When the KDC receives a TGS-REQ, it will create the random session key as described in [RFC4120] section 3.1.3. If a TGS-REQ message requesting a FORWARDED ([RFC4120] section 2.6) TGT provides an etype value that is not supported by the KDC, and the client provides a PA-SUPPORTED-ENCTYPES with encryption types the KDC supports, then the KDC MAY select the strongest encryption type that is both included in the PA-SUPPORTED-ENCTYPES and supported by the KDC to generate the random session key. <64> See section for the relative strengths of KILE-supported encryption types.