SPNEGO Extended Negotiation (NEGOEX) Security Mechanism

Document Type Expired Internet-Draft (individual)
Authors Michiko Short  , Larry Zhu  , Kevin Damour  , Dave McPherson 
Last updated 2011-01-03
Stream (None)
Intended RFC status (None)
Expired & archived
pdf htmlized (tools) htmlized bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


This document defines the SPNEGO Extended Negotiation (NEGOEX) Security Mechanism. NEGOEX enhances the capabilities of SPNEGO by providing a security mechanism which can be negotiated by the SPNEGO protocol as defined in RFC4178. The NEGOEX protocol itself is a security mechanism negotiated by SPNEGO. When the NEGOEX security mechanism is selected by SPNEGO, NEGOEX provides a method allowing selection of a common authentication protocol based on factors beyond just the fact that both client and server support a given security mechanism. NEGOEX OPTIONALLY adds a pair of meta-data messages for each negotiated security mechanism. The meta-data exchange allows security mechanisms to exchange auxiliary information such as trust configurations, thus NEGOEX provides more flexibility than just exchanging security mechanism OIDs in SPNEGO. NEGOEX preserves the optimistic token semantics of SPNEGO and applies that recursively. Consequently a context establishment mechanism token can be included in the initial NEGOEX message, and NEGOEX does not require an extra round-trip when the initiator's optimistic token is accepted by the target. Similar to SPNEGO, NEGOEX defines a few new GSS-API extensions that a security mechanism MUST support in order to be negotiated by NEGOEX. This document defines these GSS-API extensions. Unlike SPNEGO however, NEGOEX defines its own way for signing the protocol messages in order to protect the protocol negotiation. The NEGOEX message signing or verification can occur before the security context for the negotiated real security mechanism is fully established.


Michiko Short (michikos@microsoft.com)
Larry Zhu (lzhu@microsoft.com)
Kevin Damour (kdamour@microsoft.com)
Dave McPherson (davemm@microsoft.com)

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)