In addition to supporting Kerberos through its Active Directory service,
Microsoft has provided extensions to Internet Explorer that allow it to
participate in a Kerberos-based Single Sign-On (SSO) environment. When a
Web server receives a request from an Internet Explorer browser, it can ask
the browser to authenticate itself using the SPNEGO protocol. SPNEGO performs
a Kerberos authentication over HTTP and allows Internet Explorer to pass a
delegated credential, so that the web application can log in to subsequent
Kerberized services on the user's behalf.

When an HTTP server wishes to perform SPNEGO, it returns a "401
Unauthorized" response to the HTTP request carrying the "WWW-Authenticate:
Negotiate" header. Internet Explorer then contacts the Ticket Granting
Service (TGS) to obtain a service ticket. It chooses a special Service
Principal Name for the ticket request, which is:

The returned ticket is then wrapped in a SPNEGO token, which is encoded and
sent back to the server in the "Authorization: Negotiate" header of a new
HTTP request. The server unwraps the token and authenticates the ticket. If
mutual authentication is required, the web server returns an additional
SPNEGO token for the client to verify. Once the client is authenticated, the
page corresponding to the requested URL is returned.

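The exchange described above, seen from the server side, as an added example that is not part of the original text: a small Python classifier for the client's reply. It parses the base64 token from an "Authorization: Negotiate" header and reports whether the token really carries Kerberos, or whether the browser fell back to NTLM (which Windows clients do, still under the Negotiate scheme, when they cannot obtain a ticket for the server's Service Principal Name). The OID table, the minimal BER walker and the three sample headers are constructed for this example; the mechToken bodies are placeholders rather than real tickets or NTLM messages, and the code does no ticket verification, which in a real deployment is done by the server's GSS-API or SSPI library.

```python
import base64

# GSS-API mechanisms seen under the Negotiate scheme: dotted OID -> (name, DER content octets)
MECHS = {
    "1.3.6.1.5.5.2": ("SPNEGO", "2b0601050502"),
    "1.2.840.113554.1.2.2": ("Kerberos V5", "2a864886f712010202"),
    "1.2.840.48018.1.2.2": ("Kerberos V5 (Microsoft legacy OID)", "2a864882f712010202"),
    "1.3.6.1.4.1.311.2.2.10": ("NTLMSSP", "2b06010401823702020a"),
}
KERBEROS_OIDS = {"1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2"}

def name_of(oid: str) -> str:
    return MECHS[oid][0] if oid in MECHS else oid

def decode_oid(raw: bytes) -> str:
    """BER OID content octets -> dotted form, e.g. 2b 06 01 05 05 02 -> 1.3.6.1.5.5.2."""
    arcs, value = [], 0
    for b in raw:
        value = (value << 7) | (b & 0x7F)
        if b & 0x80:                        # continuation bit: more base-128 digits follow
            continue
        if arcs:
            arcs.append(value)
        else:                               # first subidentifier packs two arcs as 40*x + y
            arcs.extend((value // 40, value % 40) if value < 80 else (2, value - 80))
        value = 0
    return ".".join(map(str, arcs))

def read_tlv(buf: bytes, pos: int = 0):
    """Read one BER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated token")
    return tag, value, pos + length

def children(buf: bytes):
    pos = 0                                 # yield (tag, value) for each TLV in a constructed value
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value

def classify_negotiate(header_value: str) -> dict:
    """Report which mechanism an 'Authorization: Negotiate <base64>' value really carries."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header: " + scheme)
    token = base64.b64decode(b64)
    report = {"outer": None, "mech_types": [], "preferred": None, "sso_degraded": True}
    if token.startswith(b"NTLMSSP\x00"):     # bare NTLM message sent under the Negotiate scheme
        report["outer"] = report["preferred"] = "NTLMSSP"
        return report
    tag, inner, _ = read_tlv(token)
    if tag != 0x60:                         # [APPLICATION 0] InitialContextToken (RFC 2743, 3.1)
        raise ValueError("not a GSS-API InitialContextToken")
    oid_tag, oid_bytes, after_oid = read_tlv(inner)
    if oid_tag != 0x06:
        raise ValueError("mechanism OID missing")
    outer_oid = decode_oid(oid_bytes)
    report["outer"] = name_of(outer_oid)
    if outer_oid in KERBEROS_OIDS:          # raw Kerberos token: the AP-REQ follows the OID
        report["preferred"], report["sso_degraded"] = report["outer"], False
    elif outer_oid == "1.3.6.1.5.5.2":
        # NegotiationToken ::= CHOICE { negTokenInit [0] SEQUENCE { mechTypes [0] SEQUENCE OF OID, ... } }
        choice_tag, neg_init, _ = read_tlv(inner, after_oid)
        if choice_tag == 0xA0:
            for field_tag, field in children(read_tlv(neg_init)[1]):
                if field_tag == 0xA0:
                    oids = [decode_oid(v) for t, v in children(read_tlv(field)[1]) if t == 0x06]
                    report["mech_types"] = [name_of(o) for o in oids]
                    if oids:                # the mechToken belongs to the first listed mechanism
                        report["preferred"] = report["mech_types"][0]
                        report["sso_degraded"] = oids[0] not in KERBEROS_OIDS
    return report

# --- constructed sample headers; the mechToken bodies are placeholders, not real tickets ---
def tlv(tag: int, value: bytes) -> bytes:
    assert len(value) < 0x80                # short length form is enough for these samples
    return bytes([tag, len(value)]) + value

def spnego_init_header(mech_oids, mech_token: bytes) -> str:
    mech_list = tlv(0x30, b"".join(tlv(0x06, bytes.fromhex(MECHS[o][1])) for o in mech_oids))
    neg_init = tlv(0x30, tlv(0xA0, mech_list) + tlv(0xA2, tlv(0x04, mech_token)))
    token = tlv(0x60, tlv(0x06, bytes.fromhex(MECHS["1.3.6.1.5.5.2"][1])) + tlv(0xA0, neg_init))
    return "Negotiate " + base64.b64encode(token).decode()

SAMPLE_KERBEROS = spnego_init_header(
    ["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"], b"<AP-REQ>")
SAMPLE_NTLM_IN_SPNEGO = spnego_init_header(["1.3.6.1.4.1.311.2.2.10"], b"NTLMSSP\x00\x01\x00\x00\x00")
SAMPLE_RAW_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(27)).decode()

if __name__ == "__main__":
    for hdr in (SAMPLE_KERBEROS, SAMPLE_NTLM_IN_SPNEGO, SAMPLE_RAW_NTLM):
        print(classify_negotiate(hdr))
```

Logging the `sso_degraded` flag per request is a cheap check that the Service Principal Name is registered and that clients really are using Kerberos; NTLM turning up under the Negotiate scheme usually means the SPN is missing or duplicated, or that the server was reached by an address rather than the name the SPN was registered for.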
SPNEGO provides a useful mechanism for extending a Single Sign-On
environment to Web applications. It is already supported in Microsoft IIS
for authentication to ASP or Web pages. In addition, the ability to delegate
credentials means that a web application can log in to further services
transparently on the user's behalf, providing full end-to-end
authentication. Lastly, SPNEGO over HTTP can be used for authentication with
Microsoft .NET SOAP clients, providing Single Sign-On for Web services.