Microsoft Negotiate is a security support provider (SSP) that acts as an application layer between the Security Support Provider Interface (SSPI) and the other SSPs. When an app calls into SSPI to sign in to a network, it can specify an SSP to process the request. If the app specifies Negotiate, Negotiate analyzes the request and picks the best SSP to handle it based on the customer-configured security policy.
Currently, the Negotiate security package selects between Kerberos and NTLM. Negotiate selects Kerberos unless one of the following conditions applies:
Kerberos can't be used by one of the systems involved in the authentication.
The calling app didn't provide sufficient information to use Kerberos.
To allow Negotiate to select the Kerberos security provider, the client app must provide one of the following:
Otherwise, Negotiate always selects the NTLM security provider.
A server that uses the Negotiate package is able to respond to client apps that specifically select either the Kerberos or NTLM security provider. However, a client app must know that a server supports the Negotiate package to request authentication using Negotiate. A server that doesn't support Negotiate can't always respond to requests from clients that specify Negotiate as the SSP.
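To see which provider Negotiate actually settled on for a given logon, here is an added PowerShell example (not from this page or from Microsoft) that reads the Security log's 4624 logon events and reports Kerberos versus an NTLM fallback; the field names are the real 4624 EventData names, while the two sample events, user names and host names are constructed.

```powershell
# Added example (not from the Microsoft page): see which provider Negotiate actually
# settled on for network logons by reading the Security log's 4624 events. The EventData
# names used here (AuthenticationPackageName, LogonProcessName, LmPackageName, ...) are
# the real 4624 field names; the two sample events at the bottom are constructed.

function Get-NegotiateOutcome {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string[]]$EventXml)
    process {
        foreach ($s in $EventXml) {
            $d = @{}
            foreach ($n in ([xml]$s).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            # Kerberos: both systems could use it and the caller supplied enough information.
            # NTLM: Negotiate fell back, as described for the two conditions on this page.
            $outcome = switch ($d['AuthenticationPackageName']) {
                'Kerberos' { 'Kerberos' }
                'NTLM'     { "NTLM ($($d['LmPackageName']))" }
                default    { $_ }
            }
            [pscustomobject]@{
                User        = $d['TargetUserName']
                Workstation = $d['WorkstationName']
                LogonType   = $d['LogonType']
                LogonProc   = $d['LogonProcessName']
                Outcome     = $outcome
            }
        }
    }
}

# Constructed sample events (abridged to the fields the function reads).
$samples = @(
@'
<Event><System><EventID>4624</EventID></System><EventData>
<Data Name="TargetUserName">svc-web</Data><Data Name="WorkstationName">WEB01</Data>
<Data Name="LogonType">3</Data><Data Name="LogonProcessName">Kerberos</Data>
<Data Name="AuthenticationPackageName">Kerberos</Data><Data Name="LmPackageName">-</Data>
</EventData></Event>
'@,
@'
<Event><System><EventID>4624</EventID></System><EventData>
<Data Name="TargetUserName">jdoe</Data><Data Name="WorkstationName">LAPTOP7</Data>
<Data Name="LogonType">3</Data><Data Name="LogonProcessName">NtLmSsp</Data>
<Data Name="AuthenticationPackageName">NTLM</Data><Data Name="LmPackageName">NTLM V2</Data>
</EventData></Event>
'@
)
$samples | Get-NegotiateOutcome | Format-Table -AutoSize

# Against the live log (elevated session), list logons where Negotiate ended up on NTLM:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 500 |
#   ForEach-Object { $_.ToXml() } | Get-NegotiateOutcome |
#   Where-Object Outcome -like 'NTLM*' | Format-Table -AutoSize
```

A steady stream of NTLM outcomes for accounts or servers that should be reachable by SPN is the signal that callers are not giving Negotiate enough information, or that one side cannot do Kerberos.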
Reasons to Use the Negotiate Package
Allows the system to use the most secure available protocol.
Ensures forward compatibility for the app.
Ensures that the app exhibits behavior that is in accordance with the security policy set by the customer.
This module focuses on maintaining security in an Active Directory environment. It covers things from permissions management to authentication methods to identifying problematic accounts.