When constructing the preauth hint list, hint_list_next() discards preauth system entries that do not have PA_HARDWARE set if the client principal has the KRB5_KDB_REQUIRES_HW_AUTH bit set. A similar decision applies all the way back to the 1.0 release. The intent is to avoid offering preauth mechanisms, such as encrypted timestamp, that won't satisfy the requirement for hardware preauth.

We use static preauth system entries to add etype-info or etype-info2 entries to the hint list. These entries do not have the PA_HARDWARE flag set (unlike the entry for KRB5_PADATA_FX_FAST), so we do not include etype-info in the hint list for principals that require hardware auth. Without etype-info, the client is never told the principal's salt. The practical upshot is that SAM-2 preauth probably won't work for principals that don't use the default salt.
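A simplified model of the filter described above, added here as an example and not taken from the krb5 source, shows the etype-info entries dropping out of the hint list once the principal requires hardware auth. The table contents, the bit values, the enum names, the helpers model_hint_next(), build_hint_list() and hint_list_has(), and the PA_HARDWARE flag on the SAM-2 entry are assumptions made for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Illustrative model only: flag names follow the page, bit values are assumed. */
#define PA_HARDWARE               0x04u
#define KRB5_KDB_REQUIRES_HW_AUTH 0x100u

enum { PA_ENC_TIMESTAMP = 2, PA_ETYPE_INFO = 11, PA_ETYPE_INFO2 = 19,
       PA_SAM_CHALLENGE_2 = 30, PA_FX_FAST = 136 };

struct pa_system { int type; unsigned flags; };

/* Constructed table standing in for the KDC's preauth system entries. */
static const struct pa_system systems[] = {
    { PA_FX_FAST,         PA_HARDWARE },  /* page: has PA_HARDWARE */
    { PA_ETYPE_INFO,      0 },            /* page: static entry, no PA_HARDWARE */
    { PA_ETYPE_INFO2,     0 },            /* page: static entry, no PA_HARDWARE */
    { PA_ENC_TIMESTAMP,   0 },            /* not a hardware mechanism */
    { PA_SAM_CHALLENGE_2, PA_HARDWARE },  /* assumption: SAM-2 counts as hardware */
};
#define NSYSTEMS (sizeof(systems) / sizeof(systems[0]))

/* Models the filter: index of the next offered entry at or after pos, or -1. */
static int model_hint_next(unsigned princ_attrs, size_t pos)
{
    int hw = (princ_attrs & KRB5_KDB_REQUIRES_HW_AUTH) != 0;
    for (; pos < NSYSTEMS; pos++) {
        if (hw && !(systems[pos].flags & PA_HARDWARE))
            continue;               /* discarded: cannot satisfy hardware preauth */
        return (int)pos;
    }
    return -1;
}

/* Collects the padata types that would be offered; returns how many. */
static size_t build_hint_list(unsigned princ_attrs, int *out, size_t max)
{
    size_t n = 0;
    int i;
    for (i = model_hint_next(princ_attrs, 0); i >= 0 && n < max;
         i = model_hint_next(princ_attrs, (size_t)i + 1))
        out[n++] = systems[i].type;
    return n;
}

/* Returns 1 if the given padata type appears in the hint list, else 0. */
static int hint_list_has(unsigned princ_attrs, int type)
{
    int out[NSYSTEMS];
    size_t i, n = build_hint_list(princ_attrs, out, NSYSTEMS);
    for (i = 0; i < n; i++)
        if (out[i] == type) return 1;
    return 0;
}

int main(void)
{
    printf("etype-info2 offered, no hw flag: %d\n", hint_list_has(0, PA_ETYPE_INFO2));
    printf("etype-info2 offered, hw flag:    %d\n",
           hint_list_has(KRB5_KDB_REQUIRES_HW_AUTH, PA_ETYPE_INFO2));
    return 0;
}
```

In the hardware-auth case SAM-2 is still offered but neither etype-info entry is, which is the condition the page ties to non-default salts.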