Validating the Login Context Without Certifying the Security Server

An application that does not use login contexts to set local identity information does not need to certify its login contexts. Since an illegitimate security server is unlikely to know the key of a remote server principal with which the application may communicate, the application will simply be refused the service requested from the remote server principal. If local operating system identity information is assumed to be neither of interest nor of concern to an application, it may call sec_login_validate_identity( ), which does not attempt to verify the security server's knowledge of the host principal's key.

The sec_login_validate_identity( ) routine does not acquire a PTGT, unlike the sec_login_certify_identity( ) and sec_login_valid_and_cert_ident( ) routines. Instead, the PTGT is acquired when the application first makes an authenticated remote procedure call.