TDNEGO automatically determines the correct mechanism to use in the following situations:
- If a user is not sure which security mechanism is required by mechanism policy in the external directory the user can select TDNEGO.
- If a user has different passwords for Kerberos and LDAP and is not sure which password goes with which mechanism the user can select TDNEGO.
- If a user wants to do a single sign-on (SSO) but does not know which mechanisms support SSO the user can select TDNEGO without providing credentials and TDNEGO automatically uses the appropriate mechanism.
- If a client application does not support mechanism selection, the site can set the default negotiating mechanism to TDNEGO at either the client or at the server.