diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
index 4511b70..3adf2d9 100644
--- a/fs/cifs/cifssmb.c
+++ b/fs/cifs/cifssmb.c
@@ -648,7 +648,7 @@ CIFSSMBNegotiate(unsigned int xid, struct cifsSesInfo *ses)
 	if (pSMBr->EncryptionKeyLength == CIFS_CRYPTO_KEY_SIZE) {
 		memcpy(server->cryptKey, pSMBr->u.EncryptionKey,
 		       CIFS_CRYPTO_KEY_SIZE);
-	} else if ((pSMBr->hdr.Flags2 & SMBFLG2_EXT_SEC)
+	} else if ((server->capabilities & CAP_EXTENDED_SECURITY)
 			&& (pSMBr->EncryptionKeyLength == 0)) {
 		/* decode security blob */
 	} else if (server->secMode & SECMODE_PW_ENCRYPT) {
@@ -658,8 +658,7 @@ CIFSSMBNegotiate(unsigned int xid, struct cifsSesInfo *ses)
 
 	/* BB might be helpful to save off the domain of server here */
 
-	if ((pSMBr->hdr.Flags2 & SMBFLG2_EXT_SEC) &&
-		(server->capabilities & CAP_EXTENDED_SECURITY)) {
+	if (server->capabilities & CAP_EXTENDED_SECURITY) {
 		count = pSMBr->ByteCount;
 		if (count < 16) {
 			rc = -EIO;
@@ -692,8 +691,7 @@ CIFSSMBNegotiate(unsigned int xid, struct cifsSesInfo *ses)
 				rc = -EINVAL;
 			}
 		}
-	} else
-		server->capabilities &= ~CAP_EXTENDED_SECURITY;
+	}
 
 #ifdef CONFIG_CIFS_WEAK_PW_HASH
 signing_check: