diff --git a/confluent_server/confluent/auth.py b/confluent_server/confluent/auth.py
index 4bdfa885..eb11efc8 100644
--- a/confluent_server/confluent/auth.py
+++ b/confluent_server/confluent/auth.py
@@ -122,8 +122,8 @@ def _get_usertenant(name, tenant=False):
     if not isinstance(tenant, bool):
         # if not boolean, it must be explicit tenant
         user = name
-    elif '/' in name:  # tenant scoped name
-        tenant, user = name.split('/', 1)
+    elif b'/' in name:  # tenant scoped name
+        tenant, user = name.split(b'/', 1)
     elif configmanager.is_tenant(name):
         # the account is the implicit tenant owner account
         user = name
@@ -288,4 +288,4 @@ def _do_pbkdf(passphrase, salt):
     # compute.  However, we do want to wait for result, so we have
     # one of the exceedingly rare sort of circumstances where 'apply'
     # actually makes sense
-    return authworkers.apply(_apply_pbkdf, [passphrase, salt])
\ No newline at end of file
+    return authworkers.apply(_apply_pbkdf, [passphrase, salt])
diff --git a/confluent_server/confluent/httpapi.py b/confluent_server/confluent/httpapi.py
index bcb81a1d..a03ea80f 100644
--- a/confluent_server/confluent/httpapi.py
+++ b/confluent_server/confluent/httpapi.py
@@ -80,7 +80,7 @@ def group_creation_resources():
     yield confluent.messages.ListAttributes(kv={'nodes': []},
                                             desc='Nodes to add to the group'
                                             ).html() + '<br>\n'
-    for attr in sorted(attribs.node.iterkeys()):
+    for attr in sorted(attribs.node):
         if attr == 'groups':
             continue
         if attr.startswith("secret."):
@@ -101,7 +101,7 @@ def group_creation_resources():
 def node_creation_resources():
     yield confluent.messages.Attributes(
         kv={'name': None}, desc="Name of the node").html() + '<br>'
-    for attr in sorted(attribs.node.iterkeys()):
+    for attr in sorted(attribs.node):
         if attr.startswith("secret."):
             yield confluent.messages.CryptedAttributes(
                 kv={attr: None},
@@ -132,7 +132,7 @@ def user_creation_resources():
             'description': (''),
         },
     }
-    for attr in sorted(credential.iterkeys()):
+    for attr in sorted(credential):
         if attr == "password":
             yield confluent.messages.CryptedAttributes(
                 kv={attr: None},
@@ -182,7 +182,7 @@ def _get_query_dict(env, reqbody, reqtype):
     if reqbody is not None:
         if "application/x-www-form-urlencoded" in reqtype:
             pbody = urlparse.parse_qs(reqbody, True)
-            for ky in pbody.iterkeys():
+            for ky in pbody:
                 if len(pbody[ky]) > 1:  # e.g. REST explorer
                     na = [i for i in pbody[ky] if i != '']
                     qdict[ky] = na
@@ -190,7 +190,7 @@ def _get_query_dict(env, reqbody, reqtype):
                     qdict[ky] = pbody[ky][0]
         elif 'application/json' in reqtype:
             pbody = json.loads(reqbody)
-            for key in pbody.iterkeys():
+            for key in pbody:
                 qdict[key] = pbody[key]
     if 'restexplorerhonorkey' in qdict:
         nqdict = {}
@@ -311,7 +311,7 @@ def _authorize_request(env, operation):
                 return {'code': 401}
             return ('logout',)
         name, passphrase = base64.b64decode(
-            env['HTTP_AUTHORIZATION'].replace('Basic ', '')).split(':', 1)
+            env['HTTP_AUTHORIZATION'].replace('Basic ', '')).split(b':', 1)
         authdata = auth.check_user_passphrase(name, passphrase, operation=operation, element=element)
         if authdata is False:
             return {'code': 403}
@@ -325,14 +325,14 @@ def _authorize_request(env, operation):
                                 'inflight': set([])}
         if 'HTTP_CONFLUENTAUTHTOKEN' in env:
             httpsessions[sessid]['csrftoken'] = util.randomstring(32)
-        cookie['confluentsessionid'] = sessid
+        cookie['confluentsessionid'] = util.stringify(sessid)
         cookie['confluentsessionid']['secure'] = 1
         cookie['confluentsessionid']['httponly'] = 1
         cookie['confluentsessionid']['path'] = '/'
     skiplog = _should_skip_authlog(env)
     if authdata:
         auditmsg = {
-            'user': name,
+            'user': util.stringify(name),
             'operation': operation,
             'target': env['PATH_INFO'],
         }
@@ -344,7 +344,7 @@ def _authorize_request(env, operation):
         if authdata[3] is not None:
             auditmsg['tenant'] = authdata[3]
             authinfo['tenant'] = authdata[3]
-        auditmsg['user'] = authdata[2]
+        auditmsg['user'] = util.stringify(authdata[2])
         if sessid is not None:
             authinfo['sessionid'] = sessid
         if not skiplog:
@@ -632,6 +632,7 @@ def resourcehandler_backend(env, start_response):
             sessinfo = {'username': authorized['username']}
             if 'authtoken' in authorized:
                 sessinfo['authtoken'] = authorized['authtoken']
+            tlvdata.unicode_dictvalues(sessinfo)
             yield json.dumps(sessinfo)
             return
         resource = '.' + url[url.rindex('/'):]
@@ -737,7 +738,7 @@ def _assemble_json(responses, resource=None, url=None, extension=None):
     for rsp in responses:
         if isinstance(rsp, confluent.messages.LinkRelation):
             haldata = rsp.raw()
-            for hk in haldata.iterkeys():
+            for hk in haldata:
                 if 'href' in haldata[hk]:
                     if isinstance(haldata[hk]['href'], int):
                         haldata[hk]['href'] = str(haldata[hk]['href'])
@@ -753,7 +754,7 @@ def _assemble_json(responses, resource=None, url=None, extension=None):
                     links[hk] = haldata[hk]
         else:
             rsp = rsp.raw()
-            for dk in rsp.iterkeys():
+            for dk in rsp:
                 if dk in rspdata:
                     if isinstance(rspdata[dk], list):
                         if isinstance(rsp[dk], list):
@@ -772,8 +773,8 @@ def _assemble_json(responses, resource=None, url=None, extension=None):
                         rspdata[dk] = rsp[dk]
     rspdata["_links"] = links
     tlvdata.unicode_dictvalues(rspdata)
-    yield json.dumps(
-        rspdata, sort_keys=True, indent=4, ensure_ascii=False).encode('utf-8')
+    yield util.stringify(json.dumps(
+        rspdata, sort_keys=True, indent=4, ensure_ascii=False).encode('utf-8'))
 
 
 def serve(bind_host, bind_port):
diff --git a/confluent_server/confluent/messages.py b/confluent_server/confluent/messages.py
index 07718a3d..32eee244 100644
--- a/confluent_server/confluent/messages.py
+++ b/confluent_server/confluent/messages.py
@@ -126,14 +126,14 @@ class ConfluentMessage(object):
             return self._generic_html_value(self.kvpairs)
         if not self.stripped:
             htmlout = ''
-            for node in self.kvpairs.iterkeys():
+            for node in self.kvpairs:
                 htmlout += '{0}:{1}\n'.format(
                     node, self._generic_html_value(self.kvpairs[node]))
             return htmlout
 
     def _generic_html_value(self, pairs):
         snippet = ""
-        for key in pairs.iterkeys():
+        for key in pairs:
             val = pairs[key]
             value = self.defaultvalue
             if isinstance(val, dict) and 'type' in val:
@@ -326,14 +326,14 @@ class ConfluentChoiceMessage(ConfluentMessage):
             return self._create_option(self.kvpairs)
         else:
             htmlout = ''
-            for node in self.kvpairs.iterkeys():
+            for node in self.kvpairs:
                 htmlout += '{0}:{1}\n'.format(
                     node, self._create_option(self.kvpairs[node]))
             return htmlout
 
     def _create_option(self, pairdata):
         snippet = ''
-        for key in pairdata.iterkeys():
+        for key in pairdata:
             val = pairdata[key]
             snippet += key + ':<select name="%s">' % key
             valid_values = self.valid_values
diff --git a/confluent_server/confluent/userutil.py b/confluent_server/confluent/userutil.py
index a171758d..6d7019fc 100644
--- a/confluent_server/confluent/userutil.py
+++ b/confluent_server/confluent/userutil.py
@@ -1,5 +1,6 @@
 from ctypes import *
 from ctypes.util import find_library
+import confluent.util as util
 import grp
 import pwd
 import os
@@ -29,6 +30,7 @@ def getgrouplist(name, gid, ng=32):
 
 
 def grouplist(username):
+    username = util.stringify(username)
     pent = pwd.getpwnam(username)
     try:
         groups = getgrouplist(pent.pw_name, pent.pw_gid)
diff --git a/confluent_server/confluent/util.py b/confluent_server/confluent/util.py
index b347c788..5cfafa3e 100644
--- a/confluent_server/confluent/util.py
+++ b/confluent_server/confluent/util.py
@@ -75,11 +75,11 @@ def randomstring(length=20):
 
     :param length: The number of characters to produce, defaults to 20
     """
-    chunksize = length / 4
+    chunksize = length // 4
     if length % 4 > 0:
         chunksize += 1
     strval = base64.urlsafe_b64encode(os.urandom(chunksize * 3))
-    return strval[0:length-1]
+    return stringify(strval[0:length-1])
 
 
 def securerandomnumber(low=0, high=4294967295):