diff --git a/openssh-8.7p1-gssapi-auth.patch b/openssh-8.7p1-gssapi-auth.patch
new file mode 100644
index 0000000..6908cad
--- /dev/null
+++ b/openssh-8.7p1-gssapi-auth.patch
@@ -0,0 +1,20 @@
+diff --color -rup a/monitor.c b/monitor.c
+--- a/monitor.c	2022-07-11 15:11:28.146863144 +0200
++++ b/monitor.c	2022-07-11 15:15:35.726655877 +0200
+@@ -376,8 +376,15 @@ monitor_child_preauth(struct ssh *ssh, s
+ 		if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
+ 			auth_log(ssh, authenticated, partial,
+ 			    auth_method, auth_submethod);
+-			if (!partial && !authenticated)
++			if (!partial && !authenticated) {
++#ifdef GSSAPI
++				/* If gssapi-with-mic failed, MONITOR_REQ_GSSCHECKMIC is disabled.
++				 * We have to reenable it to try again for gssapi-keyex */
++				if (strcmp(auth_method, "gssapi-with-mic") == 0 && options.gss_keyex)
++					monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
++#endif
+ 				authctxt->failures++;
++			}
+ 			if (authenticated || partial) {
+ 				auth2_update_session_info(authctxt,
+ 				    auth_method, auth_submethod);
diff --git a/openssh.spec b/openssh.spec
index 61967bc..7610156 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -236,6 +236,10 @@ Patch1002: openssh-8.7p1-ssh-manpage.patch
 # 6c31ba10e97b6953c4f325f526f3e846dfea647a
 # 322964f8f2e9c321e77ebae1e4d2cd0ccc5c5a0b
 Patch1003: openssh-8.7p1-mem-leak.patch
+# Reenable MONITOR_REQ_GSSCHECKMIC after gssapi-with-mic failures
+# upstream MR:
+# https://github.com/openssh-gsskex/openssh-gsskex/pull/21
+Patch1004: openssh-8.7p1-gssapi-auth.patch
 
 License: BSD
 Requires: /sbin/nologin
@@ -428,6 +432,7 @@ popd
 %patch1001 -p1 -b .scp-clears-file
 %patch1002 -p1 -b .ssh-manpage
 %patch1003 -p1 -b .mem-leak
+%patch1004 -p1 -b .gssapi-auth
 
 %patch100 -p1 -b .coverity
 
@@ -715,6 +720,8 @@ test -f %{sysconfig_anaconda} && \
   Resolves: rhbz#2033372
 - Fix several memory leaks
   Related: rhbz#2068423
+- Fix gssapi authentication failures
+  Resolves: rhbz#2091023
 
 * Wed Jun 29 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-10
 - Set minimal value of RSA key length via configuration option