diff --git a/appl/test/Makefile.am b/appl/test/Makefile.am
new file mode 100644
index 000000000..cd1de0e41
--- /dev/null
+++ b/appl/test/Makefile.am
@@ -0,0 +1,13 @@
+# $Id$
+
+AUTOHEADER_FLAGS = no-dependencies foreign
+
+INCLUDES = -I$(top_builddir)/include
+
+noinst_PROGRAMS = tcp_client tcp_server
+
+tcp_client_SOURCES = tcp_client.c
+
+tcp_server_SOURCES = tcp_server.c
+
+LDADD = -L$(top_builddir)/lib/krb5 -lkrb5 -L$(top_builddir)/lib/des -ldes -L$(top_builddir)/lib/asn1 -lasn1 -L$(top_builddir)/lib/roken -lroken
diff --git a/appl/test/tcp_client.c b/appl/test/tcp_client.c
new file mode 100644
index 000000000..77782b7be
--- /dev/null
+++ b/appl/test/tcp_client.c
@@ -0,0 +1,171 @@
+#include "test_locl.h"
+RCSID("$Id$");
+
+static void
+usage (void)
+{
+ errx (1, "Usage: %s [-p port] [-s service] host", __progname);
+}
+
+static int
+proto (int sock, const char *hostname, const char *service)
+{
+ struct sockaddr_in remote, local;
+ int addrlen;
+ krb5_address remote_addr, local_addr;
+ krb5_context context;
+ krb5_ccache ccache;
+ krb5_auth_context auth_context;
+ krb5_error_code status;
+ krb5_principal server;
+
+ addrlen = sizeof(local);
+ if (getsockname (sock, (struct sockaddr *)&local, &addrlen) < 0
+ || addrlen != sizeof(local))
+ err (1, "getsockname(%s)", hostname);
+
+ addrlen = sizeof(remote);
+ if (getpeername (sock, (struct sockaddr *)&remote, &addrlen) < 0
+ || addrlen != sizeof(remote))
+ err (1, "getpeername(%s)", hostname);
+
+ status = krb5_init_context(&context);
+ if (status)
+ errx (1, "krb5_init_context: %s",
+ krb5_get_err_text(context, status));
+
+ status = krb5_cc_default (context, &ccache);
+ if (status)
+ errx (1, "krb5_cc_default: %s",
+ krb5_get_err_text(context, status));
+
+ status = krb5_auth_con_init (context, &auth_context);
+ if (status)
+ errx (1, "krb5_auth_con_init: %s",
+ krb5_get_err_text(context, status));
+
+ local_addr.addr_type = AF_INET;
+ local_addr.address.length = sizeof(local.sin_addr);
+ local_addr.address.data = &local.sin_addr;
+
+ remote_addr.addr_type = AF_INET;
+ remote_addr.address.length = sizeof(remote.sin_addr);
+ remote_addr.address.data = &remote.sin_addr;
+
+ status = krb5_auth_con_setaddrs (context,
+ auth_context,
+ &local_addr,
+ &remote_addr);
+ if (status)
+ errx (1, "krb5_auth_con_setaddr: %s",
+ krb5_get_err_text(context, status));
+
+ status = krb5_sname_to_principal (context,
+ hostname,
+ service,
+ KRB5_NT_SRV_INST,
+ &server);
+ if (status)
+ errx (1, "krb5_sname_to_principal: %s",
+ krb5_get_err_text(context, status));
+
+ status = krb5_sendauth (context,
+ &auth_context,
+ &sock,
+ VERSION,
+ NULL,
+ server,
+ AP_OPTS_MUTUAL_REQUIRED,
+ NULL,
+ NULL,
+ ccache,
+ NULL,
+ NULL,
+ NULL);
+ if (status)
+ errx (1, "krb5_sendauth: %s",
+ krb5_get_err_text(context, status));
+
+}
+
+static int
+doit (const char *hostname, int port, const char *service)
+{
+ struct in_addr **h;
+ struct hostent *hostent;
+
+ hostent = gethostbyname (hostname);
+ if (hostent == NULL)
+ errx (1, "gethostbyname '%s' failed: %s",
+ hostname,
+ hstrerror(h_errno));
+
+ for (h = (struct in_addr **)hostent->h_addr_list;
+ *h != NULL;
+ ++h) {
+ struct sockaddr_in addr;
+ int s;
+
+ memset (&addr, 0, sizeof(addr));
+ addr.sin_family = AF_INET;
+ addr.sin_port = port;
+ addr.sin_addr = **h;
+
+ s = socket (AF_INET, SOCK_STREAM, 0);
+ if (s < 0)
+ err (1, "socket");
+ if (connect (s, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
+ warn ("connect(%s)", hostname);
+ close (s);
+ continue;
+ }
+ return proto (s, hostname, service);
+ }
+ return 1;
+}
+
+int
+main(int argc, char **argv)
+{
+ int c;
+ int port = 0;
+ char *service = SERVICE;
+
+ set_progname (argv[0]);
+
+ while ((c = getopt (argc, argv, "p:s:")) != EOF) {
+ switch (c) {
+ case 'p': {
+ struct servent *s = getservbyname (optarg, "tcp");
+
+ if (s)
+ port = s->s_port;
+ else {
+ char *ptr;
+
+ port = strtol (optarg, &ptr, 10);
+ if (port == 0 && ptr == optarg)
+ errx (1, "Bad port `%s'", optarg);
+ port = htons(port);
+ }
+ break;
+ }
+ case 's':
+ service = optarg;
+ break;
+ default:
+ usage ();
+ break;
+ }
+ }
+ argc -= optind;
+ argv += optind;
+
+ if (argc != 1)
+ usage ();
+
+ if (port == 0)
+ port = krb5_getportbyname (PORT, "tcp", htons(4711));
+
+ return doit (*argv, port, service);
+}
diff --git a/appl/test/tcp_server.c b/appl/test/tcp_server.c
new file mode 100644
index 000000000..131142ac4
--- /dev/null
+++ b/appl/test/tcp_server.c
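Review bot: The `krb5_init_context` error branch in proto() passes `context` to `krb5_get_err_text(context, status)` while it is still an uninitialized local, so unless the library is guaranteed to set it on failure (the diff does not show that) the error path reads an indeterminate pointer instead of reporting the failure; report the code directly there, e.g. `errx (1, "krb5_init_context failed: %d", (int)status);`. The proto() in tcp_server.c has the same branch. Separately, this proto() is declared `static int` but reaches its closing brace after the `krb5_sendauth` check without returning a value, and doit() and main() pass that value on as the process exit status, so add `return 0;` before the `}`.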
@@ -0,0 +1,174 @@
+#include "test_locl.h"
+RCSID("$Id$");
+
+static void
+usage (void)
+{
+ errx (1, "Usage: %s [-p port] [-s service]", __progname);
+}
+
+static int
+proto (int sock, const char *service)
+{
+ struct sockaddr_in remote, local;
+ int addrlen;
+ krb5_address remote_addr, local_addr;
+ krb5_context context;
+ krb5_ccache ccache;
+ krb5_auth_context auth_context;
+ krb5_error_code status;
+ krb5_principal server;
+ krb5_ticket *ticket;
+ char *name;
+ char hostname[MAXHOSTNAMELEN];
+
+ addrlen = sizeof(local);
+ if (getsockname (sock, (struct sockaddr *)&local, &addrlen) < 0
+ || addrlen != sizeof(local))
+ err (1, "getsockname)");
+
+ addrlen = sizeof(remote);
+ if (getpeername (sock, (struct sockaddr *)&remote, &addrlen) < 0
+ || addrlen != sizeof(remote))
+ err (1, "getpeername");
+
+ status = krb5_init_context(&context);
+ if (status)
+ errx (1, "krb5_init_context: %s",
+ krb5_get_err_text(context, status));
+
+ status = krb5_auth_con_init (context, &auth_context);
+ if (status)
+ errx (1, "krb5_auth_con_init: %s",
+ krb5_get_err_text(context, status));
+
+ local_addr.addr_type = AF_INET;
+ local_addr.address.length = sizeof(local.sin_addr);
+ local_addr.address.data = &local.sin_addr;
+
+ remote_addr.addr_type = AF_INET;
+ remote_addr.address.length = sizeof(remote.sin_addr);
+ remote_addr.address.data = &remote.sin_addr;
+
+ status = krb5_auth_con_setaddrs (context,
+ auth_context,
+ &local_addr,
+ &remote_addr);
+ if (status)
+ errx (1, "krb5_auth_con_setaddr: %s",
+ krb5_get_err_text(context, status));
+
+ if(gethostname (hostname, sizeof(hostname)) < 0)
+ err (1, "gethostname");
+
+ status = krb5_sname_to_principal (context,
+ hostname,
+ service,
+ KRB5_NT_SRV_INST,
+ &server);
+ if (status)
+ errx (1, "krb5_sname_to_principal: %s",
+ krb5_get_err_text(context, status));
+
+ status = krb5_recvauth (context,
+ &auth_context,
+ &sock,
+ VERSION,
+ server,
+ 0,
+ NULL,
+ &ticket);
+ if (status)
+ errx (1, "krb5_recvauth: %s",
+ krb5_get_err_text(context, status));
+
+ status = krb5_unparse_name (context,
+ ticket->enc_part2.client,
+ &name);
+ if (status)
+ errx (1, "krb5_unparse_name: %s",
+ krb5_get_err_text(context, status));
+
+ printf ("User is `%s'\n", name);
+ free (name);
+
+ return 0;
+}
+
+static int
+doit (int port, const char *service)
+{
+ int sock, sock2;
+ struct sockaddr_in my_addr;
+ int one = 1;
+
+ sock = socket (AF_INET, SOCK_STREAM, 0);
+ if (sock < 0)
+ err (1, "socket");
+
+ memset (&my_addr, 0, sizeof(my_addr));
+ my_addr.sin_family = AF_INET;
+ my_addr.sin_port = port;
+ my_addr.sin_addr.s_addr = INADDR_ANY;
+
+ if (setsockopt (sock, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)) < 0)
+ warn ("setsockopt SO_REUSEADDR");
+
+ if (bind (sock, (struct sockaddr *)&my_addr, sizeof(my_addr)) < 0)
+ err (1, "bind");
+
+ if (listen (sock, 1) < 0)
+ err (1, "listen");
+
+ sock2 = accept (sock, NULL, NULL);
+ if (sock2 < 0)
+ err (1, "accept");
+
+ return proto (sock2, service);
+}
+
+int
+main(int argc, char **argv)
+{
+ int c;
+ int port = 0;
+ char *service = SERVICE;
+
+ set_progname (argv[0]);
+
+ while ((c = getopt (argc, argv, "p:s:")) != EOF) {
+ switch (c) {
+ case 'p': {
+ struct servent *s = getservbyname (optarg, "tcp");
+
+ if (s)
+ port = s->s_port;
+ else {
+ char *ptr;
+
+ port = strtol (optarg, &ptr, 10);
+ if (port == 0 && ptr == optarg)
+ errx (1, "Bad port `%s'", optarg);
+ port = htons(port);
+ }
+ break;
+ }
+ case 's':
+ service = optarg;
+ break;
+ default:
+ usage ();
+ break;
+ }
+ }
+ argc -= optind;
+ argv += optind;
+
+ if (argc != 0)
+ usage ();
+
+ if (port == 0)
+ port = krb5_getportbyname (PORT, "tcp", htons(4711));
+
+ return doit (port, service);
+}
diff --git a/appl/test/test_locl.h b/appl/test/test_locl.h
new file mode 100644
index 000000000..da808b71b
--- /dev/null
+++ b/appl/test/test_locl.h
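Review bot: `gethostname (hostname, sizeof(hostname))` in proto() feeds `hostname` straight into `krb5_sname_to_principal`, but POSIX leaves it unspecified whether a truncated name is NUL-terminated, so on a host with a long name the principal lookup can read past the buffer; add `hostname[sizeof(hostname) - 1] = '\0';` right after the call. The name is also used exactly as the host reports it, so the service principal may not match the key the server holds when that is a short name; a comment such as `/* assumes gethostname() returns the name used in the service principal */` would make the assumption visible. The `-p` parsing in main() (same code in tcp_client.c) checks only `ptr == optarg` before `htons(port)`, so trailing characters and values outside 1..65535 are accepted and silently truncated; also reject `*ptr != '\0'` and out-of-range numbers.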
@@ -0,0 +1,37 @@
+/* $Id$ */
+
+#ifdef HAVE_CONFIG_H
+#include
+#endif
+
+#include
+#include
+#include
+#ifdef HAVE_SYS_TYPES_H
+#include
+#endif
+#ifdef HAVE_UNISTD_H
+#include
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include
+#endif
+#ifdef HAVE_PWD_H
+#include
+#endif
+#ifdef HAVE_NETDB_H
+#include
+#endif
+#ifdef HAVE_SYS_PARAM_H
+#include
+#endif
+#include
+#include
+#include
+
+#define SERVICE "test"
+
+#define PORT "test"