diff --git a/lib/gssapi/ntlm/crypto.c b/lib/gssapi/ntlm/crypto.c
index 20f7377b7..a8c670c50 100644
--- a/lib/gssapi/ntlm/crypto.c
+++ b/lib/gssapi/ntlm/crypto.c
@@ -122,24 +122,30 @@ _gss_ntlm_set_key(struct ntlmv2_key *key, int acceptor, int sealsign, void _gss_ntlm_set_keys(ntlm_ctx ctx) { + int acceptor; + if (ctx->sessionkey.length == 0) return; + acceptor = !(ctx->status & STATUS_CLIENT); + ctx->status |= STATUS_SESSIONKEY; if (ctx->flags & NTLM_NEG_NTLM2_SESSION) { - _gss_ntlm_set_key(&ctx->u.v2.send, 1, + _gss_ntlm_set_key(&ctx->u.v2.send, acceptor, (ctx->flags & NTLM_NEG_KEYEX), ctx->sessionkey.data, ctx->sessionkey.length); - _gss_ntlm_set_key(&ctx->u.v2.recv, 0, + _gss_ntlm_set_key(&ctx->u.v2.recv, !acceptor, (ctx->flags & NTLM_NEG_KEYEX), ctx->sessionkey.data, ctx->sessionkey.length); } else { + ctx->u.v1.crypto_send.seq = 0; RC4_set_key(&ctx->u.v1.crypto_send.key, ctx->sessionkey.length, ctx->sessionkey.data); + ctx->u.v1.crypto_recv.seq = 0; RC4_set_key(&ctx->u.v1.crypto_recv.key, ctx->sessionkey.length, ctx->sessionkey.data);
diff --git a/lib/gssapi/ntlm/init_sec_context.c b/lib/gssapi/ntlm/init_sec_context.c
index 5135f7bbf..954057e2a 100644
--- a/lib/gssapi/ntlm/init_sec_context.c
+++ b/lib/gssapi/ntlm/init_sec_context.c
@@ -286,6 +286,7 @@ _gss_ntlm_init_sec_context
 *minor_status = EINVAL;
 return GSS_S_FAILURE;
 }
+ ctx->status = STATUS_CLIENT;
 *context_handle = (gss_ctx_id_t)ctx;
 if (initiator_cred_handle != GSS_C_NO_CREDENTIAL) {
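Review bot: In the `else` (NTLMv1) branch of `_gss_ntlm_set_keys` in crypto.c, calling `RC4_set_key` again with the unchanged `ctx->sessionkey` and zeroing `crypto_send.seq` and `crypto_recv.seq` restarts the same RC4 keystream, so data sealed before and after a reset shares keystream bytes. The set_sec_context_option.c part of this commit shows the function is reachable through `GSS_C_NTLM_RESET_CRYPTO`, so the constraint deserves a comment above the function, e.g. `/* Re-keys from the same session key and restarts sequence numbers; reset only at points the protocol defines, since the keystream repeats. */`. Whether `_gss_ntlm_set_key` likewise zeroes the v2 sequence counters is not visible here and is worth confirming so both branches reset consistently. The function's end lies outside the hunk.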
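Review bot: The added `ctx->status = STATUS_CLIENT;` in init_sec_context.c carries no comment, yet as far as this diff shows it is the only input `_gss_ntlm_set_keys` uses to decide key direction. A context that reaches key setup without the bit is treated as an acceptor and would derive swapped send/recv keys, so a one-line comment such as `/* initiator: _gss_ntlm_set_keys() derives send/recv key direction from this bit */` would protect it from a later refactor. The plain `=` also replaces any bits already in `status`; that looks fine for a freshly created context, but the allocation is outside the hunk.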
@@ -485,24 +486,8 @@ _gss_ntlm_init_sec_context
 }
 }
- if (ctx->flags & NTLM_NEG_NTLM2_SESSION) {
- ctx->status |= STATUS_SESSIONKEY;
- _gss_ntlm_set_key(&ctx->u.v2.send, 0, (ctx->flags & NTLM_NEG_KEYEX),
- ctx->sessionkey.data,
- ctx->sessionkey.length);
- _gss_ntlm_set_key(&ctx->u.v2.recv, 1, (ctx->flags & NTLM_NEG_KEYEX),
- ctx->sessionkey.data,
- ctx->sessionkey.length);
- } else {
- ctx->status |= STATUS_SESSIONKEY;
- RC4_set_key(&ctx->u.v1.crypto_recv.key,
- ctx->sessionkey.length,
- ctx->sessionkey.data);
- RC4_set_key(&ctx->u.v1.crypto_send.key,
- ctx->sessionkey.length,
- ctx->sessionkey.data);
- }
+ _gss_ntlm_set_keys(ctx);
 ret = heim_ntlm_encode_type3(&type3, &data, NULL);
diff --git a/lib/gssapi/ntlm/set_sec_context_option.c b/lib/gssapi/ntlm/set_sec_context_option.c
index 372ad9ffa..199e72247 100644
--- a/lib/gssapi/ntlm/set_sec_context_option.c
+++ b/lib/gssapi/ntlm/set_sec_context_option.c
@@ -53,7 +53,6 @@ _gss_ntlm_set_sec_context_option(OM_uint32 *minor_status,
 return GSS_S_NO_CONTEXT;
 if (gss_oid_equal(object, GSS_C_NTLM_RESET_CRYPTO)) {
- /* OM_uint32 verify = *((OM_uint32 *)value->value); */
 _gss_ntlm_set_keys(ctx);
 return GSS_S_COMPLETE;
 } else
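Review bot: The replacement call `_gss_ntlm_set_keys(ctx);` in init_sec_context.c can silently do nothing, because per the crypto.c part of this commit the helper returns early when `ctx->sessionkey.length == 0` and, being `void`, cannot report it. The removed block set `STATUS_SESSIONKEY` unconditionally, so a context without a session key now completes with the flag clear; that is probably the safer outcome, but it is a behaviour change the call site does not document. A comment such as `/* no-op without a session key: STATUS_SESSIONKEY stays clear and per-message calls must refuse */` would record it, and the wrap/MIC paths, not visible here, should be confirmed to check the flag. The enclosing function begins and ends outside the hunk.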