In a common PKINIT scenario, the KDC method data offers both RFC 4556 PKINIT and draft 9 PKINIT padata types. We try the PKINIT module on both types, and typically they either both succeed or both fail. However, if there is a PKCS11 token in the mix, the user could trigger a failure with the RFC 4556 PKINIT code path by entering the wrong PIN, and then a success with the draft 9 code path by entering the right PIN. This scenario results in downgrading to draft 9 when the KDC supports RFC 4556. A conservative solution is to use request context state to prevent the draft 9 code from operating if the RFC 4556 code has already made an attempt. A more aggressive solution is to remove the draft 9 code (#8543). http://mailman.mit.edu/pipermail/kerberos/2017-February/021585.html
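The downgrade sequence and the conservative fix, modelled as a small self-contained C program (an added example written for this note, not krb5's own PKINIT module code). The padata type constants, the request-context struct and the `token_login` stand-in for the PKCS11 PIN prompt are assumptions chosen for the model; the real client keeps this state in its preauth request context.

```c
#include <stdio.h>
#include <stdbool.h>

/* The two PKINIT padata types the KDC method data offers. These are
 * hypothetical labels for the model, not krb5's own enum values. */
typedef enum {
    PADATA_PK_AS_REQ_RFC4556 = 1,
    PADATA_PK_AS_REQ_DRAFT9  = 2
} padata_type;

/* Per-request client state (assumption: a plain struct standing in for
 * the preauth request context). */
typedef struct {
    bool rfc4556_attempted;   /* set once the RFC 4556 path has run */
    bool guard_downgrade;     /* enable the conservative fix */
} pkinit_req_ctx;

/* Simulated PKCS11 PIN entry: the caller supplies whether the user
 * typed the right PIN so the sequence is deterministic. */
static bool token_login(bool pin_correct) { return pin_correct; }

/* Process one PKINIT padata type. Returns 0 on success, -1 when the
 * token login fails, -2 when the draft 9 path is refused because the
 * RFC 4556 path already made an attempt for this request. */
int pkinit_process_padata(pkinit_req_ctx *ctx, padata_type type, bool pin_correct)
{
    if (type == PADATA_PK_AS_REQ_RFC4556) {
        ctx->rfc4556_attempted = true;
        return token_login(pin_correct) ? 0 : -1;
    }
    if (type == PADATA_PK_AS_REQ_DRAFT9) {
        /* A wrong PIN on the RFC 4556 attempt must not turn into a
         * successful draft 9 exchange against a KDC that supports RFC 4556. */
        if (ctx->guard_downgrade && ctx->rfc4556_attempted)
            return -2;
        return token_login(pin_correct) ? 0 : -1;
    }
    return -1;
}

/* Run the sequence from the report: RFC 4556 first with a wrong PIN,
 * then draft 9 with the right PIN. Returns the padata type that
 * succeeded, or 0 if neither did. */
int run_scenario(bool guard_downgrade)
{
    pkinit_req_ctx ctx = { .rfc4556_attempted = false,
                           .guard_downgrade = guard_downgrade };
    if (pkinit_process_padata(&ctx, PADATA_PK_AS_REQ_RFC4556, false) == 0)
        return PADATA_PK_AS_REQ_RFC4556;
    if (pkinit_process_padata(&ctx, PADATA_PK_AS_REQ_DRAFT9, true) == 0)
        return PADATA_PK_AS_REQ_DRAFT9;
    return 0;
}

int main(void)
{
    /* Unguarded: the mistyped PIN downgrades the exchange to draft 9.
     * Guarded: both attempts fail and the client must retry the request. */
    printf("unguarded: padata %d succeeded\n", run_scenario(false));
    printf("guarded:   padata %d succeeded\n", run_scenario(true));
    return 0;
}
```

With the guard enabled the mistyped PIN costs the user a fresh request rather than silently selecting the weaker protocol; a correct PIN on the first attempt still succeeds through the RFC 4556 path as before.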