diff --git a/.github/workflows/freebsd.yml b/.github/workflows/freebsd.yml
index d305855bb..c2b4f76bb 100644
--- a/.github/workflows/freebsd.yml
+++ b/.github/workflows/freebsd.yml
@@ -58,7 +58,8 @@ jobs:
             openh264 \
             alsa-lib \
             cairo \
-            ocl-icd
+            ocl-icd \
+            security/heimdal
 
         run: |
           export LD_LIBRARY_PATH=/usr/lib/clang/18/lib/freebsd
diff --git a/ci/cmake-preloads/config-freebsd.txt b/ci/cmake-preloads/config-freebsd.txt
index b16e81378..71d9f12ac 100644
--- a/ci/cmake-preloads/config-freebsd.txt
+++ b/ci/cmake-preloads/config-freebsd.txt
@@ -53,3 +53,4 @@ set(CHANNEL_RDPEAR_CLIENT ON CACHE BOOL "qa default")
 set(CHANNEL_GFXREDIR ON CACHE BOOL "qa default")
 set(CHANNEL_RDP2TCP ON CACHE BOOL "qa default")
 set(CHANNEL_SSHAGENT ON CACHE BOOL "qa default")
+set(KRB5_ROOT_FLAVOUR "Heimdal" CACHE STRING "qa default")
diff --git a/cmake/FindKRB5.cmake b/cmake/FindKRB5.cmake
index c7da561b5..72f2ddb64 100644
--- a/cmake/FindKRB5.cmake
+++ b/cmake/FindKRB5.cmake
@@ -19,6 +19,12 @@ include(CheckIncludeFile)
 include(CheckIncludeFiles)
 include(CheckTypeSize)
 
+set(KRB5_ROOT_CONFIG "${KRB5_ROOT_CONFIG}" CACHE STRING
+                                                 "Force kerberos implementation by setting full path to krb5-config"
+)
+set(KRB5_ROOT_FLAVOUR "${KRB5_ROOT_FLAVOUR}"
+    CACHE STRING "Force kerberos implementation by setting [mit|Heimdal]. Empty for default"
+)
 set(_KRB5_REQUIRED_VARS KRB5_FOUND KRB5_VERSION KRB5_FLAVOUR KRB5_INCLUDE_DIRS KRB5_LIBRARIES)
 
 macro(PROVIDES_KRB5)
diff --git a/libfreerdp/common/settings.c b/libfreerdp/common/settings.c
index 74dbf3e9d..70806fdac 100644
--- a/libfreerdp/common/settings.c
+++ b/libfreerdp/common/settings.c
@@ -897,7 +897,7 @@ BOOL freerdp_capability_buffer_resize(rdpSettings* settings, size_t count, BOOL
 		return TRUE;
 	}
 
-	const size_t oldsize = force ? 0 : settings->ReceivedCapabilitiesSize;
+	const size_t oldsize = settings->ReceivedCapabilitiesSize;
 	if (!resize_setting(settings, FreeRDP_ReceivedCapabilityDataSizes, oldsize, count,
 	                    sizeof(uint32_t)))
 		return FALSE;
diff --git a/libfreerdp/core/settings.c b/libfreerdp/core/settings.c
index ceae4f9e7..1928bc0bc 100644
--- a/libfreerdp/core/settings.c
+++ b/libfreerdp/core/settings.c
@@ -1289,6 +1289,14 @@ static void freerdp_settings_free_internal(rdpSettings* settings)
 	freerdp_settings_free_keys(settings, TRUE);
 }
 
+static void freerdp_settings_free_internal_ensure_reset(rdpSettings* settings)
+{
+	settings->ServerLicenseProductIssuersCount = 0;
+	settings->ServerLicenseProductIssuers = NULL;
+
+	settings->ReceivedCapabilitiesSize = 0;
+}
+
 void freerdp_settings_free(rdpSettings* settings)
 {
 	if (!settings)
@@ -1511,15 +1519,13 @@ BOOL freerdp_settings_copy(rdpSettings* _settings, const rdpSettings* settings)
 
 	/* This is required to free all non string buffers */
 	freerdp_settings_free_internal(_settings);
+
 	/* This copies everything except allocated non string buffers. reset all allocated buffers to
 	 * NULL to fix issues during cleanup */
 	rc = freerdp_settings_clone_keys(_settings, settings);
-
-	_settings->ServerLicenseProductIssuersCount = 0;
-	_settings->ServerLicenseProductIssuers = NULL;
-
 	if (!rc)
 		goto out_fail;
+	freerdp_settings_free_internal_ensure_reset(_settings);
 
 	/* Begin copying */
 	if (!freerdp_settings_int_buffer_copy(_settings, settings))
diff --git a/libfreerdp/core/update.c b/libfreerdp/core/update.c
index afbd69111..890c67678 100644
--- a/libfreerdp/core/update.c
+++ b/libfreerdp/core/update.c
@@ -273,7 +273,7 @@ static BOOL update_write_bitmap_update(rdpUpdate* update, wStream* s,
 	if (!Stream_EnsureRemainingCapacity(s, 32))
 		return FALSE;
 
-	Stream_Write_UINT16(s, UPDATE_TYPE_BITMAP);   /* updateType */
+	Stream_Write_UINT16(s, UPDATE_TYPE_BITMAP); /* updateType */
 	Stream_Write_UINT16(s, WINPR_ASSERTING_INT_CAST(
 	                           uint16_t, bitmapUpdate->number)); /* numberRectangles (2 bytes) */
 
@@ -1471,6 +1471,8 @@ static BOOL update_send_frame_acknowledge(rdpContext* context, UINT32 frameId)
 
 	WINPR_ASSERT(rdp);
 	WINPR_ASSERT(rdp->settings);
+	WINPR_ASSERT(rdp->settings->ReceivedCapabilities);
+	WINPR_ASSERT(rdp->settings->ReceivedCapabilitiesSize > CAPSET_TYPE_FRAME_ACKNOWLEDGE);
 	if (rdp->settings->ReceivedCapabilities[CAPSET_TYPE_FRAME_ACKNOWLEDGE])
 	{
 		UINT16 sec_flags = 0;
@@ -1554,6 +1556,8 @@ static BOOL update_send_play_sound(rdpContext* context, const PLAY_SOUND_UPDATE*
 	WINPR_ASSERT(rdp);
 	WINPR_ASSERT(rdp->settings);
 	WINPR_ASSERT(play_sound);
+	WINPR_ASSERT(rdp->settings->ReceivedCapabilities);
+	WINPR_ASSERT(rdp->settings->ReceivedCapabilitiesSize > CAPSET_TYPE_SOUND);
 	if (!rdp->settings->ReceivedCapabilities[CAPSET_TYPE_SOUND])
 	{
 		return TRUE;
@@ -2826,7 +2830,7 @@ static BOOL update_send_window_icon(rdpContext* context, const WINDOW_ORDER_INFO
 	    s, WINPR_ASSERTING_INT_CAST(uint16_t, iconInfo->cbBitsMask)); /* CbBitsMask (2 bytes) */
 	Stream_Write_UINT16(
 	    s, WINPR_ASSERTING_INT_CAST(uint16_t, iconInfo->cbBitsColor)); /* CbBitsColor (2 bytes) */
-	Stream_Write(s, iconInfo->bitsMask, iconInfo->cbBitsMask); /* BitsMask (variable) */
+	Stream_Write(s, iconInfo->bitsMask, iconInfo->cbBitsMask);         /* BitsMask (variable) */
 
 	if (iconInfo->bpp <= 8)
 	{
diff --git a/winpr/libwinpr/sspi/Kerberos/kerberos.c b/winpr/libwinpr/sspi/Kerberos/kerberos.c
index a2310f6cb..2d6f9ffd2 100644
--- a/winpr/libwinpr/sspi/Kerberos/kerberos.c
+++ b/winpr/libwinpr/sspi/Kerberos/kerberos.c
@@ -1335,6 +1335,16 @@ static BOOL retrieveSomeTgt(KRB_CREDENTIALS* credentials, const char* target, kr
 	if (rv)
 		return FALSE;
 
+#if defined(WITH_KRB5_HEIMDAL)
+	if (!target_princ->realm)
+	{
+		rv = krb_log_exec(krb5_get_default_realm, credentials->ctx, &default_realm);
+		if (rv)
+			goto out;
+
+		target_princ->realm = default_realm;
+	}
+#else
 	if (!target_princ->realm.length)
 	{
 		rv = krb_log_exec(krb5_get_default_realm, credentials->ctx, &default_realm);
@@ -1344,6 +1354,7 @@ static BOOL retrieveSomeTgt(KRB_CREDENTIALS* credentials, const char* target, kr
 		target_princ->realm.data = default_realm;
 		target_princ->realm.length = (unsigned int)strlen(default_realm);
 	}
+#endif
 
 	/*
 	 * First try with the account service. We were requested with something like
@@ -1356,6 +1367,7 @@ static BOOL retrieveSomeTgt(KRB_CREDENTIALS* credentials, const char* target, kr
 
 	ret = FALSE;
 
+#if defined(WITH_KRB5_MIT)
 	/*
 	 * if it's not working let's try with <host>$@<REALM> (note the dollar)
 	 */
@@ -1372,6 +1384,7 @@ static BOOL retrieveSomeTgt(KRB_CREDENTIALS* credentials, const char* target, kr
 		return FALSE;
 
 	ret = retrieveTgtForPrincipal(credentials, target_princ, creds);
+#endif
 
 out:
 	if (default_realm)