dbentry_supports_enctype() ignores session_enctypes if it is empty due to this conditional: if (retval == 0 && etypes_str != NULL && *etypes_str != '\0') and also ignores it if it evaluates to an empty list due to this conditional: if (retval == 0 && etypes != NULL && etypes[0]) { The second behavior can be surprising because the enctype list may contain values which are filtered out due to allow_weak_crypto=false. Empty values and lists should probably be treated as empty lists, even if that results in the service principal not working.