diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 433cef0b9..e90a8ba8f 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -1076,13 +1076,6 @@ _kdc_as_rep(krb5_context context,
     if(ret)
 	goto out;
 
-    ret = _kdc_check_flags(context, config,
-			   client, client_name,
-			   server, server_name,
-			   TRUE);
-    if(ret)
-	goto out;
-
     memset(&et, 0, sizeof(et));
     memset(&ek, 0, sizeof(ek));
 
@@ -1365,6 +1358,19 @@ _kdc_as_rep(krb5_context context,
 	goto out;
     }
 
+    /*
+     * Verify flags after the user been required to prove its identity
+     * with in a preauth mech.
+     */
+
+    ret = _kdc_check_flags(context, config,
+			   client, client_name,
+			   server, server_name,
+			   TRUE);
+    if(ret)
+	goto out;
+
+
     /*
      * Find the client key (for preauth ENC-TS verification and reply
      * encryption).  Then the best encryption type for the KDC and