Dear Kerberos developers, fetching a Kerberos TGT from a KDC which allows for a modern session key encryption (e.g. aes265) but a different TKT encryption only (e.g. 3DES), this is shown correctly with "klist -Afe", but in the graphical Kerberos Ticket Manager, the Session Key enctype is shown for both the Session Key and the Ticket enctype, i.e. I get: Session Key: aes265-cts-hmac-sha1-96 Ticket: aes265-cts-hmac-sha1-96 in the GUI, but: Etype (skey, tkt): aes265-cts-hmac-sha1-96, des3-cbc-sha1 for the same ticket in the same ticket cache in klist. I'll spare you screenshots (unless you request them) and point to the (likely) issue in the code (I don't have a Windows developer environment set up, so no guarantees that this is the error): This is how klist works (correctly): https://github.com/krb5/krb5/blob/90fedf8188fc47aa5a476a969af34671555df389/src/clients/klist/klist.c#L747-L749 It calls "etype_string" twice, in different statements. This is how leash/KrbListTickets works: https://github.com/krb5/krb5/blob/0fdc59ef5e538fdf0fd65fa190483e84289f66c1/src/windows/leash/KrbListTickets.cpp#L148-L150 Note that it calls etype_string twice in the same statement to format the arguments to printf. The problem lies in the fact that etype_string: https://github.com/krb5/krb5/blob/0fdc59ef5e538fdf0fd65fa190483e84289f66c1/src/windows/leash/KrbListTickets.cpp#L77 uses a static const char* buffer. Calling it twice within the same printf statement clobbers that static string, so a wrong formatted string results. Cheers, Oliver