We are seeing an issue with the NetApp ONTAP 9.3 server's Session Setup Response when using Kerberos authentication: in the AP-REP response token, it is sending a duplicate SPNEGO response token in the mechListMIC field instead of sending the MIC signature. Please refer to the left-side pane of the attached image for the buggy packet vs. the right side for the correct one.
As a result, clients trying to parse and do MIC-verification will fail it as a defective token.
A similar issue was also seen with Windows 2000 Server.
The Heimdal GSSAPI has provided a way to work around this (and skip MIC verification) by safely omitting this buggy SPNEGO token, but the server has to send an OID flag "BUGGY SPNEGO" for clients to safely omit this MIC verification.
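A way to spot the condition described above in a captured negTokenResp, as an added example that is not part of the original post and is not Heimdal or NetApp code. It assumes "duplicate" means the mechListMIC bytes are identical to the responseToken, and that a valid Kerberos MIC is an RFC 4121 token (TOK_ID `04 04`); the function names and sample bytes are constructed for illustration.

```python
KRB5_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2

def der(tag, value):
    """Encode one DER TLV (only used to build the constructed samples)."""
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def read_tlv(buf, pos=0):
    """Decode the DER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        size = length & 0x7F
        if size == 0 or size > 4 or pos + size > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def neg_token_resp_fields(token):
    """Map context tag number -> inner value for [1] NegTokenResp."""
    tag, body, _ = read_tlv(token)
    if tag != 0xA1:
        raise ValueError("not a negTokenResp")
    tag, seq, _ = read_tlv(body)
    if tag != 0x30:
        raise ValueError("negTokenResp does not wrap a SEQUENCE")
    fields, pos = {}, 0
    while pos < len(seq):
        ctx, wrapped, pos = read_tlv(seq, pos)
        fields[ctx & 0x1F] = read_tlv(wrapped)[1]
    return fields

def classify_mech_list_mic(token):
    f = neg_token_resp_fields(token)
    mic = f.get(3)                          # [3] mechListMIC
    if mic is None:
        return "absent"
    if mic == f.get(2):                     # [2] responseToken copied into the MIC
        return "duplicate-of-responseToken"
    return "krb5-mic" if mic[:2] == b"\x04\x04" else "unknown"

def build_sample(response, mic=None):       # constructed test input
    seq = der(0xA0, der(0x0A, b"\x00")) + der(0xA1, der(0x06, KRB5_OID))
    seq += der(0xA2, der(0x04, response))
    seq += der(0xA3, der(0x04, mic)) if mic is not None else b""
    return der(0xA1, der(0x30, seq))
```

A MIC in the older RFC 1964 framing is reported as "unknown" by this check, so treat that result as "inspect further" rather than as defective.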