diff --git a/kdc/default_config.c b/kdc/default_config.c
index 8de65ee35..49d56c9e7 100644
--- a/kdc/default_config.c
+++ b/kdc/default_config.c
@@ -100,6 +100,8 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
 c->historical_anon_realm = FALSE;
 c->strict_nametypes = FALSE;
 c->trpolicy = TRPOLICY_ALWAYS_CHECK;
+ c->enable_armored_pa_enc_timestamp = TRUE;
+ c->enable_unarmored_pa_enc_timestamp = TRUE;
 c->enable_pkinit = FALSE;
 c->pkinit_princ_in_cert = TRUE;
 c->pkinit_require_binding = TRUE;
@@ -251,6 +253,21 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
 c->kdc_warn_pwexpire,
 "kdc",
 "kdc_warn_pwexpire",
 NULL);
+ c->enable_armored_pa_enc_timestamp =
+ krb5_config_get_bool_default(context,
+ NULL,
+ c->enable_armored_pa_enc_timestamp,
+ "kdc",
+ "enable_armored_pa_enc_timestamp",
+ NULL);
+
+ c->enable_unarmored_pa_enc_timestamp =
+ krb5_config_get_bool_default(context,
+ NULL,
+ c->enable_unarmored_pa_enc_timestamp,
+ "kdc",
+ "enable_unarmored_pa_enc_timestamp",
+ NULL);
 c->enable_pkinit =
 krb5_config_get_bool_default(context,
diff --git a/kdc/kdc.h b/kdc/kdc.h
index 694263cac..36440d8fb 100644
--- a/kdc/kdc.h
+++ b/kdc/kdc.h
@@ -84,6 +84,9 @@ typedef struct krb5_kdc_configuration {
 krb5_boolean strict_nametypes;
 enum krb5_kdc_trpolicy trpolicy;
 
+ krb5_boolean enable_armored_pa_enc_timestamp;
+ krb5_boolean enable_unarmored_pa_enc_timestamp;
+
 krb5_boolean enable_pkinit;
 krb5_boolean pkinit_princ_in_cert;
 const char *pkinit_kdc_identity;
diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 926f6a927..2446d4897 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
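Review bot: The two new defaults `c->enable_armored_pa_enc_timestamp = TRUE;` and `c->enable_unarmored_pa_enc_timestamp = TRUE;` carry no comment explaining why both are on, even though the krb5.conf(5) text in this same commit says RFC 6113 discourages PA-ENC-TIMESTAMP inside FAST and that the unarmored form is slated to be disabled; a reader of default_config.c alone cannot see that. Suggest a comment above them such as `/* Both on for interoperability with older Heimdal; see enable_*_pa_enc_timestamp in krb5.conf(5). Unarmored PA-ENC-TIMESTAMP is expected to default off in a future release. */`. An unarmored encrypted timestamp is a password-derived ciphertext observable by anyone on the network path, so a deployment that can require FAST has reason to set the unarmored flag to false now rather than wait for the default to change. krb5_kdc_get_config starts and ends outside the hunk.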
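Review bot: The second default_config.c hunk separates the two new krb5_config_get_bool_default() blocks with a blank line but leaves none between `NULL);` of kdc_warn_pwexpire and the first new block, nor between the second new block's `NULL);` and `c->enable_pkinit =`, so the spacing inside the hunk is inconsistent with itself. Either drop the inner blank line or add one on both outer edges so the new settings read like the surrounding ones. The "kdc" section key names `enable_armored_pa_enc_timestamp` and `enable_unarmored_pa_enc_timestamp` match the struct fields and the man page entries, which is good; just make sure the same spelling is used wherever the flags are checked. krb5_kdc_get_config starts and ends outside the hunk.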
@@ -726,7 +726,19 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
 size_t len;
 Key *pa_key;
 char *str;
-
+
+ if (r->armor_crypto && !r->config->enable_armored_pa_enc_timestamp) {
+ ret = KRB5KDC_ERR_POLICY;
+ kdc_log(r->context, r->config, 0,
+ "Armored encrypted timestamp pre-authentication is disabled");
+ return ret;
+ } else if (!r->armor_crypto && !r->config->enable_unarmored_pa_enc_timestamp) {
+ ret = KRB5KDC_ERR_POLICY;
+ kdc_log(r->context, r->config, 0,
+ "Unarmored encrypted timestamp pre-authentication is disabled");
+ return ret;
+ }
+
 if (r->client->entry.flags.locked_out) {
 ret = KRB5KDC_ERR_CLIENT_REVOKED;
 kdc_log(r->context, r->config, 0,
diff --git a/lib/krb5/krb5.conf.5 b/lib/krb5/krb5.conf.5
index 9b2994bf4..b03e2aaf5 100644
--- a/lib/krb5/krb5.conf.5
+++ b/lib/krb5/krb5.conf.5
@@ -805,6 +805,17 @@ addresses in the tickets.
 .It Li allow-null-ticket-addresses = Va BOOL
 Allow address-less tickets.
 .\" XXX
+.It Li enable_armored_pa_enc_timestamp = Va BOOL
+Enable armored encrypted timestamp pre-authentication with key
+strengthening.
+RFC 6113 says not to use PA-ENC-TIMESTAMP in FAST armored tunnels
+as there is a newer replacement, PA-ENC-CHALLENGE, but for
+interoperability with earlier versions of Heimdal, this is
+enabled by default for now.
+.It Li enable_unarmored_pa_enc_timestamp = Va BOOL
+Enable unarmored encrypted timestamp pre-authentication.
+Enabled by default for now, but in a future release will be
+disabled.
 .It Li allow-anonymous = Va BOOL
 If the kdc is allowed to hand out anonymous tickets.
 .It Li synthetic_clients = Va BOOL
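Review bot: The new check at the top of pa_enc_ts_validate only rejects a PA-ENC-TIMESTAMP the client has already sent; nothing in this hunk gates whether the KDC still advertises PA-ENC-TIMESTAMP (for example in its PREAUTH_REQUIRED reply), so if that offer path is not also conditioned on the same two flags elsewhere in the commit, a client can be steered into a method the KDC then fails with KRB5KDC_ERR_POLICY — worth confirming. The two branches differ only in the flag and the log string and could be folded into one: `if (!(r->armor_crypto ? r->config->enable_armored_pa_enc_timestamp : r->config->enable_unarmored_pa_enc_timestamp))`, with `r->armor_crypto ? "Armored" : "Unarmored"` selecting the message. Neither rejection message identifies the client; if the neighbouring locked_out message (its text is outside the hunk) names the principal, these should too so operators can tell which clients are still using the disabled method. pa_enc_ts_validate starts and ends outside the hunk, and `ret` is declared outside it.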