Spnego is an SPNEGO and Kerberos plugin for Glassfish. SPNEGO stands for Simple and Protected GSSAPI Negotiation Mechanism. SPNEGO is a standard GSSAPI pseudo-mechanism for peers to determine which GSSAPI mechanisms are shared, select one and then establish a security context with it. Kerberos is a computer network authentication protocol which allows individuals communicating over an insecure network to prove their identity to one another in a secure manner.
While SPNEGO as a protocol can work with Kerberos and NTLM, this implementation only works with Kerberos.
If you have an existing security infrastructure based around Kerberos, it makes sense to use it wherever you can.
Kerberos provides Single Sign On out of the box. Many standard Unix services such as ssh are Kerberised. So are many commercial applications.
Apache is Kerberised with the mod_auth_kerb module.
Using SPNEGO with a JMAC-compliant application server extends the single sign-on capability to that server.
For SPNEGO to authenticate you need a Kerberos ticket from a Kerberos Key Distribution Centre. This is always for a particular Kerberos domain.
This effectively limits the usefulness of SPNEGO to in-house situations.
Kerberos configuration is required on the client. Depending on the browser, browser configuration is also required.
In some situations it may be impractical to require these configurations.