diff --git a/kdc/bx509d.c b/kdc/bx509d.c
index b3fbcecf7..f94e48ca3 100644
--- a/kdc/bx509d.c
+++ b/kdc/bx509d.c
@@ -1672,7 +1672,10 @@ authorize_TGT_REQ(struct bx509_request_desc *r, const char *cname)
         return bad_500(r, ret, "Out of resources");
     heim_audit_addkv((heim_svc_req_desc)r, KDC_AUDIT_VIS,
                      "requested_krb5PrincipalName", "%s", cname);
-    ret = hx509_request_add_pkinit(r->context->hx509ctx, r->req, cname);
+    ret = hx509_request_add_eku(r->context->hx509ctx, r->req,
+                                ASN1_OID_ID_PKEKUOID);
+    if (ret == 0)
+        ret = hx509_request_add_pkinit(r->context->hx509ctx, r->req, cname);
     if (ret == 0)
         ret = kdc_authorize_csr(r->context, "get-tgt", r->req, p);
     krb5_free_principal(r->context, p);
diff --git a/tests/kdc/check-bx509.in b/tests/kdc/check-bx509.in
index 60070277e..f730646c4 100644
--- a/tests/kdc/check-bx509.in
+++ b/tests/kdc/check-bx509.in
@@ -435,6 +435,7 @@ $klist || { echo "failed to setup kimpersonate credentials"; exit 2; }
 echo "Fetch TGT"
 (set -vx; csr_grant pkinit foo@${R} foo@${R})
+(set -vx; csr_grant eku 1.3.6.1.5.2.3.4 foo@${R})
 token=$(KRB5CCNAME=$cache $gsstoken HTTP@$server)
 if ! (set -vx; curl -o "${cachefile2}" -Lgsf \
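Review bot: The new `hx509_request_add_eku` call in authorize_TGT_REQ passes the bare constant `ASN1_OID_ID_PKEKUOID` with nothing saying which EKU that is or why the server adds it to a caller-supplied CSR, so a reader has to cross-reference the test hunk to learn it is the 1.3.6.1.5.2.3.4 PKINIT client EKU. A comment above the call such as `/* Force the PKINIT client EKU (1.3.6.1.5.2.3.4) onto the CSR before the SAN, so kdc_authorize_csr("get-tgt") evaluates the full set of extensions the issued cert will carry */` would record the intent and the ordering constraint. The error path also deserves a word: when `add_eku` fails, `ret` is left non-zero and control falls through to `krb5_free_principal` and whatever follows, but whether that maps to a distinct error response (as opposed to being reported as a PKINIT SAN failure) is decided outside the hunk, since authorize_TGT_REQ continues past it. It is also not visible here whether `hx509_request_add_eku` deduplicates when the client's CSR already requested the same EKU; if it does not, a comment noting that the authorizer may see the EKU twice would help the next maintainer.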