-validated agaist the server's keytab.
-
-Enable with: GssapiBasicAuth On
-Default: GssapiBasicAuth Off
-
-Example:
-<Location /gssapi>
- AuthType GSSAPI
- AuthName "Login"
- GssapiBasicAuth On
- GssapiCredStore keytab:/etc/httpd/http.keytab
- Require valid-user
-</Location>
+validated against the server's keytab.
+
+- **Enable with:** GssapiBasicAuth On
+- **Default:** GssapiBasicAuth Off
+
+#### Example
+ <Location /gssapi>
+ AuthType GSSAPI
+ AuthName "Login"
+ GssapiBasicAuth On
+ GssapiCredStore keytab:/etc/httpd/http.keytab
+ Require valid-user
+ </Location>
+
+
+### GssapiAllowedMech
+
+List of allowed mechanisms. This is useful to restrict the mechanism that
+can be used when credentials for multiple mechanisms are available.
+By default no mechanism is set, this means all locally available mechanisms
+are allowed. The recognized mechanism names are: krb5, iakerb, ntlmssp
+
+#### Example
+ GssapiAllowedMech krb5
+ GssapiAllowedMech ntlmssp
+
+
+### GssapiBasicAuthMech
+
+List of mechanisms against which Basic Auth is attempted. This is useful to
+restrict the mechanisms that can be used to attempt password auth.
+By default no mechanism is set, this means all locally available mechanisms
+are allowed, unless GssapiAllowedMech is set, in which case those are used.
+GssapiBasicAuthMech always takes precedence over GssapiAllowedMech.
+The recognized mechanism names are: krb5, iakerb, ntlmssp
+
+#### Example
+ GssapiBasicAuthMech krb5