If krb5_get_creds_from_kdc_opt() gets the final service ticket during referrals processing, it does so with use_conf_ktypes = 1. This may be undesirable, as the application may have requested to override the config file enctypes. The problem is that the referrals code should set use_conf_ktypes = 1 when getting TGTs. There may need to be an explicit check to see if the returned service ticket contains enctypes not requested by the application, and if so, to repeat the request with use_conf_ktypes = 0.