>>>>> "Nicolas" == Nicolas Williams via RT writes: Nicolas> Which brings us back to a discussion we had at Cthon03: Nicolas> why not always decode the ap-req and use Nicolas> krb5_rd_req_dec() instead of krb5_rd_req(). Not really. Or at least I fail to see how your comment is actually related to the bug or the code. Note that the code in question already has access to the server principal from the ap_req because it is in the path that is decoding it. Correct solutions include: * Removivg that code path and not sending back an error token if the ap_req cannot be read. * Grabbing the server principal out of the ap-req not out of the credential. What I'll probably do when I get around to it is grab the the server princ out of the ap-req if cred->princ is null.