diff --git a/kdc/default_config.c b/kdc/default_config.c
index 768214c28..63b4681f0 100644
--- a/kdc/default_config.c
+++ b/kdc/default_config.c
@@ -59,6 +59,7 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
     c->check_ticket_addresses = TRUE;
     c->allow_null_ticket_addresses = TRUE;
     c->allow_anonymous = FALSE;
+    c->strict_nametypes = FALSE;
     c->trpolicy = TRPOLICY_ALWAYS_CHECK;
     c->enable_pkinit = FALSE;
     c->pkinit_princ_in_cert = TRUE;
@@ -163,6 +164,12 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
                                      "kdc",
                                      "allow-anonymous", NULL);
 
+    c->strict_nametypes =
+        krb5_config_get_bool_default(context, NULL,
+                                     c->strict_nametypes,
+                                     "kdc",
+                                     "strict-nametypes", NULL);
+
     c->max_datagram_reply_length =
         krb5_config_get_int_default(context, NULL,
diff --git a/kdc/kdc.h b/kdc/kdc.h
index ba35e056f..2a1671aa8 100644
--- a/kdc/kdc.h
+++ b/kdc/kdc.h
@@ -69,6 +69,7 @@ typedef struct krb5_kdc_configuration {
     krb5_boolean check_ticket_addresses;
     krb5_boolean allow_null_ticket_addresses;
     krb5_boolean allow_anonymous;
+    krb5_boolean strict_nametypes;
 
     enum krb5_kdc_trpolicy trpolicy;
     krb5_boolean enable_pkinit;
diff --git a/kdc/misc.c b/kdc/misc.c
index 72acc32d7..15fae0f3a 100644
--- a/kdc/misc.c
+++ b/kdc/misc.c
@@ -33,6 +33,22 @@
 
 #include "kdc_locl.h"
 
+static int
+name_type_ok(krb5_context context,
+             krb5_kdc_configuration *config,
+             krb5_const_principal principal)
+{
+    int nt = krb5_principal_get_type(context, principal);
+
+    if (!krb5_principal_is_krbtgt(context, principal))
+        return 1;
+    if (nt == KRB5_NT_SRV_INST || nt == KRB5_NT_UNKNOWN)
+        return 1;
+    if (config->strict_nametypes == 0)
+        return 1;
+    return 0;
+}
+
 struct timeval _kdc_now;
 
 krb5_error_code
@@ -44,7 +60,7 @@ _kdc_db_fetch(krb5_context context,
               HDB **db,
               hdb_entry_ex **h)
 {
-    hdb_entry_ex *ent;
+    hdb_entry_ex *ent = NULL;
     krb5_error_code ret = HDB_ERR_NOENTRY;
     int i;
     unsigned kvno = 0;
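Review bot: The new `strict-nametypes` key is read from the `[kdc]` section in the second hunk of this file, but nothing in this diff documents it, although the option changes which krbtgt requests the KDC will serve (see the `name_type_ok` addition in kdc/misc.c). It should be described alongside the other `[kdc]` options in the configuration manual page, stating its default (`FALSE`, set in the hunk at old line 59) and that when it is enabled only krbtgt principals with name type SRV_INST or UNKNOWN are looked up. A one-line comment above the read, e.g. `/* opt-in: restrict krbtgt lookups to the expected name types */`, would also help a reader of this file, since the other reads here carry no explanation of what the value gates.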
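Review bot: The new `strict_nametypes` field in `krb5_kdc_configuration` is added without a comment, and the behaviour it controls lives in a static helper in kdc/misc.c, so a reader of this header cannot tell what enabling it does or which name types remain accepted. Suggest `krb5_boolean strict_nametypes; /* reject krbtgt lookups whose name type is not SRV_INST or UNKNOWN */`. The surrounding struct continues outside this hunk, so I could not check whether neighbouring fields follow a different commenting convention.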
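Review bot: `name_type_ok` calls `krb5_principal_get_type` and `krb5_principal_is_krbtgt` on every database fetch even when `config->strict_nametypes` is off, and the function carries no comment saying why krbtgt is limited to `KRB5_NT_SRV_INST` and `KRB5_NT_UNKNOWN`. Testing the configuration flag first keeps the default, non-strict path free of principal inspection and lets the body read as one policy statement, with the name-type test returned directly rather than through a chain of `return 1`. A header comment should record that the check is opt-in and which name types are accepted for krbtgt; the reason other name types are refused is not stated anywhere in the diff and belongs there too. The comparison `config->strict_nametypes == 0` on a `krb5_boolean` is also more idiomatically written as `!config->strict_nametypes`.
```c
/*
 * Opt-in policy check: when strict-nametypes is enabled, krbtgt lookups
 * are only honoured for name types SRV_INST and UNKNOWN.  Returns non-zero
 * when the principal may be looked up in the database.
 */
static int
name_type_ok(krb5_context context,
             krb5_kdc_configuration *config,
             krb5_const_principal principal)
{
    int nt;

    if (!config->strict_nametypes)
        return 1;
    if (!krb5_principal_is_krbtgt(context, principal))
        return 1;
    nt = krb5_principal_get_type(context, principal);
    return nt == KRB5_NT_SRV_INST || nt == KRB5_NT_UNKNOWN;
}
```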
@@ -53,6 +69,9 @@ _kdc_db_fetch(krb5_context context,
 
     *h = NULL;
 
+    if (!name_type_ok(context, config, principal))
+        goto out2;
+
     if (kvno_ptr != NULL && *kvno_ptr != 0) {
         kvno = *kvno_ptr;
         flags |= HDB_F_KVNO_SPECIFIED;
@@ -131,6 +150,7 @@ _kdc_db_fetch(krb5_context context,
         }
     }
 
+out2:
     if (ret == HDB_ERR_NOENTRY) {
         krb5_set_error_message(context, ret, "no such entry found in hdb");
     }
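Review bot: A request refused by `name_type_ok` leaves `_kdc_db_fetch` through `out2` with `ret` still at its initial `HDB_ERR_NOENTRY`, so the caller and the message set after the label in the hunk at old line 131 (`no such entry found in hdb`) report a policy rejection exactly like a missing database entry. An operator who enables `strict-nametypes` therefore cannot tell from the KDC's output whether clients are being turned away by the new check, which makes the option hard to roll out safely; a distinct log line before the jump, e.g. `kdc_log(context, config, 0, "rejecting krbtgt lookup: unexpected name type");` if the KDC logging helper is in scope here (not visible in the hunk), would make the rejection observable. The early exit also relies on `ret`'s initializer from the declaration hunk at old line 44, which deserves a comment at the `goto`, e.g. `/* ret is still HDB_ERR_NOENTRY */`. `_kdc_db_fetch`'s body begins and ends outside this hunk.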