This change can cause interoperability problems with clients using JDK 1.6.0_24 due to a bug which is fixed in 1.7 and 1.6.0_25:

https://bugs.openjdk.java.net/browse/JDK-6932525

The bug is that, in its second pre-authenticated request, the client narrows its etypes field to the enctypes present in the ETYPE-INFO/ETYPE-INFO2 pa-data of the PREAUTH_REQUIRED error, unnecessarily limiting the set of negotiable session etypes.

Here is an example of the problem cropping up:

http://mailman.mit.edu/pipermail/krbdev/2015-December/012499.html

In this example, the problem occurs because des-cbc-md5 is negotiated for preauth but normally cannot be used as the session enctype (due to an old hardcoded policy stemming from an ancient interop issue). The problem could also occur without single-DES if the server principal has a restricted set of enctypes.

I don't think we need to revert our KDC behavior; the Java client bug can also manifest with certain AD server configurations. I'm just noting it here to make it easier to find in the future.
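The two failure paths described in the note, as an added illustration that is not part of the ticket and not MIT krb5 or JDK code: a simplified model of the AS-REQ etype negotiation in which the buggy client narrows its second request to the ETYPE-INFO2 enctypes, while a fixed client keeps its full list. The enctype names are standard Kerberos identifiers; the key sets, ETYPE-INFO2 contents and session policy in the two scenarios are constructed for the example and are assumptions, not values from the ticket or the linked thread.

```python
"""Simplified model of Kerberos AS-REQ enctype negotiation.

Added example only: it models the behaviour the ticket describes and is
not MIT krb5 or JDK source. Key sets and policies below are constructed.
"""

DES_CBC_MD5 = "des-cbc-md5"
AES128 = "aes128-cts-hmac-sha1-96"
AES256 = "aes256-cts-hmac-sha1-96"
RC4 = "arcfour-hmac"


def buggy_second_request(first_request_etypes, etype_info2_etypes):
    """Client behaviour of JDK 1.6.0_24 (JDK-6932525): after the
    PREAUTH_REQUIRED error the client resends its etypes narrowed to the
    enctypes listed in ETYPE-INFO/ETYPE-INFO2, which only describe the
    client's long-term keys usable for preauth."""
    return [e for e in first_request_etypes if e in etype_info2_etypes]


def fixed_second_request(first_request_etypes, etype_info2_etypes):
    """Fixed behaviour (JDK 1.7, 1.6.0_25): ETYPE-INFO2 selects the
    preauth key but does not restrict the session enctypes offered."""
    return list(first_request_etypes)


def kdc_choose_session_enctype(request_etypes, server_key_etypes, session_policy):
    """KDC side: the session enctype must be requested by the client,
    backed by a key of the server principal, and allowed by the session
    policy. Returns None when nothing qualifies (a real KDC would answer
    with KDC_ERR_ETYPE_NOSUPP)."""
    for e in request_etypes:
        if e in server_key_etypes and e in session_policy:
            return e
    return None


def negotiate(client_variant, first_request, etype_info2, server_keys, policy):
    """Run one exchange: PREAUTH_REQUIRED with ETYPE-INFO2, second request,
    then KDC session-enctype selection."""
    second = client_variant(first_request, etype_info2)
    return kdc_choose_session_enctype(second, server_keys, policy)


# Scenario 1 (the krbdev thread): the client principal's only long-term
# key in this constructed scenario is des-cbc-md5, so ETYPE-INFO2 offers
# DES for preauth, but policy never allows single-DES as session enctype.
SCENARIO_DES = dict(
    first_request=[AES256, AES128, DES_CBC_MD5],
    etype_info2=[DES_CBC_MD5],
    server_keys=[AES256, AES128, DES_CBC_MD5],
    policy=[AES256, AES128, RC4],  # single-DES excluded
)

# Scenario 2 (no single-DES involved): preauth is negotiated on the
# client's AES256 key, but the service principal only has RC4 keys.
SCENARIO_RESTRICTED = dict(
    first_request=[AES256, AES128, RC4],
    etype_info2=[AES256],
    server_keys=[RC4],
    policy=[AES256, AES128, RC4],
)


def run_scenario(scenario):
    """Returns (buggy_client_result, fixed_client_result)."""
    return (negotiate(buggy_second_request, **scenario),
            negotiate(fixed_second_request, **scenario))


if __name__ == "__main__":
    for name, sc in (("single-DES preauth", SCENARIO_DES),
                     ("restricted server keys", SCENARIO_RESTRICTED)):
        buggy, fixed = run_scenario(sc)
        print(f"{name}: buggy client -> {buggy}, fixed client -> {fixed}")
```

In both scenarios the buggy client ends with no usable session enctype while the fixed client succeeds, which is the symptom an operator would see as a preauth-capable client that still fails to obtain a ticket after the second exchange.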