There exists a flag in both Kerberos and NTLMSSP that can be used by a client to instruct the server to not impersonate the user.

Quote from RFC 4757:

"GSS_C_IDENTIFY_FLAG - This flag allows the client to indicate to the server that it should only allow the server application to identify the client by name and ID, but not to impersonate the client."

The NTLM side:

"Identify: A Boolean setting that indicates that the caller wants the server to know the identity of the caller, but that the server not be allowed to impersonate the caller to resources on that system. Setting this flag results in the NTLMSSP_NEGOTIATE_IDENTIFY flag being set. Indicates that the GSS_C_IDENTIFY_FLAG flag was set in the GSS_Init_sec_context call, as discussed in [RFC4757] section 7.1, and results in the GSS_C_IDENTIFY_FLAG flag set in the authenticator's checksum field ([RFC4757] section 7.1)."

My first idea how this could be implemented is as follows:

Introduce a new GENSEC_FEATURE_IDENTIFY_ONLY.

Setting this feature on a client enables either GSS_C_IDENTIFY_FLAG or NTLMSSP_NEGOTIATE_IDENTIFY. The client then needs to insist that the server confirms that flag (for Heimdal that is probably already done, so setting GSS_C_IDENTIFY_FLAG in gss_want_feature should be enough in source3/librpc/crypto/gse.c and auth4/gensec/gensec_gssapi.c); for NTLM we need to add that feature to the required features (I think this is in auth/ntlmssp).

Setting this feature on a server confirms that the application indeed does not impersonate (and as a consequence confirms the feature if requested by the client).
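The negotiation rule sketched above, as an added example that is not part of the original post and is not Samba's or Heimdal's code: a client translates a single identify-only feature into the mechanism-specific flag (NTLMSSP_NEGOTIATE_IDENTIFY in the NTLMSSP NegotiateFlags, GSS_C_IDENTIFY_FLAG in the RFC 4121 0x8003 authenticator checksum), the server honours the flag only when its own application has declared the feature, and the client treats a missing confirmation as a hard failure. The flag values are the real ones from MS-NLMP 2.2.2.5 and RFC 4757 section 7.1; the GENSEC_FEATURE_IDENTIFY_ONLY bit and every negotiate_*/ntlm_*/gss_* function here are hypothetical models named after the proposal, and for Kerberos the server's honoured-flag set simply stands in for what the mechanism reports back to the client.

```python
"""Model of an identify-only negotiation check (added example, not Samba code)."""
import struct

# NTLMSSP NegotiateFlags bits (MS-NLMP 2.2.2.5).
NTLMSSP_NEGOTIATE_SIGN = 0x00000010
NTLMSSP_NEGOTIATE_SEAL = 0x00000020
NTLMSSP_NEGOTIATE_IDENTIFY = 0x00100000

# Kerberos GSS-API checksum Flags (RFC 4121 4.1.1.1, RFC 4757 7.1).
GSS_C_MUTUAL_FLAG = 0x0002
GSS_C_INTEG_FLAG = 0x0020
GSS_C_IDENTIFY_FLAG = 0x2000

# Hypothetical feature bit modelled on the proposal; not an existing GENSEC constant.
GENSEC_FEATURE_IDENTIFY_ONLY = 1 << 0


class IdentifyOnlyNotConfirmed(Exception):
    """Raised by the client when the server did not confirm identify-only."""


# ---- NTLMSSP side ----------------------------------------------------------

def ntlm_client_negotiate_flags(features, base=NTLMSSP_NEGOTIATE_SIGN):
    """Client: map the feature onto NTLMSSP_NEGOTIATE_IDENTIFY in NEGOTIATE_MESSAGE."""
    flags = base
    if features & GENSEC_FEATURE_IDENTIFY_ONLY:
        flags |= NTLMSSP_NEGOTIATE_IDENTIFY
    return flags


def ntlm_server_challenge_flags(client_flags, server_features):
    """Server: echo IDENTIFY only if the application declared it does not
    impersonate (the feature is set); otherwise strip the bit."""
    flags = client_flags
    if not (server_features & GENSEC_FEATURE_IDENTIFY_ONLY):
        flags &= ~NTLMSSP_NEGOTIATE_IDENTIFY
    return flags


def ntlm_client_check(challenge_flags, features):
    """Client: IDENTIFY is a *required* feature, so a missing echo is fatal."""
    if (features & GENSEC_FEATURE_IDENTIFY_ONLY
            and not (challenge_flags & NTLMSSP_NEGOTIATE_IDENTIFY)):
        raise IdentifyOnlyNotConfirmed("server dropped NTLMSSP_NEGOTIATE_IDENTIFY")
    return True


def negotiate_ntlm(client_features, server_features):
    """One NEGOTIATE/CHALLENGE flag round trip; True if the client accepts."""
    neg = ntlm_client_negotiate_flags(client_features)
    chal = ntlm_server_challenge_flags(neg, server_features)
    try:
        return ntlm_client_check(chal, client_features)
    except IdentifyOnlyNotConfirmed:
        return False


# ---- Kerberos side ---------------------------------------------------------

def gss_checksum_for_features(features, base=GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG):
    """Client: build the 0x8003 authenticator checksum (RFC 4121 4.1.1):
    Lgth=16, 16 channel-binding bytes (zeroed here), then Flags, little-endian."""
    flags = base
    if features & GENSEC_FEATURE_IDENTIFY_ONLY:
        flags |= GSS_C_IDENTIFY_FLAG
    return struct.pack("<I", 16) + bytes(16) + struct.pack("<I", flags)


def gss_checksum_flags(blob):
    """Server: extract Flags from the checksum, validating the fixed layout."""
    if len(blob) < 24:
        raise ValueError("checksum too short")
    (length,) = struct.unpack_from("<I", blob, 0)
    if length != 16:
        raise ValueError("unexpected Bnd length %d" % length)
    (flags,) = struct.unpack_from("<I", blob, 20)
    return flags


def gss_server_honoured_flags(checksum_blob, server_features):
    """Server: same rule as NTLM, applied to the flags it is willing to honour."""
    flags = gss_checksum_flags(checksum_blob)
    if not (server_features & GENSEC_FEATURE_IDENTIFY_ONLY):
        flags &= ~GSS_C_IDENTIFY_FLAG
    return flags


def negotiate_krb5(client_features, server_features):
    """Client asks for GSS_C_IDENTIFY_FLAG; accept only if it comes back honoured."""
    blob = gss_checksum_for_features(client_features)
    honoured = gss_server_honoured_flags(blob, server_features)
    if client_features & GENSEC_FEATURE_IDENTIFY_ONLY:
        return bool(honoured & GSS_C_IDENTIFY_FLAG)
    return True


if __name__ == "__main__":
    print("ntlm, both sides identify-only:", negotiate_ntlm(GENSEC_FEATURE_IDENTIFY_ONLY, GENSEC_FEATURE_IDENTIFY_ONLY))
    print("ntlm, server impersonates:     ", negotiate_ntlm(GENSEC_FEATURE_IDENTIFY_ONLY, 0))
    print("krb5, server impersonates:     ", negotiate_krb5(GENSEC_FEATURE_IDENTIFY_ONLY, 0))
```

The point the model makes is the one in the post: asking for the flag is not enough, the client has to refuse to proceed when the server does not confirm it, and the server must only confirm it when the application behind it really does not impersonate.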