--- cyrus-sasl-2.1.24/plugins/gssapi.c.orig 2009-08-13 14:36:46.000000000 +0200
+++ cyrus-sasl-2.1.24/plugins/gssapi.c 2009-12-21 21:23:48.631598700 +0100
@@ -1616,8 +1616,18 @@
 /* bit mask of server support */
 serverhas = ((char *)output_token->value)[0];
+ if (allowed >= K5_MAX_SSF && need == 0 && (serverhas & 6)) {
+ /* May be server wants as answer signing and encryption.
+ * This is a special case for MS AD-DCs where client should
+ * answer it can do what server can do but chooses encryption.
+ */
+ oparams->encode = &gssapi_privacy_encode;
+ oparams->decode = &gssapi_decode;
+ /* FIX ME: Need to extract the proper value here */
+ oparams->mech_ssf = K5_MAX_SSF;
+ mychoice = (serverhas & 7);
 /* if client didn't set use strongest layer available */
- if (allowed >= K5_MAX_SSF && need <= K5_MAX_SSF && (serverhas & 4)) {
+ } else if (allowed >= K5_MAX_SSF && need <= K5_MAX_SSF && (serverhas & 4)) {
 /* encryption */
 oparams->encode = &gssapi_privacy_encode;
 oparams->decode = &gssapi_decode;
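Review bot: The new first branch tests `(serverhas & 6)`, so it is also taken when the server offers integrity only (bit 2 without bit 4), yet it installs `gssapi_privacy_encode` and reports `mech_ssf = K5_MAX_SSF`; the reply mask and the locally recorded layer then disagree, and an application that enforces policy on the SSF would see a stronger layer than was announced. `mychoice = (serverhas & 7)` also echoes the server's whole mask, which can include bit 1 (no security layer), where the existing branch below selects a single layer. I would gate the branch on confidentiality actually being offered, `if (allowed >= K5_MAX_SSF && need == 0 && (serverhas & 4)) {`, and, if the AD interoperability case does not need the no-layer bit echoed, use `mychoice = (serverhas & 6);`. Because this branch is evaluated before the general one, it applies to any server whenever `need == 0`, not only to AD DCs, which deserves a comment or a narrower test. The enclosing function starts and ends outside the hunk, so how `mychoice` is used afterwards is not visible here.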