diff --git a/kdc/kdc-tester.c b/kdc/kdc-tester.c
index ba502bcd3..878d3b61b 100644
--- a/kdc/kdc-tester.c
+++ b/kdc/kdc-tester.c
@@ -79,9 +79,10 @@ send_to_kdc(krb5_context c, void *ptr, krb5_krbhst_info *hi, time_t timeout,
 static void
 eval_kinit(heim_dict_t o)
 {
- heim_string_t user, password;
+ heim_string_t user, password, keytab;
 krb5_init_creds_context ctx;
 krb5_principal client;
+ krb5_keytab kt = NULL;
 krb5_error_code ret;
 if (ptop)
@@ -90,9 +91,11 @@ eval_kinit(heim_dict_t o)
 user = heim_dict_get_value(o, HSTR("client"));
 if (user == NULL)
 krb5_errx(kdc_context, 1, "no client");
+
 password = heim_dict_get_value(o, HSTR("password"));
- if (password == NULL)
- krb5_errx(kdc_context, 1, "no password");
+ keytab = heim_dict_get_value(o, HSTR("keytab"));
+ if (password == NULL && keytab == NULL)
+ krb5_errx(kdc_context, 1, "no password nor keytab");
 ret = krb5_parse_name(kdc_context, heim_string_get_utf8(user), &client);
 if (ret)
@@ -102,11 +105,21 @@ eval_kinit(heim_dict_t o)
 if (ret)
 krb5_err(kdc_context, 1, ret, "krb5_init_creds_init");
- ret = krb5_init_creds_set_password(kdc_context, ctx,
- heim_string_get_utf8(password));
- if (ret)
- krb5_err(kdc_context, 1, ret, "krb5_init_creds_set_password");
+ if (password) {
+ ret = krb5_init_creds_set_password(kdc_context, ctx,
+ heim_string_get_utf8(password));
+ if (ret)
+ krb5_err(kdc_context, 1, ret, "krb5_init_creds_set_password");
+ }
+ if (keytab) {
+ ret = krb5_kt_resolve(kdc_context, heim_string_get_utf8(keytab), &kt);
+ if (ret)
+ krb5_err(kdc_context, 1, ret, "krb5_kt_resolve");
+ ret = krb5_init_creds_set_keytab(kdc_context, ctx, kt);
+ if (ret)
+ krb5_err(kdc_context, 1, ret, "krb5_init_creds_set_keytab");
+ }
 ret = krb5_init_creds_get(kdc_context, ctx);
 if (ret)
@@ -114,6 +127,8 @@ eval_kinit(heim_dict_t o)
 krb5_init_creds_free(kdc_context, ctx);
+ if (kt)
+ krb5_kt_close(kdc_context, kt);
 #if 0
 printf("kinit success %s\n", heim_string_get_utf8(user));
 #endif
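Review bot: The new check `if (password == NULL && keytab == NULL)` in the second hunk of eval_kinit still accepts an entry that carries both keys, and the third hunk then calls both krb5_init_creds_set_password and krb5_init_creds_set_keytab on the same context. Which credential the request ends up using is then left to the library's internal ordering, so a test entry meant to prove the keytab path could pass on the password instead, or the reverse. I would make the choice explicit, either by rejecting the combination next to the existing check, `if (password != NULL && keytab != NULL) krb5_errx(kdc_context, 1, "both password and keytab");`, or by turning the second branch into `else if (keytab) {`. The function body starts and ends outside these hunks, so any cleanup of `client` is not visible here.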
diff --git a/tests/kdc/Makefile.am b/tests/kdc/Makefile.am
index 860c52140..f39590a63 100644
--- a/tests/kdc/Makefile.am
+++ b/tests/kdc/Makefile.am
@@ -259,6 +259,8 @@ EXTRA_DIST = \
 donotexists.txt \
 heimdal.acl \
 iprop-acl \
+ kdc-tester1.json \
+ kdc-tester2.json \
 krb5-pkinit.conf.in \
 krb5.conf.in \
 krb5-canon.conf.in \
diff --git a/tests/kdc/check-tester.in b/tests/kdc/check-tester.in
index 5cdf3e4d2..89ebe807f 100644
--- a/tests/kdc/check-tester.in
+++ b/tests/kdc/check-tester.in
@@ -48,6 +48,9 @@ ${have_db} || exit 77
 R=TEST.H5L.SE
+keytabfile=${objdir}/server.keytab
+keytab="FILE:${keytabfile}"
+
 kadmin="${kadmin} -l -r $R"
 server=host/datan.test.h5l.se
@@ -68,11 +71,13 @@ ${kadmin} \
 ${R} || exit 1
 ${kadmin} add -p foo --use-defaults foo@${R} || exit 1
+${kadmin} ext -k ${keytab} foo@${R} || exit 1
-echo "Doing database check"
-${kadmin} check ${R} || exit 1
-
+echo "password"
 ${kdc_tester} ${srcdir}/kdc-tester1.json || exit 1
+echo "keytab"
+${kdc_tester} ${srcdir}/kdc-tester2.json || exit 1
+
 exit $ec
diff --git a/tests/kdc/kdc-tester1.json b/tests/kdc/kdc-tester1.json
index c28fd3da1..f74532218 100644
--- a/tests/kdc/kdc-tester1.json
+++ b/tests/kdc/kdc-tester1.json
@@ -1,7 +1,7 @@
 [
 {
 "op" : "repeat",
- "num" : 100,
+ "num" : 333,
 "value" : {
 "op" : "kinit",
 "client" : "foo@TEST.H5L.SE",
diff --git a/tests/kdc/kdc-tester2.json b/tests/kdc/kdc-tester2.json
new file mode 100644
index 000000000..207ae372f
--- /dev/null
+++ b/tests/kdc/kdc-tester2.json
@@ -0,0 +1,12 @@
+[
+ {
+ "op" : "repeat",
+ "num" : 333,
+ "value" : {
+ "op" : "kinit",
+ "client" : "foo@TEST.H5L.SE",
+ "keytab" : "FILE:server.keytab"
+ }
+ }
+]
+
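Review bot: The keytab location is defined in two places that can disagree: check-tester.in extracts to `${objdir}/server.keytab`, while the new kdc-tester2.json hard-codes `"keytab" : "FILE:server.keytab"`, which names the same file only when the test runs with objdir as its working directory. Generating the JSON from a template, or otherwise passing `${keytab}` through to the tester, would keep the two in step. In the second check-tester.in hunk, `${kadmin} ext -k ${keytab} foo@${R}` writes into whatever file already sits at that path, and nothing in the visible hunks removes it first, so a keytab left by an earlier run may contribute stale keys. Consider `rm -f ${keytabfile}` before the `ext` line. The file holds long-term keys for the test principal, so it is also worth confirming it is cleaned up with the other test artefacts, which these hunks do not show.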