Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO), often pronounced "spenay-go", is a GSSAPI "pseudo mechanism" used by client-server software to negotiate the choice of security technology. SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports. The pseudo-mechanism uses a protocol to determine what common GSSAPI mechanisms are available, selects one and then dispatches all further security operations to it. This can help organizations deploy new security mechanisms in a phased manner.

SPNEGO's most visible use is in Microsoft's "HTTP Negotiate" authentication extension. It was first implemented in Internet Explorer 5.01 and IIS 5.0 and provided single sign-on capability later marketed as Integrated Windows Authentication. The negotiable sub-mechanisms included NTLM and Kerberos, both used in Active Directory. The HTTP Negotiate extension was later implemented with similar support in:



  1. ^ Mozilla bug 17578: I want Kerberos authentication and TGT forwarding
  2. ^ "Konqueror has SPNEGO support". Apache and Kerberos tutorial. Archived from the original on 19 April 2005. Retrieved 30 May 2005.
  3. ^ "Support for SPNEGO authentication". Google Chrome Enhancement Request. Archived from the original on 11 November 2012. Retrieved 20 November 2010.