Kerberos and SPNEGO

Kerberos is a network authentication protocol for client/server applications, and SPNEGO provides a mechanism for extending Kerberos to Web applications through the standard HTTP protocol.



Kerberos is an authentication protocol that allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.


Kerberos was developed by the Massachusetts Institute of Technology (MIT) as a solution to its network security problems. It was named after the Greek mythological character Kerberos (or Cerberus). Several versions of the protocol exist; the latest is version 5, specified in RFC 4120 and released in 2005.


The idea is simple: to use a service, you need a ticket for that service. To obtain one, you contact the Ticket Granting Service (TGS), which issues a service ticket. Once the ticket is obtained, you present it to gain access to the intended service offered by a Service Server (SS).

Extracted from the Microsoft TechNet article "Kerberos Explained".


Kerberos is normally deployed in a client/server environment. It is rarely used in web applications and thin-client environments.



This is where SPNEGO comes in. It stands for Simple and Protected GSS-API Negotiation Mechanism, and it provides a way to extend a Kerberos-based single sign-on environment to web applications.


The following diagram shows how a client application obtains a service from a web application over the standard HTTP protocol. Basically:

  • When an application (e.g. a browser) on the PC attempts to access a protected page on the web server, the server responds with an unauthorized response.
  • The application then requests a service ticket from the KDC, e.g. Active Directory.
  • Once the required ticket is obtained, the application wraps it in a SPNEGO envelope and sends it to the web server to request the same page again.
  • The server then unpacks the envelope to retrieve the service ticket and uses it to authenticate the user.

Extracted from Jens Bo Friis's presentation on SPNEGO authentication using JGSS.



If you are interested in how Kerberos works, the following document illustrates the operation in a couple of simple diagrams.

A number of standards related to Kerberos authentication are available today:

  • RFC 4120 - The Kerberos Network Authentication Service (V5)
  • RFC 2743 - The Generic Security Services Application Program Interface (GSS-API)
  • RFC 4178 - The Simple and Protected GSS-API Negotiation Mechanism (SPNEGO)
  • RFC 4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows

Note: Microsoft supports RFC 4559, which describes Microsoft's variant of SPNEGO over HTTP with the ability to fall back to NTLM.
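As an added example (not code from the original page or from either cited source), the following Python inspects the client's Authorization: Negotiate header from the HTTP exchange described above and reports which mechanism the SPNEGO token leads with, so a server can tell a Kerberos ticket from the NTLM fallback that RFC 4559 allows before it accepts the token. It does not validate the ticket itself; the DER helpers, the mechanism names, the sample token and the "constructed-AP-REQ" payload are all constructed here for illustration.

```python
import base64

OIDS = {                                       # DER value bytes of mechanism OIDs in SPNEGO tokens
    bytes.fromhex("2b0601050502"): "spnego",            # 1.3.6.1.5.5.2 (RFC 4178)
    bytes.fromhex("2a864886f712010202"): "krb5",        # 1.2.840.113554.1.2.2 (Kerberos V5)
    bytes.fromhex("2a864882f712010202"): "ms-krb5",     # 1.2.840.48018.1.2.2 (Microsoft Kerberos)
    bytes.fromhex("2b06010401823702020a"): "ntlmssp",   # 1.3.6.1.4.1.311.2.2.10 (NTLM)
}
SPNEGO, KRB5, MS_KRB5, NTLMSSP = OIDS          # the keys above, in insertion order

def der_read(buf):                             # decode one DER TLV -> (tag, value, rest)
    n, off = buf[1], 2
    if n & 0x80:                               # long-form length: next n & 0x7F bytes
        k = n & 0x7F
        n, off = int.from_bytes(buf[2:2 + k], "big"), 2 + k
    return buf[0], buf[off:off + n], buf[off + n:]

def check_negotiate(header):
    """Inspect an 'Authorization: Negotiate <base64>' value: which mechanism leads, which are offered."""
    scheme, _, b64 = header.partition(" ")
    if scheme != "Negotiate":
        raise ValueError("not a Negotiate header")
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):       # raw NTLM, no GSS-API framing at all
        return {"lead": "ntlm-raw", "offered": ["ntlmssp"]}
    tag, body, _ = der_read(token)             # GSS-API InitialContextToken (RFC 2743)
    oid_tag, oid, inner = der_read(body)
    if tag != 0x60 or oid_tag != 0x06 or oid not in OIDS:
        raise ValueError("not a recognised GSS-API initial context token")
    if oid != SPNEGO:                          # bare Kerberos token, no negotiation wrapper
        return {"lead": OIDS[oid], "offered": [OIDS[oid]]}
    tag, neg_init, _ = der_read(inner)         # [0] NegTokenInit, a client's first token
    if tag != 0xA0:
        raise ValueError("expected NegTokenInit")
    _, seq, _ = der_read(neg_init)             # SEQUENCE { mechTypes [0], ..., mechToken [2] }
    _, mech_ctx, _ = der_read(seq)
    _, mech_list, _ = der_read(mech_ctx)       # SEQUENCE OF MechType, most preferred first
    mechs = []
    while mech_list:
        _, m, mech_list = der_read(mech_list)
        mechs.append(OIDS.get(m, "oid:" + m.hex()))
    return {"lead": mechs[0], "offered": mechs}

def der(tag, value):                           # encode one DER TLV (short-form length only)
    return bytes([tag, len(value)]) + value

# Constructed sample: a client offering Microsoft Kerberos first, with NTLM as the fallback.
_mechs = der(0xA0, der(0x30, b"".join(der(0x06, o) for o in (MS_KRB5, KRB5, NTLMSSP))))
_init = der(0xA0, der(0x30, _mechs + der(0xA2, der(0x04, b"constructed-AP-REQ"))))
SAMPLE_HEADER = "Negotiate " + base64.b64encode(der(0x60, der(0x06, SPNEGO) + _init)).decode()
```

check_negotiate(SAMPLE_HEADER) reports a lead of "ms-krb5" with "ntlmssp" further down the list; a lead of "ntlmssp" or "ntlm-raw" means the client has fallen back to NTLM, which is worth logging or rejecting on a site meant to accept only Kerberos.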