diff --git a/v8/keytab/keytab.go b/v8/keytab/keytab.go
index 0890fc0d..f0cf6e6e 100644
--- a/v8/keytab/keytab.go
+++ b/v8/keytab/keytab.go
@@ -72,6 +72,7 @@ func New() *Keytab {
 func (kt *Keytab) GetEncryptionKey(princName types.PrincipalName, realm string, kvno int, etype int32) (types.EncryptionKey, int, error) {
 var key types.EncryptionKey
 var t time.Time
+ var kv int
 for _, k := range kt.Entries {
 if k.Principal.Realm == realm && len(k.Principal.Components) == len(princName.NameString) &&
 k.Key.KeyType == etype &&
@@ -86,7 +87,7 @@ func (kt *Keytab) GetEncryptionKey(princName types.PrincipalName, realm string,
 }
 if p {
 key = k.Key
- kvno = int(k.KVNO)
+ kv = int(k.KVNO)
 t = k.Timestamp
 }
 }
@@ -94,7 +95,7 @@ func (kt *Keytab) GetEncryptionKey(princName types.PrincipalName, realm string,
 if len(key.KeyValue) < 1 {
 return key, 0, fmt.Errorf("matching key not found in keytab. Looking for %v realm: %v kvno: %v etype: %v", princName.NameString, realm, kvno, etype)
 }
- return key, kvno, nil
+ return key, kv, nil
 }
 
 // Create a new Keytab entry.
diff --git a/v8/keytab/keytab_test.go b/v8/keytab/keytab_test.go
index f814fff2..00721d62 100644
--- a/v8/keytab/keytab_test.go
+++ b/v8/keytab/keytab_test.go
@@ -10,7 +10,9 @@ import (
 "time"
 
 "github.com/jcmturner/gokrb5/v8/iana/etypeID"
+ "github.com/jcmturner/gokrb5/v8/iana/nametype"
 "github.com/jcmturner/gokrb5/v8/test/testdata"
+ "github.com/jcmturner/gokrb5/v8/types"
 "github.com/stretchr/testify/assert"
 )
 
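Review bot: Nothing at `var kv int` in the first keytab.go hunk, or at its uses in the second and third hunks, says why the result needs its own variable, and `kv` sitting next to the parameter `kvno` is easy to mix up again. A clearer name such as `matchedKVNO`, with a comment like `// kvno is the caller's filter and must not be reassigned in the loop; the matched entry's version is tracked separately`, would protect the fix against regression. The function's doc comment, if one exists above the hunk, should also state that a request with kvno 0 returns the entry with the latest timestamp rather than the highest KVNO, which is what the new test pins (KVNO 4 at t=400 is chosen over KVNO 5 at t=350). Part of the loop's match condition lies between the hunks, so how `kvno` is compared is inferred here rather than visible.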
@@ -221,3 +223,29 @@ func TestKeytabEntriesService(t *testing.T) {
 // Compare content
 assert.Equal(t, generated, ktutilbytes, "Service keytab doesn't match ktutil keytab")
 }
+
+func TestKeytab_GetEncryptionKey(t *testing.T) {
+ princ := "HTTP/princ.test.gokrb5"
+ realm := "TEST.GOKRB5"
+
+ kt := New()
+ kt.AddEntry(princ, realm, "abcdefg", time.Unix(100, 0), 1, 18)
+ kt.AddEntry(princ, realm, "abcdefg", time.Unix(200, 0), 2, 18)
+ kt.AddEntry(princ, realm, "abcdefg", time.Unix(300, 0), 3, 18)
+ kt.AddEntry(princ, realm, "abcdefg", time.Unix(400, 0), 4, 18)
+ kt.AddEntry(princ, realm, "abcdefg", time.Unix(350, 0), 5, 18)
+ kt.AddEntry("HTTP/other.test.gokrb5", realm, "abcdefg", time.Unix(500, 0), 5, 18)
+
+ pn := types.NewPrincipalName(nametype.KRB_NT_PRINCIPAL, princ)
+
+ _, kvno, err := kt.GetEncryptionKey(pn, realm, 0, 18)
+ if err != nil {
+ t.Error(err)
+ }
+ assert.Equal(t, 4, kvno)
+ _, kvno, err = kt.GetEncryptionKey(pn, realm, 3, 18)
+ if err != nil {
+ t.Error(err)
+ }
+ assert.Equal(t, 3, kvno)
+}
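Review bot: Both calls in TestKeytab_GetEncryptionKey discard the returned key (`_, kvno, err := ...`) and every entry is built from the same password `"abcdefg"`, so the test pins only the version number and would still pass if the key of a different entry came back. Since the key/KVNO pairing is what decryption depends on, give each entry a distinct password and assert the key as well, e.g. `key, kvno, err := kt.GetEncryptionKey(pn, realm, 0, 18)` followed by `assert.Equal(t, kt.Entries[3].Key.KeyValue, key.KeyValue)` (assuming AddEntry appends in call order). A further case that requests a KVNO absent from the keytab and asserts a non-nil error would cover the not-found path. The literal `18` could be replaced by the named constant from the already-imported `etypeID` package, and `t.Fatal(err)` would avoid asserting on a result after a failed lookup.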