diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c index 81ebee1a2..91053ec60 100644 --- a/kdc/kerberos5.c +++ b/kdc/kerberos5.c @@ -1165,34 +1165,6 @@ _kdc_encode_reply(krb5_context context, return 0; } -/* - * Return 1 if the client have only older enctypes, this is for - * determining if the server should send ETYPE_INFO2 or not. - */ - -static int -older_enctype(krb5_enctype enctype) -{ - switch (enctype) { - case ETYPE_DES_CBC_CRC: - case ETYPE_DES_CBC_MD4: - case ETYPE_DES_CBC_MD5: - case ETYPE_DES3_CBC_SHA1: - case ETYPE_ARCFOUR_HMAC_MD5: - case ETYPE_ARCFOUR_HMAC_MD5_56: - /* - * The following three is "old" windows enctypes and is needed for - * windows 2000 hosts. - */ - case ETYPE_ARCFOUR_MD4: - case ETYPE_ARCFOUR_HMAC_OLD: - case ETYPE_ARCFOUR_HMAC_OLD_EXP: - return 1; - default: - return 0; - } -} - /* * */ @@ -1407,13 +1379,19 @@ get_pa_etype_info2(krb5_context context, return 0; } +/* + * Return 0 if the client have only older enctypes, this is for + * determining if the server should send ETYPE_INFO2 or not. + */ + static int -newer_enctype_present(struct KDC_REQ_BODY_etype *etype_list) +newer_enctype_present(krb5_context context, + struct KDC_REQ_BODY_etype *etype_list) { size_t i; for (i = 0; i < etype_list->len; i++) { - if (!older_enctype(etype_list->val[i])) + if (!krb5_is_enctype_old(context, etype_list->val[i])) return 1; } return 0; @@ -1462,7 +1440,7 @@ get_pa_etype_info_both(krb5_context context, if (ret) return ret; - if (!newer_enctype_present(etype_list)) + if (!newer_enctype_present(context, etype_list)) ret = get_pa_etype_info(context, config, md, ckey, include_salt); return ret; diff --git a/lib/krb5/crypto-arcfour.c b/lib/krb5/crypto-arcfour.c index 9b5250aed..28fc52e4c 100644 --- a/lib/krb5/crypto-arcfour.c +++ b/lib/krb5/crypto-arcfour.c 
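Review bot: The comment restored above `newer_enctype_present` in kdc/kerberos5.c no longer matches what the loop tests: `krb5_is_enctype_old()` (added in lib/krb5/crypto.c by this commit) also returns TRUE for an enctype the library cannot find, while the removed `older_enctype()` returned 0 in its `default:` case. A request whose list holds only old and unrecognised enctypes therefore now reaches the `get_pa_etype_info` call in `get_pa_etype_info_both`, where it previously did not. That looks intended, since the Windows 2000 RC4 variants from the removed switch receive no `F_OLD` flag anywhere in this diff and presumably rely on the not-found path, but the comment should say so, e.g. `/* Return 1 if the client offered at least one enctype that libkrb5 knows and that is not flagged F_OLD; unknown enctypes count as old. */`. The function's closing brace lies outside the hunk.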
@@ -360,7 +360,7 @@ struct _krb5_encryption_type _krb5_enctype_arcfour_hmac_md5 = { &keytype_arcfour, &_krb5_checksum_hmac_md5, &_krb5_checksum_hmac_md5, - F_SPECIAL | F_WEAK, + F_SPECIAL | F_WEAK | F_OLD, ARCFOUR_encrypt, NULL, 0, diff --git a/lib/krb5/crypto-des.c b/lib/krb5/crypto-des.c index 7060283f3..c5692954c 100644 --- a/lib/krb5/crypto-des.c +++ b/lib/krb5/crypto-des.c @@ -309,7 +309,7 @@ struct _krb5_encryption_type _krb5_enctype_des_cbc_crc = { &keytype_des, &_krb5_checksum_crc32, NULL, - F_DISABLED|F_WEAK, + F_DISABLED|F_WEAK|F_OLD, evp_des_encrypt_key_ivec, NULL, 0, @@ -326,7 +326,7 @@ struct _krb5_encryption_type _krb5_enctype_des_cbc_md4 = { &keytype_des, &_krb5_checksum_rsa_md4, &_krb5_checksum_rsa_md4_des, - F_DISABLED|F_WEAK, + F_DISABLED|F_WEAK|F_OLD, evp_des_encrypt_null_ivec, NULL, 0, @@ -343,7 +343,7 @@ struct _krb5_encryption_type _krb5_enctype_des_cbc_md5 = { &keytype_des, &_krb5_checksum_rsa_md5, &_krb5_checksum_rsa_md5_des, - F_DISABLED|F_WEAK, + F_DISABLED|F_WEAK|F_OLD, evp_des_encrypt_null_ivec, NULL, 0, @@ -360,7 +360,7 @@ struct _krb5_encryption_type _krb5_enctype_des_cbc_none = { &keytype_des, &_krb5_checksum_none, NULL, - F_PSEUDO|F_DISABLED|F_WEAK, + F_PSEUDO|F_DISABLED|F_WEAK|F_OLD, evp_des_encrypt_null_ivec, NULL, 0, @@ -377,7 +377,7 @@ struct _krb5_encryption_type _krb5_enctype_des_cfb64_none = { &keytype_des_old, &_krb5_checksum_none, NULL, - F_PSEUDO|F_DISABLED|F_WEAK, + F_PSEUDO|F_DISABLED|F_WEAK|F_OLD, DES_CFB64_encrypt_null_ivec, NULL, 0, @@ -394,7 +394,7 @@ struct _krb5_encryption_type _krb5_enctype_des_pcbc_none = { &keytype_des_old, &_krb5_checksum_none, NULL, - F_PSEUDO|F_DISABLED|F_WEAK, + F_PSEUDO|F_DISABLED|F_WEAK|F_OLD, DES_PCBC_encrypt_key_ivec, NULL, 0, diff --git a/lib/krb5/crypto-des3.c b/lib/krb5/crypto-des3.c index c4eba3012..d231921d6 100644 --- a/lib/krb5/crypto-des3.c +++ b/lib/krb5/crypto-des3.c 
@@ -196,7 +196,7 @@ struct _krb5_encryption_type _krb5_enctype_des3_cbc_md5 = { &keytype_des3, &_krb5_checksum_rsa_md5, &_krb5_checksum_rsa_md5_des3, - 0, + F_OLD, _krb5_evp_encrypt, _krb5_evp_encrypt_iov, 0, @@ -214,7 +214,7 @@ struct _krb5_encryption_type _krb5_enctype_des3_cbc_sha1 = { &keytype_des3_derived, &_krb5_checksum_sha1, &_krb5_checksum_hmac_sha1_des3, - F_DERIVED | F_RFC3961_ENC | F_RFC3961_KDF, + F_DERIVED | F_RFC3961_ENC | F_RFC3961_KDF | F_OLD, _krb5_evp_encrypt, _krb5_evp_encrypt_iov, 16, @@ -232,7 +232,7 @@ struct _krb5_encryption_type _krb5_enctype_old_des3_cbc_sha1 = { &keytype_des3, &_krb5_checksum_sha1, &_krb5_checksum_hmac_sha1_des3, - 0, + F_OLD, _krb5_evp_encrypt, _krb5_evp_encrypt_iov, 0, @@ -250,7 +250,7 @@ struct _krb5_encryption_type _krb5_enctype_des3_cbc_none = { &keytype_des3_derived, &_krb5_checksum_none, NULL, - F_PSEUDO, + F_PSEUDO | F_OLD, _krb5_evp_encrypt, _krb5_evp_encrypt_iov, 0, diff --git a/lib/krb5/crypto-null.c b/lib/krb5/crypto-null.c index 53f97c529..a62a57ffc 100644 --- a/lib/krb5/crypto-null.c +++ b/lib/krb5/crypto-null.c @@ -95,7 +95,7 @@ struct _krb5_encryption_type _krb5_enctype_null = { &keytype_null, &_krb5_checksum_none, NULL, - F_DISABLED, + F_DISABLED | F_OLD, NULL_encrypt, NULL, 0, diff --git a/lib/krb5/crypto.c b/lib/krb5/crypto.c index 6d6e5b7f5..524b2e786 100644 --- a/lib/krb5/crypto.c +++ b/lib/krb5/crypto.c 
@@ -2847,6 +2847,26 @@ krb5_is_enctype_weak(krb5_context context, krb5_enctype enctype) return FALSE; } +/** + * Returns whether the encryption type is new or old + * + * @param context Kerberos 5 context + * @param enctype encryption type to probe + * + * @return Returns true if encryption type is old or is not supported. + * + * @ingroup krb5_crypto + */ + +KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL +krb5_is_enctype_old(krb5_context context, krb5_enctype enctype) +{ + struct _krb5_encryption_type *et = _krb5_find_enctype(enctype); + if (!et || (et->flags & F_OLD)) + return TRUE; + return FALSE; +} + /** * Returns whether the encryption type should use randomly generated salts * diff --git a/lib/krb5/crypto.h b/lib/krb5/crypto.h index 0971c3d2e..3cbaf70ab 100644 --- a/lib/krb5/crypto.h +++ b/lib/krb5/crypto.h @@ -52,6 +52,7 @@ struct _krb5_key_usage; #define F_PSEUDO 0x0010 /* not a real protocol type */ #define F_DISABLED 0x0020 /* enctype/checksum disabled */ #define F_WEAK 0x0040 /* enctype is considered weak */ +#define F_OLD 0x0080 /* enctype is old */ #define F_RFC3961_ENC 0x0100 /* RFC3961 simplified profile */ #define F_SPECIAL 0x0200 /* backwards */ diff --git a/lib/krb5/libkrb5-exports.def.in b/lib/krb5/libkrb5-exports.def.in index df6fa7caa..90212173e 100644 --- a/lib/krb5/libkrb5-exports.def.in +++ b/lib/krb5/libkrb5-exports.def.in @@ -400,6 +400,7 @@ EXPORTS krb5_init_ets krb5_initlog krb5_is_config_principal + krb5_is_enctype_old krb5_is_enctype_weak krb5_is_thread_safe #ifdef HAVE_KCM diff --git a/lib/krb5/version-script.map b/lib/krb5/version-script.map index 26b53f6ed..2cc49fe0f 100644 --- a/lib/krb5/version-script.map +++ b/lib/krb5/version-script.map @@ -395,6 +395,7 @@ HEIMDAL_KRB5_2.0 { krb5_init_ets; krb5_initlog; krb5_is_config_principal; + krb5_is_enctype_old; krb5_is_enctype_weak; krb5_is_thread_safe; krb5_kcm_call;
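Review bot: The doc comment on `krb5_is_enctype_old` does not tell callers of this newly exported function that "old" is an interoperability classification and not a strength one, and the `F_OLD` comment in lib/krb5/crypto.h (`/* enctype is old */`) has the same gap. In this diff the DES3 enctypes gain `F_OLD` without `F_WEAK`, so the two flags already disagree, and code that reads "not old" as "acceptable" or "old" as "weak" would be making a policy decision the flag was not defined for. I would state in the brief what "old" is meant to capture (the only caller in this commit is the KDC's ETYPE_INFO/ETYPE_INFO2 decision, so presumably clients that predate ETYPE_INFO2) and extend `@return` with `Also TRUE for enctypes unknown to this library. Not a strength check; see krb5_is_enctype_weak().`. The `context` argument is unused in the body shown; if it is kept only for symmetry with `krb5_is_enctype_weak`, a one-line comment should say so.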