Using the SPNEGO Policy

Learn how to use the SPNEGO policy to authenticate a downstream service.


For information about using policies in the context of the developer portal, see Business Policies.

Table of Contents

  1. Introduction
  2. Configuration


Introduction

The SPNEGO policy is an Operational policy that implements the Microsoft-authored SPNEGO WS-Policy assertion. It states the requirement of supporting the SPNEGO Negotiate authentication scheme.

Not all services and their consumers can support both the NTLM and Kerberos options for SPNEGO. It is only required that both parties support at least one option in common. For example:

  • Intermediary for Microsoft (IMS) can support both.
  • Network Director can only support the Kerberos option.
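Whether a client and a service share an option can be checked from a captured `Authorization: Negotiate` header. The following is an added example, not code from Policy Manager or its documentation: it reads the mechanism list from the client's initial SPNEGO token and compares it with what the service supports. The function names and the two sample tokens are constructed for illustration.

```python
import base64

SPNEGO_OID = bytes.fromhex("2b0601050502")               # 1.3.6.1.5.5.2
MECHS = {  # keyed by DER content bytes; DER is canonical, so bytes compare safely
    bytes.fromhex("2a864886f712010202"): "Kerberos",     # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "Kerberos",     # 1.2.840.48018.1.2.2 (legacy Microsoft)
    bytes.fromhex("2b06010401823702020a"): "NTLM",       # 1.3.6.1.4.1.311.2.2.10
}

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated token")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long form: low bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated token")
    return tag, pos, pos + length

def offered_mechanisms(header_value):
    """Mechanisms a client offers in an 'Authorization: Negotiate <token>' value."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    tok = base64.b64decode(b64)
    if tok.startswith(b"NTLMSSP\x00"):                   # raw NTLM, no SPNEGO wrapper
        return ["NTLM"]
    pos = 0
    for want in (0x60, 0x06, 0xA0, 0x30, 0xA0, 0x30):    # path down to mechTypes
        tag, start, end = _tlv(tok, pos)
        if tag != want or (tag == 0x06 and tok[start:end] != SPNEGO_OID):
            raise ValueError("not a SPNEGO NegTokenInit")
        pos = end if tag == 0x06 else start              # step past the OID, else descend
    names = []
    while pos < end:
        _, start, pos = _tlv(tok, pos)
        names.append(MECHS.get(tok[start:pos], "other"))
    return list(dict.fromkeys(names))                    # de-duplicate, keep client order

def common_mechanism(header_value, service_supports):
    """First offered mechanism the service also supports, or None if there is none."""
    return next((m for m in offered_mechanisms(header_value) if m in service_supports), None)

def negotiate_header(hex_token):  # helper for the constructed samples below
    return "Negotiate " + base64.b64encode(bytes.fromhex(hex_token)).decode()
BOTH = negotiate_header("602706062b0601050502a01d301ba019301706092a864886f712010202060a2b06010401823702020a")
NTLM_ONLY = negotiate_header("601c06062b0601050502a0123010a00e300c060a2b06010401823702020a")
```

For a Kerberos-only service such as Network Director, `common_mechanism(NTLM_ONLY, {"Kerberos"})` returns `None`, which is the case where negotiation cannot succeed.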

The subject category of the identity used in the negotiation is End-User and is not configurable.

The Kerberos Support in Policy Manager 7.1 and Kerberos Support in Policy Manager 8.0 documents include a variety of different Kerberos usage scenarios that illustrate usage of the SPNEGO Policy.


Configuration

Let's take a quick walkthrough of the SPNEGO Policy configuration process to get you started.

Step 1: Add Policy / Use System Policy

  • In Policy Manager, to create an SPNEGO Policy instance, go to Policies > Operational Policies and choose Add Policy.

Note: The SPNEGO Policy does not require any configuration.

Step 2: Attach Policy

After you've saved your policy, you can attach it to a downstream web service or operation that you would like to capture roll-up data for.

Step 3: Test Policy and View Monitoring Data

After you've attached the SPNEGO Policy to a service or operation, send a request to your service and go to the Services > Monitoring section to view the results for Logs, Real Time Charts, and Historical Charts. For more information on using the monitoring functions, refer to the Policy Manager Online Help, available via the Help button.
