Another reasonable behavior would be to see if the requested mechanism supports some kind of credential import. SPNEGO would implement this SPI; other mechansms probably wouldn't. That's a lot more work than failing out with GSS_S_BAD_MECH, of course.