
Troubleshooting HTTP Simple and Protected Negotiation Mechanism

February 1st, 2011

Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO)

1. A client requests (HTTP GET) a page from a server;
2. The server returns HTTP code 401 along with a header: “WWW-Authenticate: Negotiate” (Authentication Required, and we can negotiate);
3. The client then re-sends the request (HTTP GET), but this time with an authorisation header (“Authorization: Negotiate <token>”) along with three “MechTypes” (for example MS Kerberos 5, Kerberos 5 and NTLMSSP);
4. The server authenticates the client using one of the MechTypes (for example, on an IIS server the “supportedMech” used may be MS Kerberos 5), returning an HTTP 200 (OK) along with a final WWW-Authenticate header plus the data requested.

The next HTTP GET asks for another page and the procedure is repeated. This is normal behaviour: many HTTP client implementations make a separate connection per object requested, and the GET/401/GET sequence is the normal pattern for “SPNEGO” (Simple and Protected GSSAPI Negotiation Mechanism) authentication.

Wireshark filter to determine authentication method used in SPNEGO

Wireshark filter: spnego.supportedMech == 1.3.6.1.4.1.311.2.2.10 (this example matches server responses in which NTLMSSP was the mechanism selected; substitute one of the Kerberos OIDs below to find responses where Kerberos was used)

Object Identifiers (OID) for MechTypes:

1.2.840.113554.1.2.2 (Kerberos 5)
1.2.840.48018.1.2.2 (Microsoft Kerberos 5)
1.3.5.1.5.2 (Kerberos 5 OID 2)
1.3.6.1.4.1.311.2.2.10 (NLMP NTLM)
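To see what the Wireshark filter above matches, here is an added example (not code from the original post) that decodes the SPNEGO token carried in a Negotiate header: it lists the MechTypes a client offers in its NegTokenInit and the supportedMech a server selects in its NegTokenResp, mapped to the OIDs listed above. The SAMPLE_INIT and SAMPLE_RESP tokens and all function names are constructed for this example; a bare NTLMSSP token (a client that skipped SPNEGO) and the token-less 401 challenge are handled as edge cases.

```python
import base64
# MechType OIDs listed in the post, keyed to the names Wireshark shows for them.
MECH_NAMES = {"1.2.840.113554.1.2.2": "Kerberos 5", "1.2.840.48018.1.2.2": "Microsoft Kerberos 5",
              "1.3.5.1.5.2": "Kerberos 5 OID 2", "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """DER OID content octets -> dotted-decimal text (base-128 arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def _walk_oids(buf):
    """Yield every OID in a DER tree; OCTET STRINGs (the mechTokens) are not entered."""
    pos = 0
    while pos < len(buf):
        tag, content, pos = _read_tlv(buf, pos)
        if tag == 0x06:
            yield _decode_oid(content)
        elif tag & 0x20:  # constructed element (SEQUENCE, [n], APPLICATION): recurse
            yield from _walk_oids(content)

def decode_token(token):
    """Classify a Negotiate token and list the mechanisms it names, in order."""
    if token.startswith(b"NTLMSSP\x00"):  # bare NTLM sent with no SPNEGO wrapper
        return "raw NTLMSSP", ["NTLMSSP"]
    kind = "NegTokenInit" if token[0] == 0x60 else "NegTokenResp"
    oids = [o for o in _walk_oids(token) if o != "1.3.6.1.5.5.2"]  # skip the SPNEGO wrapper OID
    return kind, [MECH_NAMES.get(o, o) for o in oids]

def decode_negotiate(header_value):
    """'Negotiate [<base64>]' header value -> decode_token() result; a bare 401 challenge has no token."""
    parts = header_value.split(None, 1)
    return ("challenge", []) if len(parts) == 1 else decode_token(base64.b64decode(parts[1]))

# Constructed sample tokens (not captured traffic): a client NegTokenInit offering
# MS Kerberos 5, Kerberos 5 and NTLMSSP, and a server NegTokenResp selecting MS Kerberos 5.
SAMPLE_INIT = bytes.fromhex("6032 0606 2b0601050502 a028 3026 a024 3022 0609 2a864882f712010202"
                            " 0609 2a864886f712010202 060a 2b06010401823702020a")
SAMPLE_RESP = bytes.fromhex("a114 3012 a003 0a0100 a10b 0609 2a864882f712010202")
```

Feeding the base64 value of a captured Authorization or WWW-Authenticate header to decode_negotiate() gives the same MechType names the Wireshark filter keys on, so a NegTokenResp that names NTLMSSP is the fallback case the filter above is looking for.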
