diff --git a/services/univention-s4-connector/modules/univention/s4connector/s4/password.py b/services/univention-s4-connector/modules/univention/s4connector/s4/password.py
index af7ffbe439..4bd358d24f 100644
--- a/services/univention-s4-connector/modules/univention/s4connector/s4/password.py
+++ b/services/univention-s4-connector/modules/univention/s4connector/s4/password.py
@@ -565,6 +565,12 @@ def password_sync_ucs_to_s4(s4connector, key, object):
 else:
 ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: Failed to get LM Password-Hash from S4")
 
+ supplementalCredentials_new = None
+ if krb5Principal:
+ # encoding of Samba4 supplementalCredentials
+ if krb5Key:
+ supplementalCredentials_new = calculate_supplementalCredentials(krb5Key, supplementalCredentials)
+
 modlist = []
 if krb5Principal != userPrincipalName_attr:
 if krb5Principal:
@@ -597,6 +603,17 @@ def password_sync_ucs_to_s4(s4connector, key, object):
 if pwd_set and unicodePwd_new:
 modlist.append((ldap.MOD_REPLACE, 'unicodePwd', unicodePwd_new))
 
+ if supplementalCredentials_new:
+ if supplementalCredentials_new != supplementalCredentials:
+ pwd_set = True
+ modlist.append((ldap.MOD_REPLACE, 'supplementalCredentials', supplementalCredentials_new))
+ # if supplementalCredentials:
+ # modlist.append((ldap.MOD_REPLACE, 'msDS-KeyVersionNumber', krb5KeyVersionNumber))
+ # else:
+ # modlist.append((ldap.MOD_ADD, 'msDS-KeyVersionNumber', krb5KeyVersionNumber))
+ else:
+ ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: no supplementalCredentials_new")
+
 if not ucsLMhash == s4LMhash:
 ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: LM Hash S4: %s LM Hash UCS: %s" % (s4LMhash, ucsLMhash))
 pwd_set = True
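Review bot: The nested `if krb5Principal:` / `if krb5Key:` guards around the new `supplementalCredentials_new` assignment can be a single condition, and the comment placed between them describes the inner call rather than the guard; `if krb5Principal and krb5Key:` with `# encoding of Samba4 supplementalCredentials` directly above the assignment reads more directly. A short why-comment would also help, because the value is now computed before the modlist is assembled instead of at its previous place further down, e.g. `# computed up front so it can be compared against the stored S4 blob while building the modlist`. password_sync_ucs_to_s4 starts before this hunk and continues after it.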
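Review bot: `if supplementalCredentials_new != supplementalCredentials:` compares a freshly encoded blob with the stored one and sets `pwd_set = True` on any byte difference; if calculate_supplementalCredentials is not byte-stable for an unchanged krb5Key (its implementation is not in this diff), every sync run will rewrite supplementalCredentials and, through the `if pwd_set or not supplementalCredentials:` check in the next hunk, also refresh pwdLastSet, which feeds password-expiry handling. A comment stating that assumption would make the dependency explicit, e.g. `# relies on calculate_supplementalCredentials() being deterministic for an unchanged krb5Key; otherwise each sync rewrites the blob and bumps pwdLastSet`. The four commented-out msDS-KeyVersionNumber lines are carried over as dead code and should either be removed or get a one-line reason for staying. The `not supplementalCredentials` disjunct in that same condition existed to force the write that has now moved here; confirm it is still wanted for the pwdLastSet update alone.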
@@ -608,19 +625,6 @@ def password_sync_ucs_to_s4(s4connector, key, object):
 # modlist.append((ldap.MOD_DELETE, 'dBCSPwd', dBCSPwd_attr))
 
 if pwd_set or not supplementalCredentials:
- if krb5Principal:
- # encoding of Samba4 supplementalCredentials
- if krb5Key:
- supplementalCredentials_new = calculate_supplementalCredentials(krb5Key, supplementalCredentials)
- if supplementalCredentials_new:
- modlist.append((ldap.MOD_REPLACE, 'supplementalCredentials', supplementalCredentials_new))
- else:
- ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: no supplementalCredentials_new")
- # if supplementalCredentials:
- # modlist.append((ldap.MOD_REPLACE, 'msDS-KeyVersionNumber', krb5KeyVersionNumber))
- # else:
- # modlist.append((ldap.MOD_ADD, 'msDS-KeyVersionNumber', krb5KeyVersionNumber))
-
 if sambaPwdLastSet is None:
 sambaPwdLastSet = int(time.time())
 newpwdlastset = str(univention.s4connector.s4.samba2s4_time(sambaPwdLastSet))
@@ -689,15 +693,17 @@ def password_sync_s4_to_ucs(s4connector, key, ucs_object, modifyUserPassword=Tru s4_search_attributes = res[0][1] unicodePwd_attr = s4_search_attributes.get('unicodePwd', [None])[0] - if unicodePwd_attr: - ntPwd = binascii.b2a_hex(unicodePwd_attr).upper() + supplementalCredentials = s4_search_attributes.get('supplementalCredentials', [None])[0] + if supplementalCredentials or unicodePwd_attr: + ntPwd = '' + if unicodePwd_attr: + ntPwd = binascii.b2a_hex(unicodePwd_attr).upper() lmPwd = '' dBCSPwd = s4_search_attributes.get('dBCSPwd', [None])[0] if dBCSPwd: lmPwd = binascii.b2a_hex(dBCSPwd).upper() - supplementalCredentials = s4_search_attributes.get('supplementalCredentials', [None])[0] msDS_KeyVersionNumber = s4_search_attributes.get('msDS-KeyVersionNumber', [0])[0] ntPwd_ucs = '' 
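Review bot: With the widened guard `if supplementalCredentials or unicodePwd_attr:`, an S4 object that carries supplementalCredentials but no unicodePwd now enters the block with `ntPwd = ''` instead of being skipped as before; the `if ntPwd != ntPwd_ucs:` check in the next hunk would then queue `('sambaNTPassword', ntPwd_ucs, '')` and set pwd_changed, clearing the UCS NT hash, provided ntPwd_ucs is filled from the UCS object (that assignment is outside the diff). In the same case `calculate_krb5key(unicodePwd_attr, ...)` in the next hunk receives `None` as its first argument; confirm it tolerates that. Limiting the NT-hash update to the case where S4 actually has one, `if unicodePwd_attr and ntPwd != ntPwd_ucs:`, would keep the old behaviour for such objects. password_sync_s4_to_ucs starts before this hunk and continues after it.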
@@ -732,25 +738,29 @@ def password_sync_s4_to_ucs(s4connector, key, ucs_object, modifyUserPassword=Tru
 userPassword_ucs = ucs_object_attributes.get('userPassword', [None])[0]
 krb5KeyVersionNumber = ucs_object_attributes.get('krb5KeyVersionNumber', [None])[0]
 
+ krb5Key_new = ''
+ if supplementalCredentials:
+ if krb5Principal:
+ # decoding of Samba4 supplementalCredentials
+ krb5Key_new = calculate_krb5key(unicodePwd_attr, supplementalCredentials, int(msDS_KeyVersionNumber))
+
 pwd_changed = False
 if ntPwd != ntPwd_ucs:
 pwd_changed = True
 modlist.append(('sambaNTPassword', ntPwd_ucs, str(ntPwd)))
 
- if lmPwd != lmPwd_ucs:
- pwd_changed = True
- modlist.append(('sambaLMPassword', lmPwd_ucs, str(lmPwd)))
-
- if pwd_changed:
+ if supplementalCredentials != krb5Key_new:
 if krb5Principal:
- # decoding of Samba4 supplementalCredentials
- krb5Key_new = calculate_krb5key(unicodePwd_attr, supplementalCredentials, int(msDS_KeyVersionNumber))
-
+ pwd_changed = True
 modlist.append(('krb5Key', krb5Key_ucs, krb5Key_new))
 if int(msDS_KeyVersionNumber) != int(krb5KeyVersionNumber):
 modlist.append(('krb5KeyVersionNumber', krb5KeyVersionNumber, msDS_KeyVersionNumber))
 
- # Append modification as well to modlist, to apply in one transaction
+ if lmPwd != lmPwd_ucs:
+ pwd_changed = True
+ modlist.append(('sambaLMPassword', lmPwd_ucs, str(lmPwd)))
+
+ if pwd_changed:
 if modifyUserPassword:
 modlist.append(('userPassword', userPassword_ucs, '{K5KEY}'))
 else:
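Review bot: `if supplementalCredentials != krb5Key_new:` compares the raw S4 supplementalCredentials blob with the value returned by calculate_krb5key, which two lines later is written as the new `krb5Key`, so the two sides are in different representations; the test is true when the attribute is absent (`None != ''`) and, unless calculate_krb5key hands back the blob itself, also whenever it is present. The practical effect is that every sync sets `pwd_changed = True` for any krb5Principal user, re-queues krb5Key (with `''` when S4 has no supplementalCredentials) and, under modifyUserPassword, rewrites `userPassword` to `{K5KEY}`. The comparison that matches the modlist entry is against the UCS side: `if krb5Key_new and krb5Key_new != krb5Key_ucs:` — krb5Key_ucs is assigned outside the diff, so confirm both values use the same encoding before comparing. Using `None` rather than `''` as the "not computed" marker for `krb5Key_new` would also make the intent clearer than a str placeholder for a key list. password_sync_s4_to_ucs continues past this hunk.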