diff --git a/services/univention-s4-connector/modules/univention/s4connector/s4/password.py b/services/univention-s4-connector/modules/univention/s4connector/s4/password.py
index b4d5d1b..8d396e7 100644
--- a/services/univention-s4-connector/modules/univention/s4connector/s4/password.py
+++ b/services/univention-s4-connector/modules/univention/s4connector/s4/password.py
@@ -166,13 +166,17 @@ def calculate_supplementalCredentials(ucs_krb5key, old_supplementalCredentials):
 krb5_des_crc = ''
 krb_ctr3_salt = ''
 krb_ctr4_salt = ''
+ context = heimdal.context()
+ permitted_enctypes = map(lambda x: x.toint(), context.get_permitted_enctypes())
 for k in ucs_krb5key:
 (keyblock, salt, kvno) = heimdal.asn1_decode_key(k)
-
 key_data = keyblock.keyvalue()
 saltstring = salt.saltvalue()
 enctype = keyblock.keytype()
 enctype_id = enctype.toint()
+ if enctype_id not in permitted_enctypes:
+ ud.debug(ud.LDAP, ud.WARN, "calculate_supplementalCredentials: ignoring enctype '%s', not supported by heimdal" % enctype_id)
+ continue
 ud.debug(ud.LDAP, ud.INFO, "calculate_supplementalCredentials: krb5_keytype: %s (%d)" % (enctype, enctype_id))
 if enctype_id == 18:
 krb5_aes256 = key_data
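Review bot: `permitted_enctypes` is built with `map(...)`, which is a list only on Python 2; under Python 3 it is a one-shot iterator, so the `enctype_id not in permitted_enctypes` test inside the loop would consume it and later keys could be treated as unsupported and silently left out of the synced credentials. Building it as `permitted_enctypes = set(e.toint() for e in context.get_permitted_enctypes())` behaves the same on both versions and makes the membership test independent of order. The new warning prints only the numeric id; formatting it with `% (enctype, enctype_id)` as the INFO line below does would make skipped key types easier to identify in the connector log. The function starts and continues outside the hunk, so whether the rest of it copes with every key being filtered out cannot be confirmed from here and is worth checking.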