diff --git a/lib/hdb/common.c b/lib/hdb/common.c
index b15000d6a..d153e94b9 100644
--- a/lib/hdb/common.c
+++ b/lib/hdb/common.c
@@ -119,7 +119,6 @@ _hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
 if (ret)
 return ret;
 principal = enterprise_principal;
- flags |= HDB_F_CANON; /* enterprise implies canonicalization */
 }
 hdb_principal2key(context, principal, &key);
@@ -192,6 +191,14 @@ _hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
 }
 }
 }
+ if (enterprise_principal) {
+ /*
+ * Whilst Windows does not canonicalize enterprise principal names if
+ * the canonicalize flag is unset, the original specification in
+ * draft-ietf-krb-wg-kerberos-referrals-03.txt says we should.
+ */
+ entry->entry.flags.force_canonicalize = 1;
+ }
 return 0;
 }
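Review bot: The guard `if (enterprise_principal)` added near the end of `_hdb_fetch_kvno` relies on that pointer still being a meaningful indicator long after its last visible use in the `hdb_principal2key()` call, and the lines that release it are not part of this diff. If the principal is freed earlier in the function without being reset to NULL, the test reads a stale pointer value; a function-scope `int is_enterprise = 0;` set to 1 beside `principal = enterprise_principal;` and tested here as `if (is_enterprise)` would not depend on the pointer's lifetime. It would also help to confirm that `force_canonicalize`, which lives in `entry->entry.flags`, is treated as per-lookup state and is not written back if a caller stores the fetched entry. The function starts and continues outside both hunks.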