diff --git a/base/univention-heimdal/univention-create-keytab b/base/univention-heimdal/univention-create-keytab
index 8a9960b476..e4f35d4490 100755
--- a/base/univention-heimdal/univention-create-keytab
+++ b/base/univention-heimdal/univention-create-keytab
@@ -37,6 +37,7 @@ import binascii
 from optparse import OptionParser
 import tempfile
 import os
+from univention.config_registry import ConfigRegistry
 parser = OptionParser()
 parser.add_option("-k", "--keytab", dest="keytab", help="write keytab to FILE", metavar="FILE")
@@ -58,10 +59,22 @@ if not options.kvno:
 if not options.password:
 parser.error("password argument missing")
+configRegistry = ConfigRegistry()
+configRegistry.load()
+
 keytab_filename = options.keytab
 krb5_context = heimdal.context()
-permitted_enctypes = krb5_context.get_permitted_enctypes()
+
+# Heimdal doesn't ignores the "permitted_enctypes" in krb5.conf during the get_permitted_enctypes() call, so we have to filter explicitly:
+ucr_permitted_enctypes = configRegistry.get('kerberos/defaults/enctypes/permitted', 'aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1')
+ucr_permitted_enctypes_list = ucr_permitted_enctypes.split()
+
+def is_permitted_enctype(etype): return str(etype) in ucr_permitted_enctypes_list
+permitted_enctypes = filter(is_permitted_enctype, krb5_context.get_permitted_enctypes())
+
 permitted_enctypes.reverse()
 temp_keytab_filename = tempfile.mktemp()
 for krb5_enctype in permitted_enctypes:
diff --git a/management/univention-directory-manager-modules/modules/univention/admin/password.py b/management/univention-directory-manager-modules/modules/univention/admin/password.py
index 9979aac916..32978fc6f7 100644
--- a/management/univention-directory-manager-modules/modules/univention/admin/password.py
+++ b/management/univention-directory-manager-modules/modules/univention/admin/password.py
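Review bot: `permitted_enctypes.reverse()` is now called on the result of `filter(...)`, which only works while this script runs under Python 2 where `filter` returns a list; under Python 3 it returns an iterator with no `reverse()` and the script would fail before writing any key, so materialising it as `permitted_enctypes = list(filter(is_permitted_enctype, krb5_context.get_permitted_enctypes()))` keeps it working either way. Nothing checks that the filtered list is non-empty: a typo in the UCR value `kerberos/defaults/enctypes/permitted` (the match is on Heimdal's `str(etype)` spelling) silently produces a keytab with no entries, so a guard such as `if not permitted_enctypes: parser.error("no permitted encryption types left after filtering")` before the loop would surface that. The default enctype string and the `is_permitted_enctype` helper are duplicated verbatim in `krb5_asn1` in password.py in this same commit; a single shared helper would stop the two defaults drifting apart, which matters because the default still lists single-DES and RC4 types that an administrator would use this variable to remove. The comment's "doesn't ignores" reads as contradictory; `# Heimdal ignores "permitted_enctypes" from krb5.conf in get_permitted_enctypes(), so filter explicitly` says what the code does.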
@@ -97,7 +97,17 @@ def krb5_asn1(principal, password, krb5_context=None):
 password = str(password)
 if not krb5_context:
 krb5_context = heimdal.context()
- for krb5_etype in krb5_context.get_permitted_enctypes():
+
+ # Heimdal doesn't ignores the "permitted_enctypes" in krb5.conf during the get_permitted_enctypes() call, so we have to filter explicitly:
+ ucr_permitted_enctypes = configRegistry.get('kerberos/defaults/enctypes/permitted',
+ 'aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1')
+ ucr_permitted_enctypes_list = ucr_permitted_enctypes.split()
+
+ def is_permitted_enctype(etype):
+ return str(etype) in ucr_permitted_enctypes_list
+ permitted_enctypes = filter(is_permitted_enctype, krb5_context.get_permitted_enctypes())
+
+ for krb5_etype in permitted_enctypes:
 if str(krb5_etype) == 'des3-cbc-md5' and configRegistry.is_false('password/krb5/enctype/des3-cbc-md5', True):
 continue
 krb5_principal = heimdal.principal(krb5_context, principal)
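Review bot: When the UCR value `kerberos/defaults/enctypes/permitted` matches none of the names Heimdal reports, `permitted_enctypes` is empty and the `for krb5_etype` loop runs zero times, so as far as this hunk shows krb5_asn1 then quietly yields no Kerberos keys for the principal instead of failing. A truthiness check on the raw `filter` object would not catch this under Python 3 (an iterator is always truthy), so materialise it first, `permitted_enctypes = list(filter(is_permitted_enctype, krb5_context.get_permitted_enctypes()))`, and raise on an empty list, `if not permitted_enctypes: raise ValueError('no permitted Kerberos encryption types configured')`. The body of krb5_asn1 starts before and continues after this hunk, so the actual return path is not visible here; the duplicated default list and the comment wording are raised in the note on univention-create-keytab.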