diff --git a/kdc/fast.c b/kdc/fast.c
index 0e3644aee..5c80d29ba 100644
--- a/kdc/fast.c
+++ b/kdc/fast.c
@@ -516,7 +516,7 @@ fast_unwrap_request(astgs_request_t r)
     if (FastOptions2int(fastreq.fast_options) & 0xfffc) {
 	kdc_log(r->context, r->config, 2,
 		"FAST unsupported mandatory option set");
-	ret = KRB5KDC_ERR_PREAUTH_FAILED;
+	ret = KRB5_KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS;
 	goto out;
     }
 
diff --git a/lib/krb5/krb5_err.et b/lib/krb5/krb5_err.et
index 13543a357..0860cf4d5 100644
--- a/lib/krb5/krb5_err.et
+++ b/lib/krb5/krb5_err.et
@@ -109,6 +109,9 @@ error_code PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED, "Public key encryption not suppo
 index 91
 error_code MORE_PREAUTH_DATA_REQUIRED, "More pre-authentication data required"
 
+index 93
+error_code UNKNOWN_CRITICAL_FAST_OPTIONS, "Unknown critical FAST options"
+
 index 94
 error_code INVALID_HASH_ALG, "Invalid OTP digest algorithm"
 error_code INVALID_ITERATION_COUNT, "Invalid OTP iteration count"