Some servers may offer SASL EXTERNAL even though the connection has no client certificate. If EXTERNAL was offered, the client will prefer it (unless otherwise configured to enable only other specific mechanisms). In this situation the connection then fails due to the lack of a certificate: the server has erroneously offered the mechanism, though the actual issue may not be obvious to a user. The client can help avoid this user gotcha by verifying that the SSLSession has a local principal and not allowing EXTERNAL otherwise, instead using the other mechanisms that may be applicable.
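One way to implement the check described above, as an added example rather than the client's own code: EXTERNAL is skipped unless `SSLSession.getLocalPrincipal()` is non-null. The class name, the preference list and the proxy-based stub session are assumptions made for illustration, and credential checks for the other mechanisms are left out.

```java
import java.lang.reflect.Proxy;
import java.security.Principal;
import java.util.List;
import javax.net.ssl.SSLSession;
import javax.security.auth.x500.X500Principal;

public class SaslMechanismFilter {
    // Client preference order, EXTERNAL first (assumed list, not taken from the page).
    static final List<String> PREFERENCE =
        List.of("EXTERNAL", "SCRAM-SHA-256", "PLAIN", "ANONYMOUS");

    /** EXTERNAL can only succeed if TLS is in use and a client certificate was sent. */
    static boolean externalApplicable(SSLSession session) {
        // getLocalPrincipal() returns null when no local certificate was presented.
        return session != null && session.getLocalPrincipal() != null;
    }

    /** First preferred mechanism that the server offered and that can work, or null. */
    static String select(List<String> serverOffered, SSLSession session) {
        for (String mech : PREFERENCE) {
            if (!serverOffered.contains(mech)) {
                continue;
            }
            if (mech.equals("EXTERNAL") && !externalApplicable(session)) {
                continue; // offered erroneously: fall through to the other mechanisms
            }
            return mech;
        }
        return null; // nothing usable: report a clear error to the user
    }

    // Constructed stand-in for a negotiated session; only getLocalPrincipal() is answered.
    static SSLSession stubSession(Principal local) {
        return (SSLSession) Proxy.newProxyInstance(
            SSLSession.class.getClassLoader(), new Class<?>[] { SSLSession.class },
            (proxy, method, args) ->
                method.getName().equals("getLocalPrincipal") ? local : null);
    }

    public static void main(String[] args) {
        List<String> offered = List.of("EXTERNAL", "PLAIN"); // constructed server offer
        SSLSession noCert = stubSession(null);
        SSLSession withCert = stubSession(new X500Principal("CN=client")); // constructed DN

        System.out.println("TLS, no client cert   -> " + select(offered, noCert));
        System.out.println("TLS, client cert sent -> " + select(offered, withCert));
        System.out.println("no TLS                -> " + select(offered, null));
        System.out.println("only EXTERNAL offered -> " + select(List.of("EXTERNAL"), noCert));
    }
}
```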