The session_enctypes string attribute, added in 1.11, uses the same 
syntax for enctype lists as the three profile variables 
(permitted_enctypes, default_tkt_enctypes, default_tgs_enctypes).  But 
unlike those variables, it evaluates DEFAULT to an empty list.

There are two reasonable options for fixing this: evaluate DEFAULT to 
the same hardcoded default list as is used for the three profile 
variables, or evaluate it to the value of permitted_enctypes (which the 
KDC already uses to filter key data in DB entries).