Using the SPNEGO Policy

Learn how to use the SPNEGO policy to authenticate a downstream service.

For information about using policies in the context of the developer portal, see Business Policies.

Table of Contents

  1. Introduction
  2. Configuration
  3. Activating a policy
  4. Attaching a policy


The SPNEGO policy is an Operational policy that implements the Microsoft-authored SPNEGO WS-Policy assertion (see It states the requirement of supporting the SPNEGO Negotiate authenticate scheme.

Not all services and their consumers can support both the NTLM and Kerberos options for SPNEGO. It is only required that both parties support at least one option in common. For example:

  • Intermediary for Microsoft (IMS) can support both.
  • Network Director can only support the Kerberos option.

The subject category of the identity used in the negotiation is End-User and is not configurable.

The Kerberos Support in Policy Manager 7.1 and Kerberos Support in Policy Manager 8.0 documents include a variety of different Kerberos usage scenarios that illustrate usage of the SPNEGO Policy.


Let's take a quick walkthrough of the SPNEGO Policy configuration process to get you started.

Step 1: Add Policy / Use System Policy

  • In Policy Manager, to create an SPNEGO Policy instance, go to Policies > Operational Policies and choose Add Policy.

Note: The SPNEGO Policy does not require any configuration.

Step 2: Attach Policy

After you've saved your policy, activate it. You can then attach it to a downstream web service or operation that you would like to capture roll-up data for.

Step 3: Test Policy and View Monitoring Data

After you've attached the SPNEGO Policy to a service or operation, send a request to your service and go to the Services > Monitoring section to view the results for Logs, Real Time Charts, and Historical Charts. For more information on using the monitoring functions, refer to the Policy Manager Online Help, available via the Help button.

Back to top

Activating a policy

When you create and configure a policy, the policy is in Draft state. When the policy configuration is complete, activate the policy: click Activate Policy and then confirm. See Activate a Policy.

A policy in Draft state is not available for general use. Once you activate the policy, it is in Active state and is available for use.

Back to top

Attaching a policy

To use the policy, go to the Policies folder in the respective organization and attach the policy to a web service, binding, or binding operation.

Back to top