>>>>> ""," == ", Machin@MIT EDU, Glenn D " via RT writes: ",> The solution is to have _kadm5_init_any() do what ",> gss_init_sec_context does in that, use the encryption types ",> that are in both the desired list and what is defined by ",> default_tgs_enctypes. No, it should intersect against default_tkt_enctypes since it is an initial request. Your default_tkt_enctypes is not a subset of default_tgs_enctypes, so things fail. I do believe that the current code does intersect against default_tkt_enctypes. You can argue that having both default_tgs_enctypes and default_tkt_enctypes is confusing and useless. We'd probably agree. But it's currently the documented behavior.