Microsoft Negotiate is a security support provider (SSP) that acts as an application layer between the Security Support Provider Interface (SSPI) and the other SSPs. When an application calls into SSPI to log on to a network, it can specify an SSP to process the request. If the application specifies Negotiate, Negotiate analyzes the request and picks the best SSP to handle the request based on customer-configured security policy.
Currently, the Negotiate security package selects between Kerberos and NTLM. Negotiate selects Kerberos unless it cannot be used by one of the systems involved in the authentication or the calling application did not provide sufficient information to use Kerberos.
To allow Negotiate to select the Kerberos security provider, the client application must provide a service principal name (SPN), a user principal name (UPN), or a NetBIOS account name as the target name. Otherwise, Negotiate always selects the NTLM security provider.
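The selection rule above can be turned into an audit of the target names that applications pass to SSPI, to find callers that will always land on NTLM. The following Python sketch is an added example, not Microsoft code. Its regular expressions for the three name forms, the function names, and the sample inventory are assumptions constructed for illustration.

```python
import re

# Heuristic shapes for the three target-name forms the page lists. These
# patterns are assumptions of this example, not Negotiate's own parsing rules.
FORMS = [
    ("SPN", re.compile(r"^[A-Za-z0-9_.-]+/[^/\s:@\\]+(:[^/\s]+)?(/\S+)?$")),
    ("UPN", re.compile(r"^[^@\\/\s]+@[^@\\/\s]+$")),
    ("NetBIOS account name", re.compile(r"^[^\\/@\s]{1,15}\\[^\\/@\s]+$")),
]

def classify_target(name):
    """Return the target-name form, or None if it matches none of the three."""
    name = (name or "").strip()
    for label, pattern in FORMS:
        if pattern.match(name):
            return label
    return None

def predict_package(target, kerberos_usable=True):
    """Apply the page's rule; returns (package, reason)."""
    form = classify_target(target)
    if form is None:
        return "NTLM", "target name is not an SPN, UPN, or NetBIOS account name"
    if not kerberos_usable:
        # Stands in for "cannot be used by one of the systems involved".
        return "NTLM", "Kerberos unavailable on one of the systems"
    return "Kerberos", "target name form: " + form

def audit(inventory):
    """Names of inventory entries whose target name forces NTLM."""
    return [app for app, target in inventory
            if predict_package(target)[0] == "NTLM"]

# Constructed sample inventory: (application, target name it passes to SSPI).
INVENTORY = [
    ("intranet", "HTTP/portal.corp.example"),
    ("sql-report", "MSSQLSvc/db01.corp.example:1433"),
    ("file-copy", "svc_copy@corp.example"),
    ("scanner", "CORP\\svc_scan"),
    ("backup-agent", "10.20.30.40"),
    ("legacy-sync", ""),
]

if __name__ == "__main__":
    for app, target in INVENTORY:
        package, reason = predict_package(target)
        print(f"{app:13} {target!r:36} -> {package}: {reason}")
```

A target name that matches one of the three forms only makes Kerberos eligible; the `kerberos_usable` flag models the other condition under which Negotiate still selects NTLM.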
A server that uses the Negotiate package is able to respond to client applications that specifically select either the Kerberos or NTLM security provider. However, a client application must know that a server supports the Negotiate package to request authentication using Negotiate. A server that does not support Negotiate cannot always respond to requests from clients that specify Negotiate as the SSP.
Reasons to Use the Negotiate Package
- Allows the system to use the strongest (most secure) available protocol.
- Ensures forward compatibility for your application.
- Ensures that your application exhibits behavior that is in accordance with the security policy set by the customer.