diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index fe52d113d..e4b7c87fd 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -2181,10 +2181,12 @@ server_lookup:
 /*
  * If the service isn't trusted for authentication to
- * delegation, remove the forward flag.
+ * delegation or if the impersonate client is disallowed
+ * forwardable, remove the forwardable flag.
  */
- if (client->entry.flags.trusted_for_delegation) {
+ if (client->entry.flags.trusted_for_delegation &&
+ s4u2self_impersonated_client->entry.flags.forwardable) {
 str = "[forwardable]";
 } else {
 b->kdc_options.forwardable = 0;
diff --git a/tests/kdc/check-kdc.in b/tests/kdc/check-kdc.in
index 374d6f004..6874bf3d7 100644
--- a/tests/kdc/check-kdc.in
+++ b/tests/kdc/check-kdc.in
@@ -217,6 +217,8 @@ ${kadmin} add -p kaka --use-defaults kt-des3@${R} || exit 1
 ${kadmin} add -p kaka --use-defaults foo/des3-only@${R} || exit 1
 ${kadmin} add -p kaka --use-defaults bar/des3-only@${R} || exit 1
 ${kadmin} add -p kaka --use-defaults foo/aes-only@${R} || exit 1
+
+${kadmin} add -p sens --use-defaults --attributes=disallow-forwardable sensitive@${R} || exit 1
 ${kadmin} add -p foo --use-defaults ${ps} || exit 1
 ${kadmin} modify --attributes=+trusted-for-delegation ${ps} || exit 1
 ${kadmin} modify --constrained-delegation=${server} ${ps} || exit 1
@@ -809,6 +811,15 @@ echo "test impersonate unknown client"; > messages.log
 ${kgetcred_imp} --forward --impersonate=unknown@${R} ${ps} && \
 { ec=1 ; eval "${testfailed}"; }
+echo "test delegate sensitive client"; > messages.log
+${kgetcred_imp} --forward --impersonate=sensitive@${R} ${ps} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kgetcred} \
+ --out-cache=${o2cache} \
+ --delegation-credential-cache=${ocache} \
+ ${server}@${R} && \
+ { ec=1 ; eval "${testfailed}"; }
+
 echo "test constrained delegation"; > messages.log
 ${kgetcred_imp} --forward --impersonate=bar@${R} ${ps} || \
 { ec=1 ; eval "${testfailed}"; }
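Review bot: The new condition dereferences `s4u2self_impersonated_client` unconditionally, and nothing in the hunk shows it is non-NULL at this point; the enclosing block starts and ends outside the hunk, so this presumably relies on the S4U2Self lookup having succeeded on every path that reaches the comment, and that invariant deserves a line in the comment, e.g. `* (s4u2self_impersonated_client is always set when this code is reached)`. Both reasons for clearing the flag now fall into the same `else` branch, so the log line that consumes `str` (outside the hunk) can no longer tell an operator whether the service lacked trusted-for-delegation or the impersonated principal carried disallow-forwardable; a distinct `str` value or log message per reason would make the denial auditable. The comment wording could also be tightened to `* delegation, or the impersonated client has disallow-forwardable set, clear the forwardable flag.`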
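Review bot: The negative check `${kgetcred} ... ${server}@${R} && { ec=1 ; eval "${testfailed}"; }` passes on any failure of kgetcred, not only the intended rejection of a non-forwardable S4U2Self ticket, so an unrelated error such as a missing ${ocache} or a wrong server name would be reported as a pass. This matches the existing "test impersonate unknown client" pattern, so it may be an accepted trade-off, but since messages.log is reset with `> messages.log` right before the test, grepping it for the KDC's denial message after the second call would tie the failure to the new check. Inspecting the ticket flags stored in ${ocache} after the first `${kgetcred_imp} --forward --impersonate=sensitive@${R}` call would additionally pin the KDC change directly, rather than only through the downstream S4U2Proxy failure.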