Based on feedback, we decided to go with disabling allow_weak_crypto instead of removing DES from default_tkt_enctypes. (However, as originally planned, I did add code to check that AS replies are encrypted in one of the requested enctypes.)