Is the application passing in non-null deleg_cred_handle but null ret_flags? I would suspect that the right thing to do is to actually have accept_sec_context() fill in the cred handle but skip storing the flags. For these reasons I think the first patch is probably right.