diff --git a/kdc/fast.c b/kdc/fast.c
index 238ac8dd5..aacd7b743 100644
--- a/kdc/fast.c
+++ b/kdc/fast.c
@@ -53,7 +53,7 @@ get_fastuser_crypto(astgs_request_t r, krb5_enctype enctype,
 	goto out;
 
     ret = _kdc_db_fetch(r->context, r->config, fast_princ,
-			HDB_F_GET_CLIENT, NULL, NULL, &fast_user);
+			HDB_F_GET_FAST_COOKIE, NULL, NULL, &fast_user);
     krb5_free_principal(r->context, fast_princ);
     if (ret)
 	goto out;
diff --git a/lib/hdb/hdb.h b/lib/hdb/hdb.h
index bc2a3bdc5..808c4582a 100644
--- a/lib/hdb/hdb.h
+++ b/lib/hdb/hdb.h
@@ -71,6 +71,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
 #define HDB_F_PRECHECK		16384	/* check that the operation would succeed */
 #define HDB_F_DELAY_NEW_KEYS	32768	/* apply [hdb] new_service_key_delay */
 #define HDB_F_SYNTHETIC_OK	65536	/* synthetic principal for PKINIT OK */
+#define HDB_F_GET_FAST_COOKIE  131072	/* fetch the FX-COOKIE key (not a normal principal) */
 
 /* hdb_capability_flags */
 #define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1