diff --git a/lib/gssapi/ChangeLog b/lib/gssapi/ChangeLog index 580393d96..772ced4cd 100644 --- a/lib/gssapi/ChangeLog +++ b/lib/gssapi/ChangeLog @@ -4,6 +4,14 @@ KRB5_TC_MATCH_KEYTYPE, it can lead to the credentials cache growing indefinitely as no key is found with KEYTYPE_NULL + * compat.c: remove GSS_C_EXPECTING_MECH_LIST_MIC_FLAG, it is + no longer used (however the mechListMIC behaviour is broken, + rfc2478bis support requires the code in the mechglue branch) + + * init_sec_context.c: remove GSS_C_EXPECTING_MECH_LIST_MIC_FLAG + + * gssapi.h: remove GSS_C_EXPECTING_MECH_LIST_MIC_FLAG + 2005-01-05 Luke Howard * 8003.c: use symbolic name for checksum type diff --git a/lib/gssapi/compat.c b/lib/gssapi/compat.c index 26e91937a..fa357df73 100644 --- a/lib/gssapi/compat.c +++ b/lib/gssapi/compat.c @@ -124,8 +124,7 @@ gss_krb5_compat_des3_mic(OM_uint32 *minor_status, gss_ctx_id_t ctx, int on) /* * For compatability with the Windows SPNEGO implementation, the * default is to ignore the mechListMIC unless the initiator specified - * GSS_C_EXPECTING_MECH_LIST_MIC_FLAG, CFX or configured in krb5.conf - * with the option + * CFX or configured in krb5.conf with the option * [gssapi]require_mechlist_mic=target-principal-pattern. * The option is valid for both initiator and acceptor. */ 
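Review bot: The reworded comment in lib/gssapi/compat.c (hunk `@@ -124,8 +124,7 @@`) now reads "unless the initiator specified CFX or configured in krb5.conf", which no longer parses. In the next hunk CFX is detected from the context by `gsskrb5_is_cfx()`; it is not something the initiator specifies. I would write `default is to ignore the mechListMIC unless a CFX session key was used or krb5.conf sets the option`, and fix "compatability" while the block is being touched. The same wording is in the lib/gssapi/krb5/compat.c copy of this hunk; the function the comment documents begins outside it.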
@@ -137,22 +136,17 @@ _gss_spnego_require_mechlist_mic(OM_uint32 *minor_status, OM_uint32 ret; int is_cfx = 0; - if (ctx->flags & GSS_C_EXPECTING_MECH_LIST_MIC_FLAG) { - /* initiator insisted on mechListMIC */ + gsskrb5_is_cfx(ctx, &is_cfx); + if (is_cfx) { + /* CFX session key was used */ *require_mic = TRUE; } else { - gsskrb5_is_cfx(ctx, &is_cfx); - if (is_cfx) { - /* CFX session key was used */ - *require_mic = TRUE; - } else { - *require_mic = FALSE; - ret = check_compat(minor_status, ctx->target, - "require_mechlist_mic", - require_mic, TRUE); - if (ret) - return ret; - } + *require_mic = FALSE; + ret = check_compat(minor_status, ctx->target, + "require_mechlist_mic", + require_mic, TRUE); + if (ret) + return ret; } *minor_status = 0; return GSS_S_COMPLETE; diff --git a/lib/gssapi/gssapi.h b/lib/gssapi/gssapi.h index b573d205c..3bc000e2a 100644 --- a/lib/gssapi/gssapi.h +++ b/lib/gssapi/gssapi.h @@ -116,14 +116,6 @@ typedef OM_uint32 gss_qop_t; #define GSS_C_PROT_READY_FLAG 128 #define GSS_C_TRANS_FLAG 256 -/* - * GSS_C_EXPECTING_MECH_LIST_MIC_FLAG - Setting this flag causes the - * initiator to insist that the acceptor integrity protect the mechanism - * list when using SPNEGO. This can be forced on by setting the - * [gssapi]require_mechlist_mic option in krb5.conf. - */ -#define GSS_C_EXPECTING_MECH_LIST_MIC_FLAG 0x10000 - /* * Credential usage options */ diff --git a/lib/gssapi/init_sec_context.c b/lib/gssapi/init_sec_context.c index 9302e4f6d..773c91b4c 100644 --- a/lib/gssapi/init_sec_context.c +++ b/lib/gssapi/init_sec_context.c @@ -725,8 +725,8 @@ spnego_reply } /* - * Verify the mechListMIC if GSS_C_EXPECTING_MECH_LIST_MIC_FLAG - * was specified or CFX was used; or if local policy dictated so. + * Verify the mechListMIC if CFX was used; or if local policy + * dictated so. */ ret = _gss_spnego_require_mechlist_mic(minor_status, *context_handle, &require_mic); 
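Review bot: In `_gss_spnego_require_mechlist_mic` (lib/gssapi/compat.c), a non-CFX context now ends with `*require_mic = FALSE` unless krb5.conf matches `require_mechlist_mic`, and with the macro removed from gssapi.h an application has no per-context way to insist on the MIC. Where the mechListMIC is not verified, the SPNEGO mechanism list is not integrity protected, so a change to the negotiated mechanism in transit would go unnoticed; the ChangeLog entry itself calls the behaviour broken. I would record that at the else branch, e.g. `/* non-CFX: mechList is not integrity protected unless [gssapi]require_mechlist_mic matches the target */`. Separately, `gsskrb5_is_cfx(ctx, &is_cfx);` is called as a bare statement; if it can fail, `is_cfx` stays 0 and the weaker default applies silently, which is worth confirming against its declaration. The same points hold for the lib/gssapi/krb5/compat.c copy, and the function's declarations and opening lie outside the hunk.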
diff --git a/lib/gssapi/krb5/ChangeLog b/lib/gssapi/krb5/ChangeLog index 580393d96..772ced4cd 100644 --- a/lib/gssapi/krb5/ChangeLog +++ b/lib/gssapi/krb5/ChangeLog @@ -4,6 +4,14 @@ KRB5_TC_MATCH_KEYTYPE, it can lead to the credentials cache growing indefinitely as no key is found with KEYTYPE_NULL + * compat.c: remove GSS_C_EXPECTING_MECH_LIST_MIC_FLAG, it is + no longer used (however the mechListMIC behaviour is broken, + rfc2478bis support requires the code in the mechglue branch) + + * init_sec_context.c: remove GSS_C_EXPECTING_MECH_LIST_MIC_FLAG + + * gssapi.h: remove GSS_C_EXPECTING_MECH_LIST_MIC_FLAG + 2005-01-05 Luke Howard * 8003.c: use symbolic name for checksum type diff --git a/lib/gssapi/krb5/compat.c b/lib/gssapi/krb5/compat.c index 26e91937a..fa357df73 100644 --- a/lib/gssapi/krb5/compat.c +++ b/lib/gssapi/krb5/compat.c @@ -124,8 +124,7 @@ gss_krb5_compat_des3_mic(OM_uint32 *minor_status, gss_ctx_id_t ctx, int on) /* * For compatability with the Windows SPNEGO implementation, the * default is to ignore the mechListMIC unless the initiator specified - * GSS_C_EXPECTING_MECH_LIST_MIC_FLAG, CFX or configured in krb5.conf - * with the option + * CFX or configured in krb5.conf with the option * [gssapi]require_mechlist_mic=target-principal-pattern. * The option is valid for both initiator and acceptor. */ 
@@ -137,22 +136,17 @@ _gss_spnego_require_mechlist_mic(OM_uint32 *minor_status, OM_uint32 ret; int is_cfx = 0; - if (ctx->flags & GSS_C_EXPECTING_MECH_LIST_MIC_FLAG) { - /* initiator insisted on mechListMIC */ + gsskrb5_is_cfx(ctx, &is_cfx); + if (is_cfx) { + /* CFX session key was used */ *require_mic = TRUE; } else { - gsskrb5_is_cfx(ctx, &is_cfx); - if (is_cfx) { - /* CFX session key was used */ - *require_mic = TRUE; - } else { - *require_mic = FALSE; - ret = check_compat(minor_status, ctx->target, - "require_mechlist_mic", - require_mic, TRUE); - if (ret) - return ret; - } + *require_mic = FALSE; + ret = check_compat(minor_status, ctx->target, + "require_mechlist_mic", + require_mic, TRUE); + if (ret) + return ret; } *minor_status = 0; return GSS_S_COMPLETE; diff --git a/lib/gssapi/krb5/gssapi.h b/lib/gssapi/krb5/gssapi.h index b573d205c..3bc000e2a 100644 --- a/lib/gssapi/krb5/gssapi.h +++ b/lib/gssapi/krb5/gssapi.h @@ -116,14 +116,6 @@ typedef OM_uint32 gss_qop_t; #define GSS_C_PROT_READY_FLAG 128 #define GSS_C_TRANS_FLAG 256 -/* - * GSS_C_EXPECTING_MECH_LIST_MIC_FLAG - Setting this flag causes the - * initiator to insist that the acceptor integrity protect the mechanism - * list when using SPNEGO. This can be forced on by setting the - * [gssapi]require_mechlist_mic option in krb5.conf. - */ -#define GSS_C_EXPECTING_MECH_LIST_MIC_FLAG 0x10000 - /* * Credential usage options */ diff --git a/lib/gssapi/krb5/init_sec_context.c b/lib/gssapi/krb5/init_sec_context.c index 9302e4f6d..773c91b4c 100644 --- a/lib/gssapi/krb5/init_sec_context.c +++ b/lib/gssapi/krb5/init_sec_context.c @@ -725,8 +725,8 @@ spnego_reply } /* - * Verify the mechListMIC if GSS_C_EXPECTING_MECH_LIST_MIC_FLAG - * was specified or CFX was used; or if local policy dictated so. + * Verify the mechListMIC if CFX was used; or if local policy + * dictated so. */ ret = _gss_spnego_require_mechlist_mic(minor_status, *context_handle, &require_mic);