Users that are members of at least one policy can only use mechanisms in which they have membership. Users that are not members of any security mechanism policy are not restricted in their use of security mechanisms.
The TDNEGO mechanism itself is not restricted by security mechanism policy, but the mechanisms it selects may be restricted. Users do not have to be permitted to use TDNEGO, but they do have to be permitted to use mechanisms that TDNEGO might negotiate for them. This means that users need to be members of the mechanisms they want TDNEGO to select for them. For example, if a user’s mechanism policy permits KRB5 and LDAP, then TDNEGO restricts the user to those mechanisms.
