Renewed tickets can apparently also become unusable across a TGT rekey with a different first enctype, due to this bug. I believe the scenario is identical to the forwarding case. http://mailman.mit.edu/pipermail/kerberos/2016-December/021536.html