If -allow_tgs_req / DISALLOW_TGT_BASED is set on a service princ then I shouldn't be able to kinit with it, right? I'm able to get TGTs though with kinit and the keytab for this service, and then get service tickets with kvno; I need to update my KDC and see if this is still true, or mabye I'm misunderstanding how it works...? Thanks, Chris