diff --git a/cas_server/tests/test_utils.py b/cas_server/tests/test_utils.py
index 908f519..d298ba7 100644
--- a/cas_server/tests/test_utils.py
+++ b/cas_server/tests/test_utils.py
@@ -97,7 +97,7 @@ class CheckPasswordCase(TestCase):
             utils.LdapHashUserPassword.hash(
                 b"{CRYPT}",
                 self.password1,
-                "$6$UVVAQvrMyXMF3FF3",
+                b"$6$UVVAQvrMyXMF3FF3",
                 charset="utf8"
             )
         )
@@ -122,7 +122,7 @@ class CheckPasswordCase(TestCase):
             with self.assertRaises(utils.LdapHashUserPassword.BadScheme):
                 utils.LdapHashUserPassword.hash(scheme, self.password1)
         with self.assertRaises(utils.LdapHashUserPassword.BadSalt):
-            utils.LdapHashUserPassword.hash(b'{CRYPT}', self.password1, "$truc$toto")
+            utils.LdapHashUserPassword.hash(b'{CRYPT}', self.password1, b"$truc$toto")
 
         # then try to check hash with bad hashes
         with self.assertRaises(utils.LdapHashUserPassword.BadHash):
diff --git a/cas_server/utils.py b/cas_server/utils.py
index 747d9a3..060e9ab 100644
--- a/cas_server/utils.py
+++ b/cas_server/utils.py
@@ -85,7 +85,13 @@ def update_url(url, params):
     url_parts = list(urlparse(url))
     query = dict(parse_qsl(url_parts[4]))
     query.update(params)
-    url_parts[4] = urlencode(query)
+    # make the params order deterministic
+    query = list(query.items())
+    query.sort()
+    url_query = urlencode(query)
+    if not isinstance(url_query, bytes):
+        url_query = url_query.encode("utf-8")
+    url_parts[4] = url_query
     return urlunparse(url_parts).decode('utf-8')