Microsoft Negotiate is a security support provider (SSP) that acts as an application layer between Security Support Provider Interface (SSPI) and the other SSPs. When an app calls into SSPI to sign-in a network, it can specify an SSP to process the request. If the app specifies Negotiate, Negotiate analyzes the request and picks the best SSP to handle the request based on customer-configured security policy.
Currently, the Negotiate security package selects between Kerberos and NTLM. Negotiate selects Kerberos unless one of the following conditions applies:
- It can't be used by one of the systems involved in the authentication.
- The calling app didn't provide sufficient information to use Kerberos.
To allow Negotiate to select the Kerberos security provider, the client app must provide one of the following:
- A service principal name (SPN).
- A user principal name (UPN).
- A NetBIOS account name as the target name.
Otherwise, Negotiate always selects the NTLM security provider.
A server that uses the Negotiate package is able to respond to client apps that specifically select either the Kerberos or NTLM security provider. However, a client app must know that a server supports the Negotiate package to request authentication using Negotiate. A server that doesn't support Negotiate can't always respond to requests from clients that specify Negotiate as the SSP.
Reasons to Use the Negotiate Package
- Allows the system to use the most secure available protocol.
- Ensures forward compatibility for the app.
- Ensures that the app exhibits behavior that is in accordance with the security policy set by the customer.