Renewed tickets can apparently also become unusable across a TGT rekey with a different first enctype, due to this bug. I believe the scenario is identical to the forwarding case. http://mailman.mit.edu.ezproxyberklee.flo.org/pipermail/kerberos/2016-December/021536.html