diff --git a/libfreerdp/core/nla.c b/libfreerdp/core/nla.c
index acf5b2380..41786fd0b 100644
--- a/libfreerdp/core/nla.c
+++ b/libfreerdp/core/nla.c
@@ -321,7 +321,7 @@ static int nla_client_init(rdpNla* nla)
 #endif
 	nla->cbMaxToken = nla->pPackageInfo->cbMaxToken;
 	nla->packageName = nla->pPackageInfo->Name;
-	WLog_DBG(TAG, "%s %"PRIu32" : packageName=%s ; cbMaxToken=%d", __FUNCTION__, __LINE__,
+	WLog_DBG(TAG, "%s %"PRIu32" : packageName=%ls ; cbMaxToken=%d", __FUNCTION__, __LINE__,
 	         nla->packageName, nla->cbMaxToken);
 	nla->status = nla->table->AcquireCredentialsHandle(NULL, NLA_PKG_NAME,
 	              SECPKG_CRED_OUTBOUND, NULL, nla->identity, NULL, NULL, &nla->credentials,
@@ -1026,9 +1026,9 @@ SECURITY_STATUS nla_encrypt_public_key_echo(rdpNla* nla)
 	SecBufferDesc Message;
 	SECURITY_STATUS status;
 	size_t public_key_length;
-	const BOOL krb = (strncmp(nla->packageName, KERBEROS_SSP_NAME, sizeof(KERBEROS_SSP_NAME)) == 0);
-	const BOOL nego = (strncmp(nla->packageName, NEGO_SSP_NAME, sizeof(NEGO_SSP_NAME)) == 0);
-	const BOOL ntlm = (strncmp(nla->packageName,  NTLM_SSP_NAME, sizeof(NTLM_SSP_NAME)) == 0);
+	const BOOL krb = (_tcsncmp(nla->packageName, KERBEROS_SSP_NAME, ARRAYSIZE(KERBEROS_SSP_NAME)) == 0);
+	const BOOL nego = (_tcsncmp(nla->packageName, NEGO_SSP_NAME, ARRAYSIZE(NEGO_SSP_NAME)) == 0);
+	const BOOL ntlm = (_tcsncmp(nla->packageName,  NTLM_SSP_NAME, ARRAYSIZE(NTLM_SSP_NAME)) == 0);
 	public_key_length = nla->PublicKey.cbBuffer;
 
 	if (!sspi_SecBufferAlloc(&nla->pubKeyAuth, public_key_length + nla->ContextSizes.cbSecurityTrailer))
@@ -1090,12 +1090,12 @@ SECURITY_STATUS nla_decrypt_public_key_echo(rdpNla* nla)
 	if (!nla)
 		goto fail;
 
-	krb = (strncmp(nla->packageName, KERBEROS_SSP_NAME, sizeof(KERBEROS_SSP_NAME)) == 0);
-	nego = (strncmp(nla->packageName, NEGO_SSP_NAME, sizeof(NEGO_SSP_NAME)) == 0);
-	ntlm = (strncmp(nla->packageName,  NTLM_SSP_NAME, sizeof(NTLM_SSP_NAME)) == 0);
+	krb = (_tcsncmp(nla->packageName, KERBEROS_SSP_NAME, ARRAYSIZE(KERBEROS_SSP_NAME)) == 0);
+	nego = (_tcsncmp(nla->packageName, NEGO_SSP_NAME, ARRAYSIZE(NEGO_SSP_NAME)) == 0);
+	ntlm = (_tcsncmp(nla->packageName,  NTLM_SSP_NAME, ARRAYSIZE(NTLM_SSP_NAME)) == 0);
 	signature_length = nla->pubKeyAuth.cbBuffer - nla->PublicKey.cbBuffer;
 
-	if (signature_length < 0 || signature_length > nla->ContextSizes.cbSecurityTrailer)
+	if ((signature_length < 0) || (signature_length > nla->ContextSizes.cbSecurityTrailer))
 	{
 		WLog_ERR(TAG, "unexpected pubKeyAuth buffer size: %"PRIu32"", nla->pubKeyAuth.cbBuffer);
 		goto fail;
@@ -1441,9 +1441,9 @@ static SECURITY_STATUS nla_encrypt_ts_credentials(rdpNla* nla)
 	SecBuffer Buffers[2] = { { 0 } };
 	SecBufferDesc Message;
 	SECURITY_STATUS status;
-	const BOOL krb = (strncmp(nla->packageName, KERBEROS_SSP_NAME, sizeof(KERBEROS_SSP_NAME)) == 0);
-	const BOOL nego = (strncmp(nla->packageName, NEGO_SSP_NAME, sizeof(NEGO_SSP_NAME)) == 0);
-	const BOOL ntlm = (strncmp(nla->packageName,  NTLM_SSP_NAME, sizeof(NTLM_SSP_NAME)) == 0);
+	const BOOL krb = (_tcsncmp(nla->packageName, KERBEROS_SSP_NAME, ARRAYSIZE(KERBEROS_SSP_NAME)) == 0);
+	const BOOL nego = (_tcsncmp(nla->packageName, NEGO_SSP_NAME, ARRAYSIZE(NEGO_SSP_NAME)) == 0);
+	const BOOL ntlm = (_tcsncmp(nla->packageName,  NTLM_SSP_NAME, ARRAYSIZE(NTLM_SSP_NAME)) == 0);
 
 	if (!nla_encode_ts_credentials(nla))
 		return SEC_E_INSUFFICIENT_MEMORY;
@@ -1497,9 +1497,9 @@ static SECURITY_STATUS nla_decrypt_ts_credentials(rdpNla* nla)
 	SecBuffer Buffers[2] = { { 0 } };
 	SecBufferDesc Message;
 	SECURITY_STATUS status;
-	const BOOL krb = (strncmp(nla->packageName, KERBEROS_SSP_NAME, sizeof(KERBEROS_SSP_NAME)) == 0);
-	const BOOL nego = (strncmp(nla->packageName, NEGO_SSP_NAME, sizeof(NEGO_SSP_NAME)) == 0);
-	const BOOL ntlm = (strncmp(nla->packageName,  NTLM_SSP_NAME, sizeof(NTLM_SSP_NAME)) == 0);
+	const BOOL krb = (_tcsncmp(nla->packageName, KERBEROS_SSP_NAME, ARRAYSIZE(KERBEROS_SSP_NAME)) == 0);
+	const BOOL nego = (_tcsncmp(nla->packageName, NEGO_SSP_NAME, ARRAYSIZE(NEGO_SSP_NAME)) == 0);
+	const BOOL ntlm = (_tcsncmp(nla->packageName,  NTLM_SSP_NAME, ARRAYSIZE(NTLM_SSP_NAME)) == 0);
 
 	if (nla->authInfo.cbBuffer < 1)
 	{
diff --git a/libfreerdp/core/nla.h b/libfreerdp/core/nla.h
index f01f51de1..60fc1366b 100644
--- a/libfreerdp/core/nla.h
+++ b/libfreerdp/core/nla.h
@@ -38,12 +38,12 @@ typedef struct rdp_nla rdpNla;
 
 enum _NLA_STATE
 {
-    NLA_STATE_INITIAL,
-    NLA_STATE_NEGO_TOKEN,
-    NLA_STATE_PUB_KEY_AUTH,
-    NLA_STATE_AUTH_INFO,
-    NLA_STATE_POST_NEGO,
-    NLA_STATE_FINAL
+	NLA_STATE_INITIAL,
+	NLA_STATE_NEGO_TOKEN,
+	NLA_STATE_PUB_KEY_AUTH,
+	NLA_STATE_AUTH_INFO,
+	NLA_STATE_POST_NEGO,
+	NLA_STATE_FINAL
 };
 typedef enum _NLA_STATE NLA_STATE;
 
@@ -60,7 +60,11 @@ struct rdp_nla
 	rdpSettings* settings;
 	rdpTransport* transport;
 	UINT32 cbMaxToken;
+#if defined(UNICODE)
+	SEC_WCHAR* packageName;
+#else
 	SEC_CHAR* packageName;
+#endif
 	UINT32 version;
 	UINT32 errorCode;
 	ULONG fContextReq;
diff --git a/winpr/include/winpr/sspi.h b/winpr/include/winpr/sspi.h
index f7695df87..7667f0b19 100644
--- a/winpr/include/winpr/sspi.h
+++ b/winpr/include/winpr/sspi.h
@@ -1135,8 +1135,8 @@ WINPR_API void sspi_SecBufferFree(PSecBuffer SecBuffer);
 WINPR_API int sspi_SetAuthIdentity(SEC_WINNT_AUTH_IDENTITY* identity, const char* user,
                                    const char* domain, const char* password);
 WINPR_API int sspi_SetAuthIdentityWithUnicodePassword(SEC_WINNT_AUTH_IDENTITY* identity,
-                                                      const char *user, const char *domain,
-                                                      LPWSTR password, ULONG passwordLength);
+        const char* user, const char* domain,
+        LPWSTR password, ULONG passwordLength);
 WINPR_API int sspi_CopyAuthIdentity(SEC_WINNT_AUTH_IDENTITY* identity,
                                     SEC_WINNT_AUTH_IDENTITY* srcIdentity);
 
diff --git a/winpr/include/winpr/tchar.h b/winpr/include/winpr/tchar.h
index f3525bc66..2129c71ce 100644
--- a/winpr/include/winpr/tchar.h
+++ b/winpr/include/winpr/tchar.h
@@ -47,6 +47,7 @@ typedef CHAR TCHAR;
 #define _tcsrchr	wcsrchr
 #define _tcsstr		wcsstr
 #define _stprintf_s	swprintf_s
+#define _tcsnccmp	wcsncmp
 #else
 #define _tprintf	printf
 #define _tcslen		strlen
@@ -59,6 +60,7 @@ typedef CHAR TCHAR;
 #define _tcsrchr	strrchr
 #define _tcsstr		strstr
 #define _stprintf_s	sprintf_s
+#define _tcsnccmp	strncmp
 #endif
 
 #endif
diff --git a/winpr/libwinpr/sspi/Kerberos/kerberos.c b/winpr/libwinpr/sspi/Kerberos/kerberos.c
index 93f19375f..f955590db 100644
--- a/winpr/libwinpr/sspi/Kerberos/kerberos.c
+++ b/winpr/libwinpr/sspi/Kerberos/kerberos.c
@@ -456,8 +456,8 @@ static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextA(PCredHandle
 	SSPI_CREDENTIALS* credentials;
 	PSecBuffer input_buffer = NULL;
 	PSecBuffer output_buffer = NULL;
-	sspi_gss_buffer_desc input_tok;
-	sspi_gss_buffer_desc output_tok;
+	sspi_gss_buffer_desc input_tok = { 0 };
+	sspi_gss_buffer_desc output_tok = { 0 };
 	sspi_gss_OID actual_mech;
 	sspi_gss_OID desired_mech;
 	UINT32 actual_services;
diff --git a/winpr/libwinpr/sspi/Negotiate/negotiate.c b/winpr/libwinpr/sspi/Negotiate/negotiate.c
index fa2111285..18e42c8b1 100644
--- a/winpr/libwinpr/sspi/Negotiate/negotiate.c
+++ b/winpr/libwinpr/sspi/Negotiate/negotiate.c
@@ -24,6 +24,7 @@
 
 #include <winpr/crt.h>
 #include <winpr/sspi.h>
+#include <winpr/tchar.h>
 
 #include "negotiate.h"
 
@@ -72,9 +73,9 @@ const SecPkgInfoW NEGOTIATE_SecPkgInfoW =
 	NEGOTIATE_SecPkgInfoW_Comment /* Comment */
 };
 
-static void negotiate_SetSubPackage(NEGOTIATE_CONTEXT* context, const char* name)
+static void negotiate_SetSubPackage(NEGOTIATE_CONTEXT* context, const TCHAR* name)
 {
-	if (strncmp(name, KERBEROS_SSP_NAME, sizeof(KERBEROS_SSP_NAME)) == 0)
+	if (_tcsnccmp(name, KERBEROS_SSP_NAME, ARRAYSIZE(KERBEROS_SSP_NAME)) == 0)
 	{
 		context->sspiA = (SecurityFunctionTableA*) &KERBEROS_SecurityFunctionTableA;
 		context->sspiW = (SecurityFunctionTableW*) &KERBEROS_SecurityFunctionTableW;
@@ -155,7 +156,7 @@ static SECURITY_STATUS SEC_ENTRY negotiate_InitializeSecurityContextW(PCredHandl
 		if (!pInput)
 		{
 			context->sspiA->DeleteSecurityContext(&(context->SubContext));
-			negotiate_SetSubPackage(context, (const char*) NTLM_SSP_NAME);
+			negotiate_SetSubPackage(context, NTLM_SSP_NAME);
 		}
 
 		status = context->sspiW->InitializeSecurityContextW(phCredential, &(context->SubContext),
@@ -213,7 +214,7 @@ static SECURITY_STATUS SEC_ENTRY negotiate_InitializeSecurityContextA(PCredHandl
 		if (!pInput)
 		{
 			context->sspiA->DeleteSecurityContext(&(context->SubContext));
-			negotiate_SetSubPackage(context, (const char*) NTLM_SSP_NAME);
+			negotiate_SetSubPackage(context, NTLM_SSP_NAME);
 		}
 
 		status = context->sspiA->InitializeSecurityContextA(phCredential, &(context->SubContext),
@@ -244,8 +245,7 @@ static SECURITY_STATUS SEC_ENTRY negotiate_AcceptSecurityContext(PCredHandle phC
 		sspi_SecureHandleSetUpperPointer(phNewContext, (void*) NEGO_SSP_NAME);
 	}
 
-	negotiate_SetSubPackage(context,
-	                        (const char*) NTLM_SSP_NAME); /* server-side Kerberos not yet implemented */
+	negotiate_SetSubPackage(context, NTLM_SSP_NAME); /* server-side Kerberos not yet implemented */
 	status = context->sspiA->AcceptSecurityContext(phCredential, &(context->SubContext),
 	         pInput, fContextReq, TargetDataRep, &(context->SubContext),
 	         pOutput, pfContextAttr, ptsTimeStamp);