SSPI client requires fewer iterations than GSSAPI server


I'm using nsspi to call SSPI APIs from a C# application for the client side. I'm using Cyrus SASL with a MIT Kerberos GSSAPI implementation on the server side.

The two protocols seem to talk to each other but the server seems to require more challenges to the client than the client is willing to perform.

Here's a client debug log:

- Creating client context
- CONTINUE_NEEDED after calling InitializeSecurityContext, sending clientToken to the server
- received new server challenge
- OK after calling InitializeSecurityContext, out clientToken is null.
- no data to send to the server, sending NULL data
- received new server challenge
- NSspi.SSPIException: Failed to invoke InitializeSecurityContext for a client. Error Code = '0x80090301' - "The handle provided to the API was invalid.".

Here's a server debug log:

- received client packet
- SASL start with GSSAPI
- GSSAPI server step 1
- received CONTINUE
- sending challenge to client
- received client packet with NULL data
- GSSAPI server step 2
- sending challenge to client
- client ended unexpectedly

The code is rather lengthy so I cannot paste it here entirely. The issue seems to be in the number of authentication rounds involved: the client is satisfied after just one round, the server seems to require more rounds but the client has no data to pass to it.

I'm using the same flags as the nsspi client demo for context creation.

Does anyone have an idea why this could be happening?

security
kerberos
windows-authentication
gssapi
sspi
asked on Stack Overflow Sep 25, 2018 by Dean
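
An added example, not part of the original question and not code from nsspi or Cyrus SASL: RFC 4752 (the SASL GSSAPI mechanism) defines one more exchange after the GSS context is established, in which the client unwraps a 4-octet security-layer offer from the server and returns a wrapped choice instead of calling the context-initialisation function again. The class name and the `init_ctx`, `unwrap` and `wrap` callables are hypothetical stand-ins for the GSS/SSPI calls, and all tokens used with it are constructed.

```python
# Security-layer bits defined by RFC 4752 (SASL GSSAPI mechanism)
LAYER_NONE, LAYER_INTEGRITY, LAYER_CONFIDENTIALITY = 1, 2, 4


def parse_server_offer(plaintext: bytes):
    """Decode the unwrapped final server challenge: 1 octet bitmask + 3 octets max size."""
    if len(plaintext) != 4:
        raise ValueError("security-layer offer must be exactly 4 octets")
    return plaintext[0], int.from_bytes(plaintext[1:4], "big")


def build_client_reply(offered: int, chosen: int, max_recv: int, authzid: str = "") -> bytes:
    """Build the plaintext the client wraps and sends as its last response."""
    if chosen not in (LAYER_NONE, LAYER_INTEGRITY, LAYER_CONFIDENTIALITY):
        raise ValueError("choose exactly one security layer")
    if not offered & chosen:
        raise ValueError("server did not offer the chosen security layer")
    if chosen == LAYER_NONE:
        max_recv = 0  # no layer in use, so the size field is sent as zero
    if not 0 <= max_recv < 1 << 24:
        raise ValueError("max receive size must fit in 3 octets")
    return bytes([chosen]) + max_recv.to_bytes(3, "big") + authzid.encode("utf-8")


class SaslGssapiClient:
    """Hypothetical client state machine; init_ctx/unwrap/wrap stand in for
    GSS_Init_sec_context/GSS_Unwrap/GSS_Wrap (or their SSPI counterparts)."""

    def __init__(self, init_ctx, unwrap, wrap, authzid=""):
        self.init_ctx, self.unwrap, self.wrap = init_ctx, unwrap, wrap
        self.authzid = authzid
        self.state = "context"  # "context" -> "layer" -> "done"

    def step(self, challenge: bytes) -> bytes:
        if self.state == "context":
            token, complete = self.init_ctx(challenge)
            if complete:
                self.state = "layer"
            return token or b""  # empty response if the context completed without a token
        if self.state == "layer":
            # The context is already complete: this challenge is a wrapped message,
            # so it is unwrapped rather than passed to init_ctx again.
            offered, _server_max = parse_server_offer(self.unwrap(challenge))
            reply = build_client_reply(offered, LAYER_NONE, 0, self.authzid)
            self.state = "done"
            return self.wrap(reply)  # wrapped without confidentiality per RFC 4752
        raise RuntimeError("exchange already finished")
```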

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0