TDNEGO results in a mechanism other than TDNEGO being used, so the following applies:
- A user must not be restricted to using only TDNEGO in the network security policy, because TDNEGO always selects another mechanism; the user must be allowed to use the selected mechanism, or else the logon is not allowed.
- It is allowed, but not required, to add TDNEGO to the list of mechanisms a user is allowed to use; however, it is recommended that TDNEGO not be specified as an allowed mechanism in the directory.
- Concerning QOP and enforced network security policy, note that QOP is not supported by all mechanisms. TDNEGO is one of the mechanisms that does not support QOP. However, any QOP restrictions in the security policy for the mechanism selected by TDNEGO do apply. For example, if TDNEGO selects TD2, and the security policy requires the user to use high level encryption, then that will be enforced.
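The three rules above can be checked mechanically. The following is an added illustration, not Teradata code: it models a per-user policy, resolves TDNEGO to the mechanism it actually selected, and then applies the allowed-mechanism and QOP checks to that selected mechanism. The `UserPolicy` and `Logon` structures, the QOP level names (LOW/MEDIUM/HIGH) and the assumption that only TD2 is QOP-capable are constructed for this example; the text itself only states that TD2 is subject to QOP enforcement and that TDNEGO does not support QOP.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed for this example (not Teradata code). Assumption: TD2 is the only
# mechanism treated as QOP-capable here; the page names TD2 as subject to QOP
# enforcement and TDNEGO as a mechanism that does not support QOP.
QOP_CAPABLE: Set[str] = {"TD2"}
QOP_RANK: Dict[str, int] = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}  # hypothetical level names


@dataclass
class UserPolicy:
    """Per-user network security policy (hypothetical structure)."""
    allowed_mechanisms: Set[str]
    # mechanism name -> minimum QOP level the user must use with that mechanism
    required_qop: Dict[str, str] = field(default_factory=dict)


@dataclass
class Logon:
    """One logon attempt (constructed sample input)."""
    requested: str                    # mechanism the client asked for
    negotiated: Optional[str] = None  # mechanism TDNEGO selected, if TDNEGO was requested
    qop: Optional[str] = None         # QOP level the client will use


def effective_mechanism(logon: Logon) -> str:
    """TDNEGO is never the mechanism actually used; resolve to what it selected."""
    if logon.requested != "TDNEGO":
        return logon.requested
    if not logon.negotiated or logon.negotiated == "TDNEGO":
        raise ValueError("TDNEGO must select a mechanism other than itself")
    return logon.negotiated


def evaluate_logon(policy: UserPolicy, logon: Logon) -> Tuple[bool, str]:
    """Apply the rules: the selected mechanism must be allowed for the user,
    and the QOP restriction attached to the *selected* mechanism is enforced."""
    mech = effective_mechanism(logon)
    if mech not in policy.allowed_mechanisms:
        return False, f"{mech} (selected via {logon.requested}) is not permitted for this user"
    minimum = policy.required_qop.get(mech)
    if minimum is not None and mech in QOP_CAPABLE:
        offered = QOP_RANK.get(logon.qop or "", 0)
        if offered < QOP_RANK[minimum]:
            return False, f"{mech} requires QOP {minimum}; client offered {logon.qop}"
    return True, f"logon permitted with {mech}"


def lint_policy(policy: UserPolicy) -> List[str]:
    """Flag the policy settings the text warns about before they cause refused logons."""
    findings: List[str] = []
    if policy.allowed_mechanisms == {"TDNEGO"}:
        findings.append("user is restricted to TDNEGO only; every logon will be refused")
    elif "TDNEGO" in policy.allowed_mechanisms:
        findings.append("TDNEGO listed as an allowed mechanism; recommended to omit it")
    if "TDNEGO" in policy.required_qop:
        findings.append("QOP restriction on TDNEGO has no effect; TDNEGO does not support QOP")
    return findings


if __name__ == "__main__":
    # Constructed sample: user may use TD2 and must use high-level encryption with it.
    policy = UserPolicy(allowed_mechanisms={"TD2"}, required_qop={"TD2": "HIGH"})
    print(evaluate_logon(policy, Logon("TDNEGO", negotiated="TD2", qop="HIGH")))
    print(evaluate_logon(policy, Logon("TDNEGO", negotiated="TD2", qop="LOW")))
    print(lint_policy(UserPolicy(allowed_mechanisms={"TDNEGO"})))
```

The point of `lint_policy` is that a user whose allowed list contains only TDNEGO can never log on, because the mechanism that is ultimately used is always something else; catching that in policy review is cheaper than diagnosing refused logons afterwards.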