This scenario can also occur if the request enctypes list and the client keys do not overlap, e.g.: make testrealm kadmin.local cpw -pw user -e aes256-cts user kadmin.local modprinc +preauth user in krb5.conf: [libdefaults] default_tkt_enctypes = aes128-cts kinit user We tolerate the lack of a client key in case we can use PKINIT or OTP, but when we can't offer one of those we offer the same meaningless 133/136 hint list as in the +hwauth case.