diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index e26099b38..6b6ea7d49 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -172,19 +172,19 @@ _kdc_find_etype(krb5_context context, krb5_boolean use_strongest_session_key,
 
                 /* check target princ support */
 		key = NULL;
-                while (ret != 0 &&
-                       hdb_next_enctype2key(context, &princ->entry, NULL,
-                                             p[i], &key) == 0) {
-                    if (key->key.keyvalue.length == 0) {
-                        ret = KRB5KDC_ERR_NULL_KEY;
-                        continue;
-                    }
-                    if (is_preauth && !is_default_salt_p(&def_salt, key))
-                        continue;
-                    enctype = p[i];
-                    ret = 0;
-                }
-            }
+		while (hdb_next_enctype2key(context, &princ->entry, NULL,
+					     p[i], &key) == 0) {
+		    if (key->key.keyvalue.length == 0) {
+			ret = KRB5KDC_ERR_NULL_KEY;
+			continue;
+		    }
+		    enctype = p[i];
+		    ret = 0;
+		    if (is_preauth && ret_key != NULL &&
+			!is_default_salt_p(&def_salt, key))
+			continue;
+		}
+	    }
 	}
     } else {
 	/*
@@ -210,10 +210,11 @@ _kdc_find_etype(krb5_context context, krb5_boolean use_strongest_session_key,
 		    ret = KRB5KDC_ERR_NULL_KEY;
 		    continue;
 		}
-		if (is_preauth && !is_default_salt_p(&def_salt, key))
-		    continue;
                 enctype = etypes[i];
 		ret = 0;
+		if (is_preauth && ret_key != NULL &&
+		    !is_default_salt_p(&def_salt, key))
+		    continue;
 	    }
 	}
     }