diff --git a/lib/gssapi/ntlm/accept_sec_context.c b/lib/gssapi/ntlm/accept_sec_context.c
index 881f7f1b0..606b2a0b0 100644
--- a/lib/gssapi/ntlm/accept_sec_context.c
+++ b/lib/gssapi/ntlm/accept_sec_context.c
@@ -111,6 +111,14 @@ _gss_ntlm_accept_sec_context
 	    return major_status;
 	*context_handle = (gss_ctx_id_t)ctx;
 	
+	/* check if the mechs is allowed by remote service */
+	major_status = (*ctx->server->nsi_probe)(minor_status, ctx->ictx, NULL);
+	if (major_status) {
+	    heim_ntlm_free_type1(&type1);
+	    _gss_ntlm_delete_sec_context(minor_status, context_handle, NULL);
+	    return major_status;
+	}
+
 	data.data = input_token_buffer->value;
 	data.length = input_token_buffer->length;
 	
@@ -128,14 +136,6 @@ _gss_ntlm_accept_sec_context
 	    return GSS_S_FAILURE;
 	}
 
-	major_status = (*ctx->server->nsi_probe)(minor_status, ctx->ictx, NULL);
-	if (major_status) {
-	    heim_ntlm_free_type1(&type1);
-	    _gss_ntlm_delete_sec_context(minor_status, context_handle, NULL);
-	    return major_status;
-	}
-
-
 	if (type1.flags & NTLM_NEG_SIGN)
 	    ctx->gssflags |= GSS_C_CONF_FLAG;
 	if (type1.flags & NTLM_NEG_SIGN)