diff --git a/lib/gssapi/get_mic.c b/lib/gssapi/get_mic.c
index 1c3fdf628..64f7db7b7 100644
--- a/lib/gssapi/get_mic.c
+++ b/lib/gssapi/get_mic.c
@@ -270,7 +270,7 @@ OM_uint32 gss_get_mic
 OM_uint32 ret;
 krb5_keytype keytype;
 
- ret = gss_krb5_get_localkey(context_handle, &key);
+ ret = gss_krb5_get_subkey(context_handle, &key);
 if (ret) {
 gssapi_krb5_set_error_string ();
 *minor_status = ret;
diff --git a/lib/gssapi/gssapi_locl.h b/lib/gssapi/gssapi_locl.h
index 8400b0a00..790431ef8 100644
--- a/lib/gssapi/gssapi_locl.h
+++ b/lib/gssapi/gssapi_locl.h
@@ -209,12 +209,8 @@ gss_verify_mic_internal(OM_uint32 * minor_status,
 char * type);
 
 OM_uint32
-gss_krb5_get_remotekey(const gss_ctx_id_t context_handle,
- krb5_keyblock **key);
-
-OM_uint32
-gss_krb5_get_localkey(const gss_ctx_id_t context_handle,
- krb5_keyblock **key);
+gss_krb5_get_subkey(const gss_ctx_id_t context_handle,
+ krb5_keyblock **key);
 
 krb5_error_code
 gss_address_to_krb5addr(OM_uint32 gss_addr_type,
diff --git a/lib/gssapi/krb5/get_mic.c b/lib/gssapi/krb5/get_mic.c
index 1c3fdf628..64f7db7b7 100644
--- a/lib/gssapi/krb5/get_mic.c
+++ b/lib/gssapi/krb5/get_mic.c
@@ -270,7 +270,7 @@ OM_uint32 gss_get_mic
 OM_uint32 ret;
 krb5_keytype keytype;
 
- ret = gss_krb5_get_localkey(context_handle, &key);
+ ret = gss_krb5_get_subkey(context_handle, &key);
 if (ret) {
 gssapi_krb5_set_error_string ();
 *minor_status = ret;
diff --git a/lib/gssapi/krb5/gssapi_locl.h b/lib/gssapi/krb5/gssapi_locl.h
index 8400b0a00..790431ef8 100644
--- a/lib/gssapi/krb5/gssapi_locl.h
+++ b/lib/gssapi/krb5/gssapi_locl.h
@@ -209,12 +209,8 @@ gss_verify_mic_internal(OM_uint32 * minor_status,
 char * type);
 
 OM_uint32
-gss_krb5_get_remotekey(const gss_ctx_id_t context_handle,
- krb5_keyblock **key);
-
-OM_uint32
-gss_krb5_get_localkey(const gss_ctx_id_t context_handle,
- krb5_keyblock **key);
+gss_krb5_get_subkey(const gss_ctx_id_t context_handle,
+ krb5_keyblock **key);
 
 krb5_error_code
 gss_address_to_krb5addr(OM_uint32 gss_addr_type,
diff --git a/lib/gssapi/krb5/unwrap.c b/lib/gssapi/krb5/unwrap.c index f3a1b989f..cf82141e9 100644 --- a/lib/gssapi/krb5/unwrap.c +++ b/lib/gssapi/krb5/unwrap.c @@ -35,44 +35,6 @@ RCSID("$Id$"); -OM_uint32 -gss_krb5_get_remotekey(const gss_ctx_id_t context_handle, - krb5_keyblock **key) -{ - krb5_keyblock *skey; - - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - if (context_handle->more_flags & ACCEPTOR_SUBKEY) { - if (context_handle->more_flags & LOCAL) - krb5_auth_con_getremotesubkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - else - krb5_auth_con_getlocalsubkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - } else { - krb5_auth_con_getremotesubkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - if(skey == NULL) - krb5_auth_con_getlocalsubkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - if(skey == NULL) - krb5_auth_con_getkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - if(skey == NULL) { - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - return GSS_KRB5_S_KG_NO_SUBKEY; /* XXX */ - } - } - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - *key = skey; - return 0; -} - static OM_uint32 unwrap_des (OM_uint32 * minor_status, @@ -413,7 +375,7 @@ OM_uint32 gss_unwrap if (qop_state != NULL) *qop_state = GSS_C_QOP_DEFAULT; - ret = gss_krb5_get_remotekey(context_handle, &key); + ret = gss_krb5_get_subkey(context_handle, &key); if (ret) { gssapi_krb5_set_error_string (); *minor_status = ret; diff --git a/lib/gssapi/krb5/verify_mic.c b/lib/gssapi/krb5/verify_mic.c index 3afc2e0bc..850604aaf 100644 --- a/lib/gssapi/krb5/verify_mic.c +++ b/lib/gssapi/krb5/verify_mic.c @@ -278,7 +278,7 @@ gss_verify_mic_internal OM_uint32 ret; krb5_keytype keytype; - ret = gss_krb5_get_remotekey(context_handle, &key); + ret = gss_krb5_get_subkey(context_handle, &key); if (ret) { gssapi_krb5_set_error_string (); *minor_status = ret; 
diff --git a/lib/gssapi/krb5/wrap.c b/lib/gssapi/krb5/wrap.c
index 01a9f3e88..bf46171d0 100644
--- a/lib/gssapi/krb5/wrap.c
+++ b/lib/gssapi/krb5/wrap.c
@@ -36,29 +36,36 @@ RCSID("$Id$");
 
 
 OM_uint32
-gss_krb5_get_localkey(const gss_ctx_id_t context_handle,
- krb5_keyblock **key)
+gss_krb5_get_subkey(const gss_ctx_id_t context_handle,
+ krb5_keyblock **key)
 {
- krb5_keyblock *skey;
+ krb5_keyblock *skey = NULL;
 
 HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
- if (context_handle->more_flags & ACCEPTOR_SUBKEY) {
- if (context_handle->more_flags & LOCAL)
- krb5_auth_con_getremotesubkey(gssapi_krb5_context,
- context_handle->auth_context,
- &skey);
- else
- krb5_auth_con_getlocalsubkey(gssapi_krb5_context,
- context_handle->auth_context,
- &skey);
+ if (context_handle->more_flags & LOCAL) {
+ krb5_auth_con_getremotesubkey(gssapi_krb5_context,
+ context_handle->auth_context,
+ &skey);
 } else {
 krb5_auth_con_getlocalsubkey(gssapi_krb5_context,
 context_handle->auth_context,
 &skey);
- if(skey == NULL)
+ }
+ /*
+ * Only use the initiator subkey or ticket session key if
+ * an acceptor subkey was not required.
+ */
+ if (skey == NULL &&
+ (context_handle->more_flags & ACCEPTOR_SUBKEY) == 0) {
+ if (context_handle->more_flags & LOCAL) {
+ krb5_auth_con_getlocalsubkey(gssapi_krb5_context,
+ context_handle->auth_context,
+ &skey);
+ } else {
 krb5_auth_con_getremotesubkey(gssapi_krb5_context,
- context_handle->auth_context,
+ context_handle->auth_context,
 &skey);
+ }
 if(skey == NULL)
 krb5_auth_con_getkey(gssapi_krb5_context,
 context_handle->auth_context,
@@ -66,7 +73,7 @@ gss_krb5_get_localkey(const gss_ctx_id_t context_handle,
 }
 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
 if(skey == NULL)
- return GSS_S_FAILURE;
+ return GSS_KRB5_S_KG_NO_SUBKEY; /* XXX */
 *key = skey;
 return 0;
 }
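Review bot: The krb5_error_code returned by each krb5_auth_con_getremotesubkey, krb5_auth_con_getlocalsubkey and krb5_auth_con_getkey call in gss_krb5_get_subkey is discarded, so now that `skey` starts out as NULL a lookup that fails (an allocation failure, for instance, if these calls can return with the output left NULL) is indistinguishable from "no such subkey": the function then falls through to a weaker key than the one the context actually carries, or reports GSS_KRB5_S_KG_NO_SUBKEY and hides the real error. Capture each result in a `krb5_error_code kret` and, on a non-zero value, unlock `ctx_id_mutex` and return `kret` before `skey` is consulted; the sketch below shows the first lookup, and the two fallback calls follow the same pattern. The body of gss_krb5_get_subkey continues into the next hunk (the unlock and the NULL check), and the identical hunk for lib/gssapi/wrap.c needs the same change.

```c
    krb5_keyblock *skey = NULL;
    krb5_error_code kret;

    HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
    if (context_handle->more_flags & LOCAL)
        kret = krb5_auth_con_getremotesubkey(gssapi_krb5_context,
                                             context_handle->auth_context,
                                             &skey);
    else
        kret = krb5_auth_con_getlocalsubkey(gssapi_krb5_context,
                                            context_handle->auth_context,
                                            &skey);
    if (kret) {
        HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
        return kret;
    }
    /* … unchanged: fallback to the initiator subkey and then the ticket
     * session key when ACCEPTOR_SUBKEY is not set, each call assigned to
     * kret and checked the same way … */
```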
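Review bot: The `/* XXX */` carried onto `return GSS_KRB5_S_KG_NO_SUBKEY;` in the second hunk does not say what is still doubtful, while the line changes the value from a GSS major status to a krb5-style minor code that the callers touched by this commit store into `*minor_status`. Replace the marker with a comment that states the contract, e.g. `/* minor status: no subkey or session key on the auth context */`, or drop it if nothing remains to resolve. The same line appears in the duplicate hunk for lib/gssapi/wrap.c.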
@@ -109,7 +116,7 @@ gss_wrap_size_limit ( OM_uint32 ret; krb5_keytype keytype; - ret = gss_krb5_get_localkey(context_handle, &key); + ret = gss_krb5_get_subkey(context_handle, &key); if (ret) { gssapi_krb5_set_error_string (); *minor_status = ret; @@ -448,7 +455,7 @@ OM_uint32 gss_wrap OM_uint32 ret; krb5_keytype keytype; - ret = gss_krb5_get_localkey(context_handle, &key); + ret = gss_krb5_get_subkey(context_handle, &key); if (ret) { gssapi_krb5_set_error_string (); *minor_status = ret; diff --git a/lib/gssapi/unwrap.c b/lib/gssapi/unwrap.c index f3a1b989f..cf82141e9 100644 --- a/lib/gssapi/unwrap.c +++ b/lib/gssapi/unwrap.c @@ -35,44 +35,6 @@ RCSID("$Id$"); -OM_uint32 -gss_krb5_get_remotekey(const gss_ctx_id_t context_handle, - krb5_keyblock **key) -{ - krb5_keyblock *skey; - - HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - if (context_handle->more_flags & ACCEPTOR_SUBKEY) { - if (context_handle->more_flags & LOCAL) - krb5_auth_con_getremotesubkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - else - krb5_auth_con_getlocalsubkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - } else { - krb5_auth_con_getremotesubkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - if(skey == NULL) - krb5_auth_con_getlocalsubkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - if(skey == NULL) - krb5_auth_con_getkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - if(skey == NULL) { - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - return GSS_KRB5_S_KG_NO_SUBKEY; /* XXX */ - } - } - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - *key = skey; - return 0; -} - static OM_uint32 unwrap_des (OM_uint32 * minor_status, @@ -413,7 +375,7 @@ OM_uint32 gss_unwrap if (qop_state != NULL) *qop_state = GSS_C_QOP_DEFAULT; - ret = gss_krb5_get_remotekey(context_handle, &key); + ret = gss_krb5_get_subkey(context_handle, &key); if (ret) { gssapi_krb5_set_error_string (); *minor_status = ret; 
diff --git a/lib/gssapi/verify_mic.c b/lib/gssapi/verify_mic.c
index 3afc2e0bc..850604aaf 100644
--- a/lib/gssapi/verify_mic.c
+++ b/lib/gssapi/verify_mic.c
@@ -278,7 +278,7 @@ gss_verify_mic_internal
 OM_uint32 ret;
 krb5_keytype keytype;
 
- ret = gss_krb5_get_remotekey(context_handle, &key);
+ ret = gss_krb5_get_subkey(context_handle, &key);
 if (ret) {
 gssapi_krb5_set_error_string ();
 *minor_status = ret;
diff --git a/lib/gssapi/wrap.c b/lib/gssapi/wrap.c
index 01a9f3e88..bf46171d0 100644
--- a/lib/gssapi/wrap.c
+++ b/lib/gssapi/wrap.c
@@ -36,29 +36,36 @@ RCSID("$Id$");
 
 
 OM_uint32
-gss_krb5_get_localkey(const gss_ctx_id_t context_handle,
- krb5_keyblock **key)
+gss_krb5_get_subkey(const gss_ctx_id_t context_handle,
+ krb5_keyblock **key)
 {
- krb5_keyblock *skey;
+ krb5_keyblock *skey = NULL;
 
 HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
- if (context_handle->more_flags & ACCEPTOR_SUBKEY) {
- if (context_handle->more_flags & LOCAL)
- krb5_auth_con_getremotesubkey(gssapi_krb5_context,
- context_handle->auth_context,
- &skey);
- else
- krb5_auth_con_getlocalsubkey(gssapi_krb5_context,
- context_handle->auth_context,
- &skey);
+ if (context_handle->more_flags & LOCAL) {
+ krb5_auth_con_getremotesubkey(gssapi_krb5_context,
+ context_handle->auth_context,
+ &skey);
 } else {
 krb5_auth_con_getlocalsubkey(gssapi_krb5_context,
 context_handle->auth_context,
 &skey);
- if(skey == NULL)
+ }
+ /*
+ * Only use the initiator subkey or ticket session key if
+ * an acceptor subkey was not required.
+ */
+ if (skey == NULL &&
+ (context_handle->more_flags & ACCEPTOR_SUBKEY) == 0) {
+ if (context_handle->more_flags & LOCAL) {
+ krb5_auth_con_getlocalsubkey(gssapi_krb5_context,
+ context_handle->auth_context,
+ &skey);
+ } else {
 krb5_auth_con_getremotesubkey(gssapi_krb5_context,
- context_handle->auth_context,
+ context_handle->auth_context,
 &skey);
+ }
 if(skey == NULL)
 krb5_auth_con_getkey(gssapi_krb5_context,
 context_handle->auth_context,
@@ -66,7 +73,7 @@ gss_krb5_get_localkey(const gss_ctx_id_t context_handle,
 }
 HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
 if(skey == NULL)
- return GSS_S_FAILURE;
+ return GSS_KRB5_S_KG_NO_SUBKEY; /* XXX */
 *key = skey;
 return 0;
 }
@@ -109,7 +116,7 @@ gss_wrap_size_limit (
 OM_uint32 ret;
 krb5_keytype keytype;
 
- ret = gss_krb5_get_localkey(context_handle, &key);
+ ret = gss_krb5_get_subkey(context_handle, &key);
 if (ret) {
 gssapi_krb5_set_error_string ();
 *minor_status = ret;
@@ -448,7 +455,7 @@ OM_uint32 gss_wrap
 OM_uint32 ret;
 krb5_keytype keytype;
 
- ret = gss_krb5_get_localkey(context_handle, &key);
+ ret = gss_krb5_get_subkey(context_handle, &key);
 if (ret) {
 gssapi_krb5_set_error_string ();
 *minor_status = ret;