[krbdev.mit.edu #1473] ticket forwarding broken when TGS and app service have different enctypes

Sam Hartman hartmans at MIT.EDU
Sat May 10 18:10:14 EDT 2003


>>>>> "Ken" == Ken Raeburn via RT <rt-comment at krbdev.mit.edu> writes:

    Ken> A heuristic added to the ticket-forwarding code to avoid
    Ken> problems forwarding tickets to hosts without DES3 support has
    Ken> backfired.  It requested a forwarded ticket with the enctype
    Ken> of the session key for talking to the service.  However, if
    Ken> the session key and preferred service key are, say, AES, but
    Ken> the TGS key is DES3 only, and we (inappropriately) infer the

How do you ever get such a key issued?  You should not issue an AES
session key ticket if the service does not have an AES key in the kdb
even for krbtgt.


