diff --git a/kdc/default_config.c b/kdc/default_config.c
index a22e75f61..669df4ee7 100644
--- a/kdc/default_config.c
+++ b/kdc/default_config.c
@@ -133,6 +133,11 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
 c->tgs_use_strongest_session_key, "kdc", "tgs-use-strongest-session-key", NULL);
+ c->use_strongest_server_key =
+ krb5_config_get_bool_default(context, NULL,
+ c->use_strongest_server_key,
+ "kdc",
+ "use-strongest-server-key", NULL);
 c->check_ticket_addresses = krb5_config_get_bool_default(context, NULL,
diff --git a/kdc/kdc.h b/kdc/kdc.h
index 497163521..9d52fd4c2 100644
--- a/kdc/kdc.h
+++ b/kdc/kdc.h
@@ -62,6 +62,7 @@ typedef struct krb5_kdc_configuration {
 krb5_boolean as_use_strongest_session_key;
 krb5_boolean preauth_use_strongest_session_key;
 krb5_boolean tgs_use_strongest_session_key;
+ krb5_boolean use_strongest_server_key;
 krb5_boolean check_ticket_addresses;
 krb5_boolean allow_null_ticket_addresses;
diff --git a/kdc/misc.c b/kdc/misc.c
index 458878504..fb67d5e6f 100644
--- a/kdc/misc.c
+++ b/kdc/misc.c
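Review bot: The third argument of the new `krb5_config_get_bool_default` call is the default, and it is read from `c->use_strongest_server_key` before anything in this hunk has assigned that field; `krb5_kdc_get_config` begins above the hunk, so unless the earlier part of it sets the field the way the sibling `*_use_strongest_session_key` defaults are presumably set, the effective default is whatever the allocation of `c` left there. The krb5.conf.5 text in this same commit says the option defaults to TRUE, so add `c->use_strongest_server_key = TRUE;` next to those earlier defaults, or the manual and the code disagree. The kdc.h hunk only declares the field and does not initialize it either.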
@@ -134,24 +134,35 @@ _kdc_get_preferred_key(krb5_context context, krb5_enctype *enctype, Key **key) {
- const krb5_enctype *p;
 krb5_error_code ret;
 int i;
- p = krb5_kerberos_enctypes(context);
+ if (config->use_strongest_server_key) {
+ const krb5_enctype *p = krb5_kerberos_enctypes(context);
- for (i = 0; p[i] != ETYPE_NULL; i++) {
- if (krb5_enctype_valid(context, p[i]) != 0)
- continue;
- ret = hdb_enctype2key(context, &h->entry, p[i], key);
- if (ret == 0) {
- *enctype = p[i];
- return 0;
+ for (i = 0; p[i] != ETYPE_NULL; i++) {
+ if (krb5_enctype_valid(context, p[i]) != 0)
+ continue;
+ ret = hdb_enctype2key(context, &h->entry, p[i], key);
+ if (ret == 0) {
+ *enctype = p[i];
+ return 0;
+ }
+ }
+ } else {
+ *key = NULL;
+
+ for (i = 0; i < h->entry.keys.len; i++) {
+ if (krb5_enctype_valid(context, h->entry.keys.val[i].key.keytype)
+ != 0) {
+ *key = &h->entry.keys.val[i];
+ return 0;
+ }
 }
 }
 krb5_set_error_message(context, EINVAL, "No valid kerberos key found for %s", name);
- return EINVAL;
+ return EINVAL; /* XXX */
 }
diff --git a/lib/krb5/krb5.conf.5 b/lib/krb5/krb5.conf.5
index 9c2908e09..17241b31a 100644
--- a/lib/krb5/krb5.conf.5
+++ b/lib/krb5/krb5.conf.5
@@ -418,6 +418,11 @@ pre-authentication). Defaults to TRUE.
 .It Li tgs-use-strongest-session-key = Va BOOL
 Like as-use-strongest-session-key, but applies to the session key enctype of tickets issued by the TGS. Defaults to TRUE.
+.It Li use-strongest-server-key = Va BOOL
+If TRUE then the KDC picks, for the ticket encrypted part's key, the
+first supported enctype from the target service principal's hdb entry's
+current keyset. Else the KDC picks the first supported enctype from the
+target service principal's hdb entry's current keyset. Defaults to TRUE.
 .It Li check-ticket-addresses = Va BOOL
 Verify the addresses in the tickets used in tgs requests.
 .\" XXX
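Review bot: The new `else` branch in `_kdc_get_preferred_key` selects the first key whose enctype is *not* usable: `krb5_enctype_valid` returns 0 for a usable enctype, which is exactly why the strongest-key branch does `if (krb5_enctype_valid(context, p[i]) != 0) continue;`, so with the option off the KDC would hand back a key for an enctype the configuration disables (the ones that check exists to exclude) or fail when every key is fine; the test should read `if (krb5_enctype_valid(context, h->entry.keys.val[i].key.keytype) == 0) {`. That branch also never stores the chosen enctype, unlike the other path's `*enctype = p[i];`, so the caller's `*enctype` keeps whatever it held before; add `*enctype = h->entry.keys.val[i].key.keytype;` beside `*key = &h->entry.keys.val[i];`. Comparing `int i` against `h->entry.keys.len` will draw a sign-compare warning if `len` is unsigned (its declaration is not visible here), and the `/* XXX */` appended to `return EINVAL;` should say what is unresolved or be dropped. The function's signature begins above the hunk. Separately, the two sentences added to krb5.conf.5 for the TRUE and FALSE cases describe identical behavior, whereas this code walks the `krb5_kerberos_enctypes` preference order when the option is TRUE and the entry's own key order when it is FALSE, so the TRUE sentence should say so.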