diff --git a/lib/krb5/init_creds_pw.c b/lib/krb5/init_creds_pw.c
index 7b6a1fc55..86c630f41 100644
--- a/lib/krb5/init_creds_pw.c
+++ b/lib/krb5/init_creds_pw.c
@@ -1209,13 +1209,12 @@ init_cred_loop(krb5_context context,
     /* Set a new nonce. */
     krb5_generate_random_block (&ctx->nonce, sizeof(ctx->nonce));
     ctx->nonce &= 0xffffffff;
-    ctx->as_req.req_body.nonce = ctx->nonce;
-#if 0
-    krb5_generate_random_block (&ctx->pk_nonce, sizeof(ctx->pk_nonce));
-    ctx->pk_nonce &= 0xffffffff;
-#else
-    ctx->pk_nonce = ctx->nonce;
+#ifdef PKINIT
+    /* XXX check if it isn't the that nonce is an unsigned
+     * variable so its just a asn1 mismatch */
+    ctx->nonce &= 0x7fffffff;
 #endif
+    ctx->pk_nonce = ctx->nonce;
 
 #define MAX_PA_COUNTER 3