Microsoft Negotiate

Microsoft Negotiate is a security support provider (SSP) that acts as an application layer between Security Support Provider Interface (SSPI) and the other SSPs. When an app calls into SSPI to sign-in a network, it can specify an SSP to process the request. If the app specifies Negotiate, Negotiate analyzes the request and picks the best SSP to handle the request based on customer-configured security policy.

Currently, the Negotiate security package selects between Kerberos and NTLM. Negotiate selects Kerberos unless one of the following conditions applies:

• It can't be used by one of the systems involved in the authentication.
• The calling app didn't provide sufficient information to use Kerberos.

To allow Negotiate to select the Kerberos security provider, the client app must provide one of the following:

• A service principal name (SPN).
• A user principal name (UPN).
• A NetBIOS account name as the target name.

Otherwise, Negotiate always selects the NTLM security provider.

A server that uses the Negotiate package is able to respond to client apps that specifically select either the Kerberos or NTLM security provider. However, a client app must know that a server supports the Negotiate package to request authentication using Negotiate. A server that doesn't support Negotiate can't always respond to requests from clients that specify Negotiate as the SSP.

• Allows the system to use the most secure available protocol.
• Ensures forward compatibility for the app.
• Ensures that the app exhibits behavior that is in accordance with the security policy set by the customer.