{"id":1485,"date":"2011-02-01T20:13:09","date_gmt":"2011-02-01T20:13:09","guid":{"rendered":"http:\/\/mccltd.net\/blog\/?p=1485"},"modified":"2012-03-02T21:23:24","modified_gmt":"2012-03-02T21:23:24","slug":"troubleshooting-http-simple-and-protected-negotiation-mechanism-spnego","status":"publish","type":"post","link":"http:\/\/darenmatthews.com\/blog\/?p=1485","title":{"rendered":"Troubleshooting HTTP Simple and Protected Negotiation Mechanism"},"content":{"rendered":"<p>Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO)<\/p>\n<p>1.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 A client requests (HTTP GET) a page from a server;<br \/>\n2.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 The server returns HTTP code 401 along with a header: \u201cWWW-Authenticate: Negotiate\u201d (Authentication Required, and we can negotiate);<br \/>\n3.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 The client then re-sends the request (HTTP GET), but this time with an authorisation header (\u201cAuthorization: Negotiate \u201d) along with three \u201cMechTypes\u201d (for example MS Kerberos 5, Kerberos 5 and NTLMSSP);<\/p>\n<p>4.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 The server authenticates the client using one of the MechTypes (for example, the \u201csupportedMech\u201d used by an IIS server may be MS Kerberos 5), returning an HTTP 200 (OK) along with the last authenticate header plus the data requested.<\/p>\n<p><!--more-->The next HTTP GET asks for another page and the procedure is repeated. 
This is normal behaviour, as many HTTP client implementations make a separate connection per object request, and the GET\/401\/GET exchange is normal for \u201cSPNEGO\u201d authentication (meaning Simple and Protected GSSAPI Negotiation Mechanism).<\/p>\n<p><strong>Wireshark filter to determine authentication method used in SPNEGO<\/strong><\/p>\n<p>Wireshark filter (this one matches NTLM as the selected mechanism; substitute an OID from the list below for the others): spnego.supportedMech == 1.3.6.1.4.1.311.2.2.10<\/p>\n<p>Object Identifiers (OID) for MechTypes:<\/p>\n<p>1.2.840.113554.1.2.2 (Kerberos 5)<br \/>\n1.2.840.48018.1.2.2 (Microsoft Kerberos 5)<br \/>\n1.3.5.1.5.2 (Kerberos 5 OID 2)<br \/>\n1.3.6.1.4.1.311.2.2.10 (NLMP NTLM)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) 1.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 A client requests (HTTP GET) a page from a server; 2.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 The server returns HTTP code 401 along with a header: \u201cWWW-Authenticate: Negotiate\u201d (Authentication Required, and we can negotiate); 3.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 The client then re-sends the request (HTTP GET) but this time with an authorisation header (\u201cAuthorization: Negotiate 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1485"}],"collection":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1485"}],"version-history":[{"count":4,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1485\/revisions"}],"predecessor-version":[{"id":1489,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1485\/revisions\/1489"}],"wp:attachment":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1485"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1485"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1485"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}