Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.507 (Entity 5.507) RT-Send-CC: X-RT-Original-Encoding: iso-8859-1 Content-Length: 463 This scenario can also occur if the request enctypes list and the client keys do not overlap, e.g.: make testrealm kadmin.local cpw -pw user -e aes256-cts user kadmin.local modprinc +preauth user in krb5.conf: [libdefaults] default_tkt_enctypes = aes128-cts kinit user We tolerate the lack of a client key in case we can use PKINIT or OTP, but when we can't offer one of those we offer the same meaningless 133/136 hint list as in the +hwauth case.