You can create security mechanism policies to restrict the mechanisms available to users when they log on to the database.
Users who are members of at least one policy can use only the mechanisms in which they have membership. Users who are not members of any security mechanism policy are not restricted in their use of security mechanisms.
The TDNEGO mechanism itself is not restricted by security mechanism policy, but the mechanisms it selects may be. Users do not need permission to use TDNEGO, but they must be permitted to use the mechanisms that TDNEGO might negotiate for them, so they need to be members of the mechanisms they want TDNEGO to pick. For example, if a user’s mechanism policy permits KRB5 and LDAP, then TDNEGO will restrict the user to those mechanisms.
To create a mechanism policy:
- Create the mechanisms container. See Creating the Mechanisms Container.
- Create mechanism objects in the mechanisms container. See Creating Mechanism Objects in the Mechanisms Container.
- Specify the users that are members of the mechanism. See Adding Member Users to a Mechanism Policy.
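The membership rules above can be checked offline against an export of mechanism members before a policy goes live. The following is an added example, not code from the product: it models the rules as stated on this page, and the names `allowed_mechanisms`, `logon_mechanism`, `unrestricted_users`, the sample users, and the TDNEGO preference order are assumptions made for illustration.

```python
from typing import Dict, Iterable, List, Optional, Sequence, Set

# Constructed sample: mechanism name -> users that are members of it.
POLICY: Dict[str, Set[str]] = {
    "KRB5": {"alice", "bob"},
    "LDAP": {"alice"},
}
# Assumed order in which TDNEGO would try mechanisms (illustrative only).
NEGOTIABLE: Sequence[str] = ("TD2", "KRB5", "LDAP")


def allowed_mechanisms(user: str, policy: Dict[str, Set[str]]) -> Optional[Set[str]]:
    """Mechanisms the user is limited to, or None when the user is in no
    policy at all and is therefore not restricted."""
    member_of = {mech for mech, members in policy.items() if user in members}
    return member_of or None


def logon_mechanism(user: str, requested: str, policy: Dict[str, Set[str]],
                    negotiable: Sequence[str] = NEGOTIABLE) -> Optional[str]:
    """Mechanism the logon would end up using, or None if policy blocks it."""
    allowed = allowed_mechanisms(user, policy)
    if requested == "TDNEGO":
        # TDNEGO is never restricted itself; only what it selects is.
        for mech in negotiable:
            if allowed is None or mech in allowed:
                return mech
        return None
    if allowed is None or requested in allowed:
        return requested
    return None


def unrestricted_users(users: Iterable[str], policy: Dict[str, Set[str]]) -> List[str]:
    """Users who belong to no mechanism and so bypass the policy entirely."""
    return sorted(u for u in users if allowed_mechanisms(u, policy) is None)


if __name__ == "__main__":
    for user, req in [("alice", "TDNEGO"), ("bob", "LDAP"), ("carol", "TD2")]:
        print(user, req, "->", logon_mechanism(user, req, POLICY))
    print("unrestricted:", unrestricted_users(["alice", "bob", "carol"], POLICY))
```

The `unrestricted_users` result is the list to review first: any account in it can still log on with every mechanism, because it is a member of none.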