diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index e51698a2a78..d59a8cff84d 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -132,7 +132,6 @@
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_aa_asserted_identity_both_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_aa_asserted_identity_client_from_rodc\(ad_dc\)
 ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_delegating_proxy_in_network_group_rbcd\(ad_dc\)$
-^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_device_in_authenticated_users_rbcd\(ad_dc\)$
 ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_device_in_network_group_rbcd\(ad_dc\)$
 ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.DeviceRestrictionTests\.test_device_in_network_group\(ad_dc\)$
 ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_device_in_network_group\(ad_dc\)$
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index b8629212e6a..61e833e43cd 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -3484,6 +3484,10 @@ krb5_error_code samba_kdc_check_s4u2proxy_rbcd(
 		session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
 	}
 
+	if (device_info_dc != NULL && !(device_info_dc->info->user_flags & NETLOGON_GUEST)) {
+		session_info_flags |= AUTH_SESSION_INFO_DEVICE_AUTHENTICATED;
+	}
+
 	nt_status = auth_generate_security_token(mem_ctx,
 						 kdc_db_ctx->lp_ctx,
 						 kdc_db_ctx->samdb,