Windows 7 clients apparently offer the 1024-bit Oakley MODP group, and might have some trouble with Diffie-Hellman parameter counterproposals by the KDC. Allowing dh_min_bits to be 1024 (but not by default) should allow these clients to do PKINIT successfully (if combined with the "missing q parameter" interop workaround). Arguably, 1024 bits is too weak for modern usage, but SP800-57 says it's equivalent to 80 bits of security, and we still allow administrators to configure single-DES, which is weaker. We should still investigate the underlying interop problem, though.
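A configuration check for the two weak settings this message mentions (a 1024-bit PKINIT DH minimum and single-DES), as an added example that is not part of the original message or of the krb5 code. It assumes the MIT krb5 profile relations `pkinit_dh_min_bits`, `allow_weak_crypto` and the `*_enctypes` lists; the sample configuration and realm names are constructed.

```python
import re

# Single-DES enctype names; des3-* (triple DES) is deliberately not matched.
SINGLE_DES = {"des", "des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}
ENCTYPE_KEYS = {"supported_enctypes", "permitted_enctypes",
                "default_tkt_enctypes", "default_tgs_enctypes"}
TRUE_VALUES = {"y", "yes", "t", "true", "on", "1"}

# Constructed sample profile (kdc.conf and krb5.conf relations merged).
SAMPLE = """\
[kdcdefaults]
    pkinit_dh_min_bits = 2048
[realms]
    LEGACY.EXAMPLE = {
        # lowered for old clients
        pkinit_dh_min_bits = 1024
        supported_enctypes = aes256-cts:normal des-cbc-crc:normal des3-cbc-sha1:normal
    }
[libdefaults]
    allow_weak_crypto = true
"""

def audit(text, dh_floor=2048):
    """Return (location, key, value, reason) for each weak setting found."""
    findings, path = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        section = re.fullmatch(r"\[(\w+)\]", line)
        if section:                      # top-level section, e.g. [realms]
            path = [section.group(1)]
            continue
        if line.startswith("}"):         # end of a nested block (a realm)
            if len(path) > 1:
                path.pop()
            continue
        key, sep, value = (p.strip() for p in line.partition("="))
        if value == "{":                 # start of a nested block
            path.append(key)
        elif key == "pkinit_dh_min_bits" and value.isdigit() and int(value) < dh_floor:
            findings.append(("/".join(path), key, value, f"DH minimum below {dh_floor} bits"))
        elif key == "allow_weak_crypto" and value.lower() in TRUE_VALUES:
            findings.append(("/".join(path), key, value, "single-DES permitted"))
        elif key in ENCTYPE_KEYS:
            weak = [t for t in re.split(r"[\s,]+", value)
                    if t.split(":")[0].lower() in SINGLE_DES]
            if weak:
                findings.append(("/".join(path), key, " ".join(weak), "single-DES enctype listed"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```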