diff --git a/kuser/kinit.c b/kuser/kinit.c index 0fbc899ad..04980e409 100644 --- a/kuser/kinit.c +++ b/kuser/kinit.c @@ -1058,7 +1058,7 @@ get_princ(krb5_context context, krb5_principal *principal, const char *name) user_realm = get_user_realm(context); if (name) { - if (canonicalize_flag || enterprise_flag) + if (enterprise_flag) parseflags |= KRB5_PRINCIPAL_PARSE_ENTERPRISE; parse_name_realm(context, name, parseflags, user_realm, &tmp); diff --git a/lib/krb5/init_creds_pw.c b/lib/krb5/init_creds_pw.c index d84c0f568..105001bf6 100644 --- a/lib/krb5/init_creds_pw.c +++ b/lib/krb5/init_creds_pw.c @@ -426,9 +426,7 @@ get_init_creds_common(krb5_context context, if (ctx->keyproc == NULL) ctx->keyproc = default_s2k_func; - /* Enterprise name implicitly turns on canonicalize */ - if ((ctx->ic_flags & KRB5_INIT_CREDS_CANONICALIZE) || - krb5_principal_get_type(context, client) == KRB5_NT_ENTERPRISE_PRINCIPAL) + if (ctx->ic_flags & KRB5_INIT_CREDS_CANONICALIZE) ctx->flags.canonicalize = 1; ctx->pre_auth_types = NULL; diff --git a/tests/kdc/check-pkinit.in b/tests/kdc/check-pkinit.in index 23947bf5f..2e55e34ae 100644 --- a/tests/kdc/check-pkinit.in +++ b/tests/kdc/check-pkinit.in @@ -202,7 +202,7 @@ ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } ${kdestroy} echo "Trying pk-init (ms upn, enterprise)"; > messages.log -${kinit} --canonicalize \ +${kinit} --canonicalize --enterprise \ -C FILE:${base}/pkinit4.crt,${keyfile2} baz2@test.h5l.se@${R} || \ { ec=1 ; eval "${testfailed}"; } ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } diff --git a/tests/kdc/check-referral.in b/tests/kdc/check-referral.in index 92240c9ac..c4be51bb7 100644 --- a/tests/kdc/check-referral.in +++ b/tests/kdc/check-referral.in 
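Review bot: In get_princ, the changed `if (enterprise_flag)` line means `--canonicalize` no longer sets `KRB5_PRINCIPAL_PARSE_ENTERPRISE`, and nothing at that line or elsewhere in this diff tells users the two options are now independent. An invocation that relied on `--canonicalize` alone for a UPN-style name such as `alias2@${R}@${R}` now passes that string to parse_name_realm without the enterprise flag, which silently changes which identity is requested. I would add a comment above the test, `/* Only --enterprise selects enterprise-name parsing; --canonicalize no longer implies it. */`, and update the kinit option documentation if it describes the old coupling (the man page is not part of this diff). get_princ starts and ends outside the hunk.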
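Review bot: The rewritten condition in get_init_creds_common drops the explanatory comment along with the `KRB5_NT_ENTERPRISE_PRINCIPAL` test, so a library caller that passes an enterprise principal without `KRB5_INIT_CREDS_CANONICALIZE` now leaves `ctx->flags.canonicalize` unset with no hint why. A KDC normally maps an enterprise name to a different client principal, and the reply handling (outside this hunk) presumably accepts a changed client name only when this flag is set, so such callers may start failing; that is worth confirming against the reply check. I would keep a comment at the condition, `/* Enterprise names no longer imply canonicalize; callers must set KRB5_INIT_CREDS_CANONICALIZE explicitly. */`, and record the change in the API documentation for the init-creds options. The function body extends beyond the hunk on both sides.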
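Review bot: The kinit call changed in this check-pkinit.in hunk, and the ones changed in the four check-referral.in hunks that follow, all pass `--canonicalize --enterprise` together, so no test exercises the decoupling this commit introduces. A case with `--enterprise` alone and one with `--canonicalize` alone on a UPN-style name would pin the new semantics and catch a regression to the old implicit coupling. For example, `${kinit} --enterprise --password-file=${objdir}/foopassword alias2@${R}@${R}` followed by either the existing `${klist} | grep` principal check or an expected-failure guard, whichever outcome the new behaviour is meant to produce.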
@@ -137,7 +137,7 @@ ${klist} | grep "Principal: foo@${R}" > /dev/null || \ ${kdestroy} echo "Getting client client tickets (default realm, enterprisename)"; > messages.log -${kinit} --canonicalize \ +${kinit} --canonicalize --enterprise \ --password-file=${objdir}/foopassword foo@${R} || \ { ec=1 ; eval "${testfailed}"; } echo "checking that we got back right principal" @@ -146,7 +146,7 @@ ${klist} | grep "Principal: foo@${R}" > /dev/null || \ ${kdestroy} echo "Getting client alias1 tickets"; > messages.log -${kinit} --canonicalize \ +${kinit} --canonicalize --enterprise \ --password-file=${objdir}/foopassword foo@${R} || \ { ec=1 ; eval "${testfailed}"; } echo "checking that we got back right principal" @@ -156,7 +156,7 @@ ${kdestroy} echo "Getting client alias2 tickets"; > messages.log -${kinit} --canonicalize \ +${kinit} --canonicalize --enterprise \ --password-file=${objdir}/foopassword alias2@${R}@${R} || \ { ec=1 ; eval "${testfailed}"; } echo "checking that we got back right principal" @@ -171,7 +171,7 @@ ${kinit} --password-file=${objdir}/foopassword \ echo "Getting client alias2 tickets (removed)"; > messages.log ${kadmin} modify --alias=alias1 foo@${R} || { ec=1 ; eval "${testfailed}"; } -${kinit} --canonicalize \ +${kinit} --canonicalize --enterprise \ --password-file=${objdir}/foopassword \ alias2@${R}@${R} > /dev/null 2>/dev/null && \ { ec=1 ; eval "${testfailed}"; }
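Review bot: The negative case in the last hunk ("alias2 tickets (removed)") discards both output streams and only tests the exit status, so it passes on any kinit failure, including an unrelated one caused by the newly added `--enterprise`. The test therefore cannot distinguish "the alias no longer resolves" from a failure in option handling or name parsing. Since `messages.log` is truncated just before the call (presumably it is the KDC log), I would assert on the expected reason afterwards, for example `grep "<expected error text>" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }`, with the placeholder replaced by the message the KDC actually logs for an unknown client.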