You should call krb5_mk_rep after krb5_rd_req on the server side. Send the result to the client, which calls krb5_rd_rep to read the result and verify it. You do want to pass the mutual flag into krb5_mk_req on the client.
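A model of what the three calls check, as an added example that is not part of the original answer and is not MIT krb5 code. The Python function names only mirror the krb5 calls, the key and timestamps are constructed, and an HMAC-SHA256 tag stands in for encryption under the session key.

```python
import hashlib
import hmac
import struct
import time

def seal(key, usage, body):
    # Stand-in for encryption under the session key (assumption: HMAC tag only).
    return body + hmac.new(key, usage + body, hashlib.sha256).digest()

def unseal(key, usage, blob):
    body, tag = blob[:-32], blob[-32:]
    good = hmac.new(key, usage + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("sender does not hold the session key")
    return body

def client_mk_req(key, mutual, now=None):
    # Models krb5_mk_req: authenticator carries ctime/cusec; the client keeps them.
    now = time.time() if now is None else now
    sent = (int(now), int((now % 1) * 1_000_000))
    return (mutual, seal(key, b"ap-req", struct.pack(">QI", *sent))), sent

def server_rd_req_mk_rep(key, ap_req):
    # Models krb5_rd_req followed by krb5_mk_rep on the server.
    mutual, authenticator = ap_req
    ctime_cusec = unseal(key, b"ap-req", authenticator)  # raises if forged
    if not mutual:
        return None  # client did not request mutual authentication
    return seal(key, b"ap-rep", ctime_cusec)  # echo under the session key

def client_rd_rep(key, sent, ap_rep):
    # Models krb5_rd_rep: the server is authenticated only if this is True.
    if ap_rep is None:
        return False
    try:
        echoed = struct.unpack(">QI", unseal(key, b"ap-rep", ap_rep))
    except (ValueError, struct.error):
        return False
    return echoed == sent

if __name__ == "__main__":
    key = b"K" * 32  # constructed session key shared via the ticket
    req, sent = client_mk_req(key, mutual=True)
    print("server verified:", client_rd_rep(key, sent, server_rd_req_mk_rep(key, req)))
```

A reply built without the session key, or one that echoes a different timestamp, makes `client_rd_rep` return False, which is why the client has to read the reply rather than just receive it.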