?

Eran Medan

1 Answer

There isn't really any other way to use it other than how it was designed because then you're not using SPNEGO, but some other protocol you've invented.

What I think you're asking is whether there are other mechanisms used out in the wild other than Kerberos and NTLM, and the answer to that is yes. A handful that I'm aware of are

  • Digest
  • NegoEx (an extension to the negotiate protocol that provides more knobs)
  • PKU2U (Kerberos derivative)

There are probably more, but these are the ones that are majorly used.

Steve
  • Yes, my phrasing was probably confusing, I indeed meant "whether there are other mechanisms used out in the wild other than Kerberos and NTLM" as an underlying mechanism under SPNEGO. Thanks! – Eran Medan Jul 17 '19 at 22:25
  • So, if I understand correctly, SPNEGO is non Kerberos/NTLM specific, but the SPNEGO HTTP Negotiate protocol (https://tools.ietf.org/html/rfc4559) is? – Eran Medan Jul 17 '19 at 22:33
  • No, RFC 4559 just describes how Kerberos is wrapped in SPNEGO. That doesn't preclude any additional protocols used. It just doesn't describe how other protocols are used. Something worth looking at is the extender protocol: https://datatracker.ietf.org/doc/draft-zhu-negoex/ – Steve Jul 18 '19 at 02:35
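
The thread's point that SPNEGO carries an ordered list of mechanism OIDs rather than being tied to Kerberos or NTLM can be seen by decoding the mechTypes field of a NegTokenInit. This is an added example, not part of the original posts; the sample token is constructed and the function names are this example's own.

```python
# Added example: list the mechanisms a client offers in a SPNEGO NegTokenInit (RFC 4178).
KNOWN = {  # well-known GSS-API mechanism OIDs; anything else is shown as a bare OID
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.3.6.1.4.1.311.2.2.30": "NegoEx",
}
SPNEGO_OID = "1.3.6.1.5.5.2"
# Constructed sample: a NegTokenInit offering NegoEx, Kerberos, NTLM and no mechToken.
SAMPLE = bytes.fromhex(
    "603306062b0601050502a0293027a0253023"
    "060a2b06010401823702021e" "06092a864886f712010202" "060a2b06010401823702020a")

def read_tlv(buf, pos, want):
    """Return (value, next_pos) of the DER element at pos, which must carry tag `want`."""
    if pos + 2 > len(buf) or buf[pos] != want:
        raise ValueError(f"expected tag {want:#x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:        # high bit clear marks the last byte of an arc
            arcs.append(val)
            val = 0
    if not arcs:
        raise ValueError("empty OID")
    x = min(arcs[0] // 40, 2)   # the first two arcs share the first subidentifier
    return ".".join(str(a) for a in [x, arcs[0] - 40 * x] + arcs[1:])

def offered_mechs(token):
    """Return the mechType OIDs, in preference order, from a GSS-API-framed NegTokenInit."""
    outer, _ = read_tlv(token, 0, 0x60)         # [APPLICATION 0] InitialContextToken
    this_mech, pos = read_tlv(outer, 0, 0x06)
    if decode_oid(this_mech) != SPNEGO_OID:
        raise ValueError("not a SPNEGO token")  # e.g. a raw Kerberos GSS token
    init, _ = read_tlv(outer, pos, 0xA0)        # NegotiationToken choice [0] negTokenInit
    seq, _ = read_tlv(init, 0, 0x30)
    mech_list, _ = read_tlv(read_tlv(seq, 0, 0xA0)[0], 0, 0x30)  # [0] mechTypes
    mechs, pos = [], 0
    while pos < len(mech_list):
        oid, pos = read_tlv(mech_list, pos, 0x06)
        mechs.append(decode_oid(oid))
    return mechs

def describe(token):
    return [KNOWN.get(oid, "unknown mechanism " + oid) for oid in offered_mechs(token)]
```

Calling `describe(SAMPLE)` returns the offered mechanisms in the client's preference order; an OID the table does not know is still reported, which is how a new mechanism would show up in a capture.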