diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index 4174d6f49..b1398062d 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -912,6 +912,12 @@ tgs_make_reply(astgs_request_t r,
     et.flags.hw_authent = tgt->flags.hw_authent;
     et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate;
 
+    /* See MS-KILE 3.3.5.1 */
+    if (!server->entry.flags.forwardable)
+	et.flags.forwardable = 0;
+    if (!server->entry.flags.proxiable)
+	et.flags.proxiable = 0;
+
     /*
      * For anonymous tickets, we should filter out positive authorization data
      * that could reveal the client's identity, and return a policy error for
diff --git a/tests/kdc/check-kdc.in b/tests/kdc/check-kdc.in
index 47181f926..192ee6fdf 100644
--- a/tests/kdc/check-kdc.in
+++ b/tests/kdc/check-kdc.in
@@ -460,6 +460,10 @@ ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
 ${klist} -f | grep ${server} | grep FRA > /dev/null || \
 	{ ec=1 ; eval "${testfailed}"; }
 
+echo "Testing strip of forwardable when the server is disallowed in TGS-REQ"
+${kgetcred} sensitive@${R} || { ec=1 ; eval "${testfailed}"; }
+${klist} -f | grep sensitive | grep FRA > /dev/null && \
+	{ ec=1 ; eval "${testfailed}"; }
 echo "Specific enctype"; > messages.log
 ${kinit} --password-file=${objdir}/foopassword \
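Review bot: The strip is silent — a client that asked for a forwardable or proxiable ticket to a service whose entry lacks the flag gets the ticket back with the flag cleared and nothing in the KDC log says why, which makes support cases and auditing of delegation policy harder than they need to be. A debug-level entry where each flag is cleared, e.g. `kdc_log(r->context, r->config, 4, "Stripping forwardable flag: server entry is not forwardable");` (and the same for proxiable, ideally naming the server the way the rest of tgs_make_reply already does), keeps the MS-KILE behaviour while leaving a trace. The accompanying check-kdc.in case exercises only the forwardable branch; the proxiable branch added here has no test. tgs_make_reply begins and ends outside the hunk, so I could not confirm that the KDC-REP flags returned to the client are copied from et.flags after this point rather than before it; if they were copied earlier, the ticket and the reply would disagree on these two flags.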