diff --git a/kdc/gss_preauth.c b/kdc/gss_preauth.c
index 8335d137b..bc066b353 100644
--- a/kdc/gss_preauth.c
+++ b/kdc/gss_preauth.c
@@ -191,7 +191,6 @@ _kdc_gss_rd_padata(astgs_request_t r,
 {
     krb5_error_code ret;
     size_t size;
-    KDC_REQ_BODY kdc_req_body;
 
     OM_uint32 minor;
     gss_client_params *gcp = NULL;
@@ -232,11 +231,8 @@ _kdc_gss_rd_padata(astgs_request_t r,
 
     _krb5_gss_data_to_buffer(&pa->padata_value, &input_token);
 
-    kdc_req_body = r->req.req_body;
-    kdc_req_body.nonce = 0;
-
     ASN1_MALLOC_ENCODE(KDC_REQ_BODY, cb.application_data.value,
-                       cb.application_data.length, &kdc_req_body,
+                       cb.application_data.length, &r->req.req_body,
                        &size, ret);
     heim_assert(ret || size == cb.application_data.length,
                 "internal asn1 encoder error");
diff --git a/lib/krb5/init_creds_pw.c b/lib/krb5/init_creds_pw.c
index d67104a3f..515bbbd21 100644
--- a/lib/krb5/init_creds_pw.c
+++ b/lib/krb5/init_creds_pw.c
@@ -1211,7 +1211,6 @@ gss_pa_step(krb5_context context,
     krb5_data req_body;
     PA_DATA *pa;
     krb5_data *input_token;
-    KDC_REQ_BODY kdc_req_body;
 
     krb5_data_zero(&req_body);
     krb5_data_zero(output_token);
@@ -1239,16 +1238,8 @@ gss_pa_step(krb5_context context,
 	goto out;
     }
 
-    /*
-     * Zero the nonce before encoding, as the nonce may change between
-     * AS-REQs and we don't know which step the GSS mechanism will
-     * honor the channel binding data.
-     */
-    kdc_req_body = ctx->as_req.req_body;
-    kdc_req_body.nonce = 0;
-
     ASN1_MALLOC_ENCODE(KDC_REQ_BODY, req_body.data, req_body.length,
-		       &kdc_req_body, &len, ret);
+		       &ctx->as_req.req_body, &len, ret);
     if (ret)
 	goto out;
     heim_assert(req_body.length == len, "ASN.1 internal error");