SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows
RFC 4559

Document type: RFC - Informational (June 2006; Errata)
Document stream: ISE
Last updated: 2013-03-02

ISE State: (None)
Document shepherd: No shepherd assigned

IESG State: RFC 4559 (Informational)
Responsible AD: Scott Hollenbeck
Send notices to: karthikj@microsoft.com

Network Working Group                                      K. Jaganathan
Request for Comments: 4559                                        L. Zhu
Category: Informational                                        J. Brezak
                                                   Microsoft Corporation
                                                               June 2006

           SPNEGO-based Kerberos and NTLM HTTP Authentication
                          in Microsoft Windows

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This document describes how the Microsoft Internet Explorer (MSIE)
   and Internet Information Services (IIS) incorporated in Microsoft
   Windows 2000 use Kerberos for security enhancements of web
   transactions.  The Hypertext Transport Protocol (HTTP) auth-scheme of
   "negotiate" is defined here; when the negotiation results in the
   selection of Kerberos, the security services of authentication and,
   optionally, impersonation (the IIS server assumes the windows
   identity of the principal that has been authenticated) are performed.
   This document explains how HTTP authentication utilizes the Simple
   and Protected GSS-API Negotiation mechanism.  Details of Simple And
   Protected Negotiate (SPNEGO) implementation are not provided in this
   document.

Table of Contents

   1. Introduction ....................................................2
   2. Conventions Used in This Document ...............................2
   3. Access Authentication ...........................................2
      3.1. Reliance on the HTTP/1.1 Specification .....................2
   4. HTTP Negotiate Authentication Scheme ............................2
      4.1. The WWW-Authenticate Response Header .......................2
   5. Negotiate Operation Example .....................................4
   6. Security Considerations .........................................5
   7. Normative References ............................................6

Jaganathan, et al.           Informational                      [Page 1]
RFC 4559        HTTP Authentication in Microsoft Windows       June 2006

1.  Introduction

   Microsoft has provided support for Kerberos authentication in
   Microsoft Internet Explorer (MSIE) and Internet Information Services
   (IIS), in addition to other mechanisms.  This provides the benefits
   of the Kerberos v5 protocol for Web applications.

   Support for Kerberos authentication is based on other previously
   defined mechanisms, such as the Simple and Protected Negotiation
   mechanism (SPNEGO) [RFC4178] and the Generic Security Services
   Application Program Interface (GSS-API).

2.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" are to
   be interpreted as described in [RFC2119].

3.  Access Authentication

3.1.  Reliance on the HTTP/1.1 Specification

   This specification is a companion to the HTTP/1.1 specification
   [RFC2616], and it builds on the authentication mechanisms defined in
   [RFC2617].  It uses the augmented BNF section of that document (2.1),
   and it relies on both the non-terminals defined in that document and
   other aspects of the HTTP/1.1 specification.

4.  HTTP Negotiate Authentication Scheme

   Use of Kerberos is wrapped in an HTTP auth-scheme of "Negotiate".
   The auth-params exchanged use data formats defined for use with the
   GSS-API [RFC2743].  In particular, they follow the formats set for
   the SPNEGO [RFC4178] and Kerberos [RFC4121] mechanisms for GSSAPI.
   The "Negotiate" auth-scheme calls for the use of SPNEGO GSSAPI tokens
   that the specific mechanism type specifies.

   The current implementation of this protocol is limited to the use of
   SPNEGO with the Kerberos and Microsoft NTLM (NT LAN Manager)
   protocols.

4.1.  The WWW-Authenticate Response Header

   If the server receives a request for an access-protected object, and
   if an acceptable Authorization header has not been sent, the server
   responds with a "401 Unauthorized" status code, and a "WWW-
   Authenticate:" header as per the framework described in [RFC2616].
   The initial WWW-Authenticate header will not carry any gssapi-data.
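   The following Python program is an added illustration, not part of
   RFC 4559 or of any Microsoft implementation.  It applies the two
   rules stated in Sections 4 and 4.1 from the server's side: the
   initial challenge is the bare auth-scheme "Negotiate" with no
   gssapi-data, and a client's Authorization header must carry the
   scheme plus one base64 token.  It then looks at the head of the
   decoded token to tell which mechanism the client actually used,
   since "Negotiate" alone does not say whether Kerberos or NTLM was
   selected.  The mechanism OIDs (SPNEGO 1.3.6.1.5.5.2 from RFC 4178,
   Kerberos V5 1.2.840.113554.1.2.2 from RFC 4121) and the NTLMSSP
   signature are taken from those specifications, not from this
   document; the sample tokens are constructed here for the demo and
   are not real captures.

```python
import base64
import re

# DER-encoded mechanism OIDs (from RFC 4178 / RFC 4121, not from RFC 4559).
SPNEGO_OID = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")   # 1.2.840.113554.1.2.2
# Every NTLMSSP message starts with this 8-byte signature.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

# auth-scheme, optionally followed by exactly one base64 gssapi-data token.
_AUTH_RE = re.compile(
    r"^\s*(?P<scheme>[A-Za-z][A-Za-z0-9._-]*)(?:\s+(?P<data>[A-Za-z0-9+/=]+))?\s*$")


def parse_negotiate_header(value):
    """Split 'Negotiate [gssapi-data]' into (scheme, token bytes or None).
    Raises ValueError for other schemes, malformed text or bad base64."""
    m = _AUTH_RE.match(value)
    if not m:
        raise ValueError("malformed auth header")
    scheme = m.group("scheme")
    if scheme.lower() != "negotiate":
        raise ValueError("unsupported auth-scheme: %s" % scheme)
    data = m.group("data")
    if data is None:
        return scheme, None
    # validate=True makes non-alphabet characters an error instead of being skipped
    return scheme, base64.b64decode(data, validate=True)


def is_initial_challenge(value):
    """True when a WWW-Authenticate value is the bare 'Negotiate' challenge
    (Section 4.1: the initial header carries no gssapi-data)."""
    try:
        scheme, token = parse_negotiate_header(value)
    except ValueError:
        return False
    return token is None


def _der_body(buf, offset):
    """Return the bytes that follow the DER length field starting at offset."""
    first = buf[offset]
    if first < 0x80:                      # short form: one length byte
        return buf[offset + 1:]
    return buf[offset + 1 + (first & 0x7F):]   # long form: skip the length bytes


def classify_token(token):
    """Name the mechanism at the head of a Negotiate token:
    'ntlm-raw', 'spnego', 'kerberos' or 'unknown'."""
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm-raw"
    if len(token) >= 2 and token[0] == 0x60:   # GSS-API InitialContextToken tag
        body = _der_body(token, 1)
        if body.startswith(b"\x06" + bytes([len(SPNEGO_OID)]) + SPNEGO_OID):
            return "spnego"
        if body.startswith(b"\x06" + bytes([len(KRB5_OID)]) + KRB5_OID):
            return "kerberos"
    return "unknown"


def audit_authorization(value):
    """Label an Authorization header value, or return 'rejected' when it is
    not a well-formed Negotiate header that carries a token."""
    try:
        scheme, token = parse_negotiate_header(value)
    except ValueError:
        return "rejected"
    if token is None:
        return "rejected"          # a client response must carry gssapi-data
    return classify_token(token)


# --- constructed sample tokens (not real captures) ---------------------------
def _gss_initial_token(mech_oid, inner):
    """Wrap OID + inner bytes in InitialContextToken framing (tag 0x60,
    short-form length) for the constructed samples below."""
    body = b"\x06" + bytes([len(mech_oid)]) + mech_oid + inner
    assert len(body) < 0x80
    return b"\x60" + bytes([len(body)]) + body


SAMPLE_NTLM_B64 = base64.b64encode(
    NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00\x07\x82\x08\xa2").decode()
SAMPLE_SPNEGO_B64 = base64.b64encode(_gss_initial_token(SPNEGO_OID, b"\xa0\x00")).decode()
SAMPLE_KRB5_B64 = base64.b64encode(_gss_initial_token(KRB5_OID, b"\x01\x00")).decode()

if __name__ == "__main__":
    print("initial challenge ok:", is_initial_challenge("Negotiate"))
    for label, b64 in (("ntlm", SAMPLE_NTLM_B64), ("spnego", SAMPLE_SPNEGO_B64),
                       ("krb5", SAMPLE_KRB5_B64)):
        print(label, "->", audit_authorization("Negotiate " + b64))
    print("basic ->", audit_authorization("Basic dXNlcjpwYXNz"))
```

   The classifier only reads the outermost mechanism OID.  When the
   token is SPNEGO, the mechanism finally chosen (Kerberos or NTLM) is
   inside the NegTokenInit/NegTokenResp structures defined by
   [RFC4178], which this document deliberately does not describe; a
   server that wants to log or refuse NTLM fallback has to parse that
   inner structure as well.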
