diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index 983c9dd4a..903aaaa91 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -988,7 +988,7 @@ tgs_make_reply(krb5_context context,
 etype list, even if we don't want a session key with
 DES3? */
 ret = _kdc_encode_reply(context, config,
- &rep, &et, &ek, et.key.keytype,
+ &rep, &et, &ek, serverkey->keytype,
 kvno,
 serverkey, 0, replykey, rk_is_subkey,
 e_text, reply);
@@ -1699,13 +1699,22 @@ server_lookup:
 } else {
 Key *skey;
 
- ret = _kdc_get_preferred_key(context, config, server, spn,
- &etype, &skey);
+ ret = _kdc_find_etype(context,
+ config->tgs_use_strongest_session_key, FALSE,
+ server, b->etype.val, b->etype.len, &etype,
+ NULL);
 if(ret) {
 kdc_log(context, config, 0,
 "Server (%s) has no support for etypes", spn);
 goto out;
 }
+ ret = _kdc_get_preferred_key(context, config, server, spn,
+ NULL, &skey);
+ if(ret) {
+ kdc_log(context, config, 0,
+ "Server (%s) has no supported etypes", spn);
+ goto out;
+ }
 ekey = &skey->key;
 kvno = server->entry.kvno;
 }
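Review bot: The comment ending just above the call (`... even if we don't want a session key with DES3? */`) still reads as an open question about which etype to use, while the changed argument now answers it with `serverkey->keytype`. Assuming `_kdc_encode_reply` uses this argument as the etype for encrypting under `serverkey`, I would add a line after that comment such as `/* The ticket enc-part etype follows serverkey, not the session key (et.key). */` so a later reader does not revert to `et.key.keytype`. `serverkey` is also now dereferenced at the call site rather than only passed through. tgs_make_reply starts outside this hunk, so whether every caller guarantees a non-NULL key should be confirmed there.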
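Review bot: The two failure paths in the `else` branch log almost the same text (`has no support for etypes` and `has no supported etypes`), although they now mean different things: the first is `_kdc_find_etype` failing against the client-supplied `b->etype` list, the second is `_kdc_get_preferred_key` returning no key for the server. An operator reading KDC logs cannot tell a request offering only unacceptable etypes from a service principal with no usable key. I would make them distinct, e.g. `"No session etype in common between request and server (%s)"` and `"Server (%s) has no usable key"`. The bare `FALSE` passed to `_kdc_find_etype` would also benefit from a short comment naming what it disables. The enclosing function begins and ends outside this hunk.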