https://dirkjanm.io/a-different-way-of-abusing-zerologon/ shows that the protocol layering allows access to this line: https://git.samba.org/?p=samba.git;a=blob;f=libcli/auth/credentials.c#l872 via SamLogonWithFlags(), which is not restricted to schannel. I think we should fail the operation, but perhaps this doesn't matter given how strictly we lock down secure channel these days.