diff --git a/lib/gssapi/krb5/accept_sec_context.c b/lib/gssapi/krb5/accept_sec_context.c
index 626afa938..9459a3209 100644
--- a/lib/gssapi/krb5/accept_sec_context.c
+++ b/lib/gssapi/krb5/accept_sec_context.c
@@ -74,12 +74,9 @@ _gsskrb5_register_acceptor_identity (const char *identity)
 }
 
 void
-_gsskrb5i_is_cfx(gsskrb5_ctx ctx, int *is_cfx)
+_gsskrb5i_is_cfx(gsskrb5_ctx ctx, int acceptor)
 {
     krb5_keyblock *key;
-    int acceptor = (ctx->more_flags & LOCAL) == 0;
-
-    *is_cfx = 0;
 
     if (acceptor) {
 	if (ctx->auth_context->local_subkey)
@@ -108,7 +105,8 @@ _gsskrb5i_is_cfx(gsskrb5_ctx ctx, int *is_cfx)
     case ETYPE_ARCFOUR_HMAC_MD5_56:
 	break;
     default :
-	*is_cfx = 1;
+        ctx->more_flags |= IS_CFX;
+
 	if ((acceptor && ctx->auth_context->local_subkey) ||
 	    (!acceptor && ctx->auth_context->remote_subkey))
 	    ctx->more_flags |= ACCEPTOR_SUBKEY;
@@ -210,7 +208,8 @@ gsskrb5_acceptor_ready(OM_uint32 * minor_status,
 				  ctx->auth_context,
 				  &seq_number);
 
-    _gsskrb5i_is_cfx(ctx, &is_cfx);
+    _gsskrb5i_is_cfx(ctx, 1);
+    is_cfx = (ctx->more_flags & IS_CFX);
 
     ret = _gssapi_msg_order_create(minor_status,
 				   &ctx->order,
@@ -526,7 +525,8 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
 	krb5_data outbuf;
 	int use_subkey = 0;
 	
-	_gsskrb5i_is_cfx(ctx, &is_cfx);
+	_gsskrb5i_is_cfx(ctx, 1);
+	is_cfx = (ctx->more_flags & IS_CFX);
 	
 	if (is_cfx || (ap_options & AP_OPTS_USE_SUBKEY)) {
 	    use_subkey = 1;
diff --git a/lib/gssapi/krb5/gsskrb5_locl.h b/lib/gssapi/krb5/gsskrb5_locl.h
index 6db842395..a9ce231bd 100644
--- a/lib/gssapi/krb5/gsskrb5_locl.h
+++ b/lib/gssapi/krb5/gsskrb5_locl.h
@@ -64,7 +64,8 @@ typedef struct {
          COMPAT_OLD_DES3_SELECTED = 8,
 	 ACCEPTOR_SUBKEY = 16,
 	 RETRIED = 32,
-	 CLOSE_CCACHE = 64
+	 CLOSE_CCACHE = 64,
+	 IS_CFX = 128
   } more_flags;
   enum gss_ctx_id_t_state {
       /* initiator states */
diff --git a/lib/gssapi/krb5/init_sec_context.c b/lib/gssapi/krb5/init_sec_context.c
index dfa0e935e..d71582c3a 100644
--- a/lib/gssapi/krb5/init_sec_context.c
+++ b/lib/gssapi/krb5/init_sec_context.c
@@ -257,7 +257,8 @@ gsskrb5_initiator_ready(
 
     krb5_auth_getremoteseqnumber (context, ctx->auth_context, &seq_number);
 
-    _gsskrb5i_is_cfx(ctx, &is_cfx);
+    _gsskrb5i_is_cfx(ctx, 0);
+    is_cfx = (ctx->more_flags & IS_CFX);
 
     ret = _gssapi_msg_order_create(minor_status,
 				   &ctx->order,
@@ -759,7 +760,8 @@ repl_mutual
     krb5_free_ap_rep_enc_part (context,
 			       repl);
 
-    _gsskrb5i_is_cfx(ctx, &is_cfx);
+    _gsskrb5i_is_cfx(ctx, 0);
+    is_cfx = (ctx->more_flags & IS_CFX);
     if (is_cfx) {
 	krb5_keyblock *key = NULL;
 
diff --git a/lib/gssapi/krb5/inquire_sec_context_by_oid.c b/lib/gssapi/krb5/inquire_sec_context_by_oid.c
index 8d4070629..395eda393 100644
--- a/lib/gssapi/krb5/inquire_sec_context_by_oid.c
+++ b/lib/gssapi/krb5/inquire_sec_context_by_oid.c
@@ -242,7 +242,7 @@ static OM_uint32 inquire_sec_context_has_updated_spnego
      * mechanism.
      */
     HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
-    _gsskrb5i_is_cfx(context_handle, &is_updated);
+    is_updated = (context_handle->more_flags & IS_CFX);
     if (is_updated == 0) {
 	krb5_keyblock *acceptor_subkey;
 
@@ -282,7 +282,7 @@ export_lucid_sec_context_v1(OM_uint32 *minor_status,
 
     HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
 
-    _gsskrb5i_is_cfx(context_handle, &is_cfx);
+    is_cfx = (context_handle->more_flags & IS_CFX);
 
     sp = krb5_storage_emem();
     if (sp == NULL) {