2 files changed, 13 insertions, 11 deletions

diff --git a/source4/heimdal/lib/krb5/get_for_creds.c b/source4/heimdal/lib/krb5/get_for_creds.c
index ea0bc4ad9ec..adb6000cd64 100644
--- a/source4/heimdal/lib/krb5/get_for_creds.c
+++ b/source4/heimdal/lib/krb5/get_for_creds.c
@@ -378,16 +378,18 @@ krb5_get_forwarded_creds (krb5_context	    context,
 	cred.enc_part.cipher.data = buf;
 	cred.enc_part.cipher.length = buf_size;
     } else {
-	krb5_keyblock *key;
-
-	if (auth_context->local_subkey)
-	    key = auth_context->local_subkey;
-	else if (auth_context->remote_subkey)
-	    key = auth_context->remote_subkey;
-	else
-	    key = auth_context->keyblock;
-	
-	ret = krb5_crypto_init(context, key, 0, &crypto);
+	    /* 
+	     * RFC4120 claims we should use the session key, but Heimdal
+	     * before 0.8 used the remote subkey if it was send in the
+	     * auth_context.  
+	     *
+	     * Lorikeet-Heimdal is interested in windows compatiblity
+	     * more than Heimdal compatability, so we must choose the
+	     * session key, and break forwarding credentials to older
+	     * Heimdal servers. 
+	     */
+
+	ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
 	if (ret) {
 	    free(buf);
 	    free_KRB_CRED(&cred);
diff --git a/source4/heimdal/lib/krb5/rd_cred.c b/source4/heimdal/lib/krb5/rd_cred.c
index ddd5866aeb8..07f142267c0 100644
--- a/source4/heimdal/lib/krb5/rd_cred.c
+++ b/source4/heimdal/lib/krb5/rd_cred.c
@@ -101,7 +101,7 @@ krb5_rd_cred(krb5_context context,
     } else {
 	/* Try both subkey and session key.
 	 * 
-	 * RFC2140 claims we should use the session key, but Heimdal
+	 * RFC4120 claims we should use the session key, but Heimdal
 	 * before 0.8 used the remote subkey if it was send in the
 	 * auth_context.
 	 */