diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 56553a863..2d68770f0 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -84,6 +84,24 @@ _kdc_find_padata(const KDC_REQ *req, int *start, int type)
     return NULL;
 }
 
+/*
+ * This is a hack to allow predefined weak services, like afs to
+ * still use weak types
+ */
+
+krb5_boolean
+_kdc_is_weak_expection(krb5_principal principal, krb5_enctype etype)
+{
+    if (principal->name.name_string.len > 0 &&
+	strcmp(principal->name.name_string.val[0], "afs") == 0 &&
+	(etype == ETYPE_DES_CBC_CRC
+	 || etype == ETYPE_DES_CBC_MD4
+	 || etype == ETYPE_DES_CBC_MD5))
+	return TRUE;
+    return FALSE;
+}
+
+
 /*
  * Detect if `key' is the using the the precomputed `default_salt'.
  */
@@ -120,7 +138,8 @@ _kdc_find_etype(krb5_context context, const hdb_entry_ex *princ,
     for(i = 0; ret != 0 && i < len ; i++) {
 	Key *key = NULL;
 
-	if (krb5_enctype_valid(context, etypes[i]) != 0)
+	if (krb5_enctype_valid(context, etypes[i]) != 0 &&
+	    !_kdc_is_weak_expection(princ->entry.principal, etypes[i]))
 	    continue;
 
 	while (hdb_next_enctype2key(context, &princ->entry, etypes[i], &key) == 0) {