Snego, whose authentication service identifier is RPC_C_AUTHN_GSS_NEGOTIATE, does not actually provide authentication services itself. Instead, it takes a list of authentication services and negotiates a service that will work between the client and server. The authentication parameters are not used by Snego but are passed to the chosen authentication service, which does the actual authentication. Snego was standardized by the Internet Engineering Task Force (IETF) in December 1998, in document RFC 2478.
Snego is useful when you don't know what authentication services the remote computer can provide.
To use Snego, both the client and the server must specify Snego as the authentication service. The server specifies RPC_C_AUTHN_GSS_NEGOTIATE as the dwAuthnSvc member of one of the SOLE_AUTHENTICATION_SERVICE structures in the asAuthSvc array parameter that is passed to CoInitializeSecurity. The client can specify Snego by calling CoSetProxyBlanket and passing RPC_C_AUTHN_GSS_NEGOTIATE as the dwAuthnSvc parameter. The client should also provide a list of possible authentication services for Snego through the PackageList member of the SEC_WINNT_AUTH_IDENTITY_EX structure that is passed to the pAuthInfo parameter in the call to CoSetProxyBlanket. If pAuthInfo is NULL, Snego composes a list of authentication services from the security packages installed on the computer. Then Snego sends the list of authentication services to the server, compares the list to the server's available authentication services, and picks an authentication service to use for the connection.
Schannel cannot be on the list of authentication services that Snego uses.
Clients can also specify Snego when they call CoInitializeSecurity. The dwAuthnSvc and pAuthInfo parameters of CoSetProxyBlanket become members of a SOLE_AUTHENTICATION_INFO structure that is passed to CoInitializeSecurity through its pAuthList parameter. The details of the values of those members are the same as described in the preceding paragraph.
If Snego is used, calls to CoQueryProxyBlanket or CoQueryClientBlanket will return Snego as the authentication service, rather than the actual authentication service that Snego picked for establishing the connection.