> So what you are saying is that pre-authentication, there is a protocol
> negotiation phase that includes an exchange that will define the
> authentication scheme to be used.

SPNEGO is an RFC-defined mechanism to do exactly this. CAP_EXTENDED_SECURITY in nt5 SMB server uses SPNEGO, now. DCE/RPC uses some basic form of "hey, I'm going to use this encryption: like it or lump it" but at least you can dynamically say that different forms of encryption _can_ be used.
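
The negotiation described above, as an added example that is not part of the original post: a Python sketch that reads the mechanism list from an SPNEGO NegTokenInit (RFC 4178) and picks the first offered mechanism the acceptor allows. The token bytes are constructed for illustration and the function names are hypothetical.

```python
# Added example: parse the mechTypes list of an SPNEGO NegTokenInit (RFC 4178).
SPNEGO = "1.3.6.1.5.5.2"
KRB5, NTLMSSP = "1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"

# Constructed sample token: initiator offers Kerberos 5 first, then NTLMSSP.
SAMPLE_TOKEN = bytes.fromhex(
    "6027 06062b0601050502"          # [APPLICATION 0], SPNEGO OID
    "a01d 301b a019 3017"            # [0] NegTokenInit, SEQUENCE, [0] mechTypes
    "06092a864886f712010202"         # Kerberos 5
    "060a2b06010401823702020a")      # NTLMSSP

def dec_oid(body):
    """Decode DER OID content bytes into dotted form."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:              # high bit clear: last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos, want):
    """Return (content, next_pos); short-form DER lengths only in this sketch."""
    if pos + 2 > len(buf) or buf[pos] != want or buf[pos + 1] & 0x80:
        raise ValueError("unexpected or unsupported DER element")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("truncated element")
    return buf[pos + 2:end], end

def offered_mechs(token):
    """Mechanism OIDs in the initiator's preference order."""
    body, _ = read_tlv(token, 0, 0x60)
    oid, pos = read_tlv(body, 0, 0x06)
    if dec_oid(oid) != SPNEGO:
        raise ValueError("not an SPNEGO token")
    seq = read_tlv(read_tlv(body, pos, 0xA0)[0], 0, 0x30)[0]
    mech_seq = read_tlv(read_tlv(seq, 0, 0xA0)[0], 0, 0x30)[0]
    mechs, pos = [], 0
    while pos < len(mech_seq):
        oid, pos = read_tlv(mech_seq, pos, 0x06)
        mechs.append(dec_oid(oid))
    return mechs

def select_mech(offered, acceptor_allows):
    """First initiator-preferred mechanism the acceptor allows, else None."""
    return next((m for m in offered if m in acceptor_allows), None)
```

An acceptor whose policy set omits NTLMSSP gets `None` from `select_mech` when only NTLMSSP is offered, which is the point at which it would reject the negotiation instead of falling back.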