diff --git a/lib/krb5/crypto-des3.c b/lib/krb5/crypto-des3.c
index 26492529f..5cbe4c05a 100644
--- a/lib/krb5/crypto-des3.c
+++ b/lib/krb5/crypto-des3.c
@@ -52,6 +52,59 @@ DES3_random_key(krb5_context context,
 	    DES_is_weak_key(&k[2]));
 }
 
+static krb5_error_code
+DES3_prf(krb5_context context,
+	 krb5_crypto crypto,
+	 const krb5_data *in,
+	 krb5_data *out)
+{
+    struct _krb5_checksum_type *ct = crypto->et->checksum;
+    krb5_error_code ret;
+    Checksum result;
+    krb5_keyblock *derived;
+
+    result.cksumtype = ct->type;
+    ret = krb5_data_alloc(&result.checksum, ct->checksumsize);
+    if (ret) {
+	krb5_set_error_message(context, ret, N_("malloc: out memory", ""));
+	return ret;
+    }
+
+    ret = (*ct->checksum)(context, NULL, in->data, in->length, 0, &result);
+    if (ret) {
+	krb5_data_free(&result.checksum);
+	return ret;
+    }
+
+    if (result.checksum.length < crypto->et->blocksize)
+	krb5_abortx(context, "internal prf error");
+
+    derived = NULL;
+    ret = krb5_derive_key(context, crypto->key.key,
+			  crypto->et->type, "prf", 3, &derived);
+    if (ret)
+	krb5_abortx(context, "krb5_derive_key");
+
+    ret = krb5_data_alloc(out, crypto->et->blocksize);
+    if (ret)
+	krb5_abortx(context, "malloc failed");
+
+    {
+	const EVP_CIPHER *c = (*crypto->et->keytype->evp)();
+	EVP_CIPHER_CTX ctx;
+
+	EVP_CIPHER_CTX_init(&ctx); /* ivec all zero */
+	EVP_CipherInit_ex(&ctx, c, NULL, derived->keyvalue.data, NULL, 1);
+	EVP_Cipher(&ctx, out->data, result.checksum.data,
+		   crypto->et->blocksize);
+	EVP_CIPHER_CTX_cleanup(&ctx);
+    }
+
+    krb5_data_free(&result.checksum);
+    krb5_free_keyblock(context, derived);
+
+    return ret;
+}
 
 #ifdef DES3_OLD_ENCTYPE
 static struct _krb5_key_type keytype_des3 = {
@@ -158,7 +211,7 @@ struct _krb5_encryption_type _krb5_enctype_des3_cbc_sha1 = {
     F_DERIVED,
     _krb5_evp_encrypt,
     0,
-    NULL
+    DES3_prf
 };
 
 #ifdef DES3_OLD_ENCTYPE
diff --git a/lib/krb5/crypto.c b/lib/krb5/crypto.c
index 8015fea4a..549710c1e 100644
--- a/lib/krb5/crypto.c
+++ b/lib/krb5/crypto.c
@@ -1890,6 +1890,7 @@ _krb5_derive_key(krb5_context context,
     case KRB5_ENCTYPE_OLD_DES3_CBC_SHA1:
 	_krb5_DES3_random_to_key(context, key->key, k, nblocks * et->blocksize);
 	break;
+    case ETYPE_DES3_CBC_SHA1:
     case KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96:
     case KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96:
 	memcpy(key->key->keyvalue.data, k, key->key->keyvalue.length);