The Generic Security Service Application Program Interface ( GSSAPI , also GSS-API ) is an application programming interface for programs to access security services.
6-589: Simple and Protected GSSAPI Negotiation Mechanism ( SPNEGO ), often pronounced "spenay-go", is a GSSAPI "pseudo mechanism" used by client-server software to negotiate the choice of security technology. SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports. The pseudo-mechanism uses a protocol to determine what common GSSAPI mechanisms are available, selects one and then dispatches all further security operations to it. This can help organizations deploy new security mechanisms in
12-641: A phased manner. SPNEGO's most visible use is in Microsoft 's "HTTP Negotiate" authentication extension. It was first implemented in Internet Explorer 5.01 and IIS 5.0 and provided single sign-on capability later marketed as Integrated Windows Authentication . The negotiable sub-mechanisms included NTLM and Kerberos , both used in Active Directory . The HTTP Negotiate extension was later implemented with similar support in: GSSAPI The GSSAPI
18-440: Is an IETF standard that addresses the problem of many similar but incompatible security services in use as of 2005 . The GSSAPI, by itself, does not provide any security. Instead, security-service vendors provide GSSAPI implementations - usually in the form of libraries installed with their security software. These libraries present a GSSAPI-compatible interface to application writers who can write their application to use only
24-489: The vendor-independent GSSAPI. If the security implementation ever needs replacing, the application need not be rewritten. The definitive feature of GSSAPI applications is the exchange of opaque messages ( tokens ) which hide the implementation detail from the higher-level application. The client and server sides of the application are written to convey the tokens given to them by their respective GSSAPI implementations. GSSAPI tokens can usually travel over an insecure network as
30-639: The identity of the remote user or remote host. The GSSAPI describes about 45 procedure calls. Significant ones include: The GSSAPI is standardized for the C (RFC 2744) language. Java implements the GSSAPI as JGSS, the Java Generic Security Services Application Program Interface. Some limitations of GSSAPI are: Anticipating new security mechanisms, the GSSAPI includes a negotiating pseudo mechanism , SPNEGO , that can discover and use new mechanisms not present when
36-542: The mechanisms provide inherent message security. After the exchange of some number of tokens, the GSSAPI implementations at both ends inform their local application that a security context is established. Once a security context is established, sensitive application messages can be wrapped (encrypted) by the GSSAPI for secure communication between client and server. Typical protections guaranteed by GSSAPI wrapping include confidentiality (secrecy) and integrity (authenticity). The GSSAPI can also provide local guarantees about
#994005