Jeremy, with
9a5d5cc1db0ee60486f932e34cd7961b90c70a56 you alter the in negotiate flags (which are a pointer to the out negotiate flags assigned in the generated netlogon server code). So, while you wanted to just set the *out* negflags, you did in fact reset the *in* negflags, effectively eliminating the NETLOGON_NEG_STRONG_KEYS bit (formerly known as NETLOGON_NEG_128BIT) which then caused creds_server_init() to generate 64bit creds instead of 128bit, causing the whole chain to break. *Please* check.
Guenther