diff --git a/lib/gssapi/krb5/init_sec_context.c b/lib/gssapi/krb5/init_sec_context.c
index 53855ca04..84a839aa3 100644
--- a/lib/gssapi/krb5/init_sec_context.c
+++ b/lib/gssapi/krb5/init_sec_context.c
@@ -422,11 +422,6 @@ init_auth
 	goto failure;
     }
 
-    ret = _gss_DES3_get_mic_compat(minor_status, ctx, context);
-    if (ret)
-	goto failure;
-
-
     /*
      * This is hideous glue for (NFS) clients that wants to limit the
      * available enctypes to what it can support (encryption in
@@ -469,6 +464,10 @@ init_auth
 
     ctx->lifetime = ctx->kcred->times.endtime;
 
+    ret = _gss_DES3_get_mic_compat(minor_status, ctx, context);
+    if (ret)
+	goto failure;
+
     ret = _gsskrb5_lifetime_left(minor_status,
 				 context,
 				 ctx->lifetime,