QOP enforcement varies depending on the authentication mechanism used for the session, as shown in the following table.
| Mechanism | Enforcement Considerations |
|---|---|
| All mechanisms (without PROXY connection) | If the client does not specify confidentiality or integrity for a session, but a confidentiality or integrity QOP policy applies to the session, the system uses the applicable confidentiality or integrity. Involvement of specific security mechanisms can affect how the policy is enforced. |
| TD2, LDAP, and JWT | If the client specifies confidentiality or integrity, the system defaults to the DEFAULT QOP. If an applicable QOP policy requires a stronger QOP than the default, the system uses the stronger QOP. |
| Kerberos | If the client specifies, or applicable policy requires, confidentiality or integrity, the system uses it. However, the QOP is determined by Kerberos, regardless of the default QOP or the QOP specified in the applicable policy. |
| SPNEGO |