diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 1f72638..f216ff0 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -427,6 +427,13 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
    }
 #endif
 
+   if (authdat->checksum == NULL) {
+      /* missing checksum counts as "inappropriate type" */
+      code = KRB5KRB_AP_ERR_INAPP_CKSUM;
+      major_status = GSS_S_FAILURE;
+      goto fail;
+   }
+
    {
        /* gss krb5 v1 */