When constructing the preauth hint list, hint_list_next() discards 
preauth system entries which don't have PA_HARDWARE set if the client 
principal has the KRB5_KDB_REQUIRES_HW_AUTH bit set.  A similar 
decision applies all the way back to the 1.0 release.  The intent is 
not to offer preauth mechs like encrypted timestamp which won't satisfy 
the requirement for hardware preauth.

We use static preauth system entries to add etype-info or etype-info2 
entries to the hint list.  These entries do not have the PA_HARDWARE 
flag set (unlike the entry for KRB5_PADATA_FX_FAST), so we do not 
include etype-info in the hint list for principals which require 
hardware auth.  The practical upshot is that SAM-2 preauth probably 
won't work for principals which don't use the default salt.