diff --git a/kdc/kerberos4.c b/kdc/kerberos4.c
index 613acf068..76295f5ab 100644
--- a/kdc/kerberos4.c
+++ b/kdc/kerberos4.c
@@ -109,15 +109,17 @@ db_fetch4(const char *name, const char *instance, const char *realm)
 krb5_error_code
 get_des_key(hdb_entry *principal, krb5_boolean prefer_afs_key, Key **ret_key)
 {
- Key *key = NULL;
 Key *v5_key = NULL, *v4_key = NULL, *afs_key = NULL;
 int i;
 krb5_enctype etypes[] = { ETYPE_DES_CBC_MD5,
 ETYPE_DES_CBC_MD4,
 ETYPE_DES_CBC_CRC };
 
- for(i = 0; i < 3; i++) {
- key = NULL;
+ for(i = 0;
+ i < sizeof(etypes)/sizeof(etypes[0])
+ && (v5_key == NULL || v4_key == NULL || afs_key == NULL);
+ ++i) {
+ Key *key = NULL;
 while(hdb_next_enctype2key(context, principal, etypes[i], &key) == 0) {
 if(key->salt == NULL) {
 if(v5_key == NULL)
@@ -131,24 +133,27 @@ get_des_key(hdb_entry *principal, krb5_boolean prefer_afs_key, Key **ret_key)
 afs_key = key;
 }
 }
- if(v5_key != NULL && v4_key != NULL && afs_key != NULL)
- break;
 }
 
- if(prefer_afs_key)
+ if(prefer_afs_key) {
 if(afs_key)
 *ret_key = afs_key;
 else if(v4_key)
 *ret_key = v4_key;
- else
+ else if(v5_key)
 *ret_key = v5_key;
- else
+ else
+ return KERB_ERR_NULL_KEY;
+ } else {
 if(v4_key)
 *ret_key = v4_key;
 else if(afs_key)
 *ret_key = afs_key;
- else
+ else if(v5_key)
 *ret_key = v5_key;
+ else
+ return KERB_ERR_NULL_KEY;
+ }
 
 if((*ret_key)->key.keyvalue.length == 0)
 return KERB_ERR_NULL_KEY;
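Review bot: The rewritten loop condition compares `i`, which is still declared `int` a few lines above, against `sizeof(etypes)/sizeof(etypes[0])`, which is a `size_t`, so the comparison is carried out in unsigned arithmetic and will draw a sign-compare warning. As far as the hunk shows, `i` is only used to index `etypes`, so declaring it as `size_t i;` keeps the bound tied to the array without the mixed-sign comparison. The body of get_des_key, including the rest of the `while` loop, continues past the end of this hunk.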
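Review bot: The two new `return KERB_ERR_NULL_KEY;` branches leave `*ret_key` unassigned, so a caller that touches its key pointer without first checking the return value would read an indeterminate pointer. Setting `*ret_key = NULL;` at the top of get_des_key would make the failure path deterministic. The same code is also returned just below for a zero-length key, so "principal has no DES key at all" and "key is empty" cannot be told apart by callers or in logs. If that distinction matters when diagnosing failed requests, a short comment or a log line at the new returns would help. The callers are not visible here, and the function continues past the end of the hunk.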