diff --git a/Kerberos.NET/Client/ApplicationSessionContext.cs b/Kerberos.NET/Client/ApplicationSessionContext.cs
index 2ec1f24..9c6323c 100644
--- a/Kerberos.NET/Client/ApplicationSessionContext.cs
+++ b/Kerberos.NET/Client/ApplicationSessionContext.cs
@@ -15,6 +15,10 @@ public class ApplicationSessionContext
 public KrbEncryptionKey SessionKey { get; set; }
+ public KrbEncryptionKey ServiceTicketSessionKey { get; set; }
+
+ public KrbEncryptionKey ClientSubSessionKey { get; set; }
+
 public int? SequenceNumber { get; set; }
 public int CuSec { get; set; }
@@ -37,11 +41,39 @@ public KrbEncryptionKey AuthenticateServiceResponse(ReadOnlyMemory apRepBy
 SequenceNumber = this.SequenceNumber
 };
- decrypted.Decrypt(this.SessionKey.AsKey());
+ DecryptApRep(decrypted);
 decrypted.Validate(ValidationActions.TokenWindow);
 return decrypted.Response.SubSessionKey ?? this.SessionKey;
 }
+
+ private void DecryptApRep(DecryptedKrbApRep decrypted)
+ {
+ foreach (var key in new[]
+ {
+ this.SessionKey,
+ this.ServiceTicketSessionKey,
+ this.ClientSubSessionKey,
+ })
+ {
+ if (key == null)
+ {
+ continue;
+ }
+
+ try
+ {
+ decrypted.Decrypt(key.AsKey());
+ return;
+ }
+ catch (Exception)
+ {
+ // Not this key, continue to the next one
+ }
+ }
+
+ throw new InvalidOperationException("Failed to decrypt AP-REP with any of the provided keys.");
+ }
 }
 }
diff --git a/Kerberos.NET/Client/KerberosClient.cs b/Kerberos.NET/Client/KerberosClient.cs
index 1f22b2b..e0def52 100644
--- a/Kerberos.NET/Client/KerberosClient.cs
+++ b/Kerberos.NET/Client/KerberosClient.cs
@@ -883,6 +883,8 @@ public async Task GetServiceTicket(
 out KrbAuthenticator authenticator
 ),
 SessionKey = authenticator.Subkey ?? serviceTicketCacheEntry.SessionKey,
+ ClientSubSessionKey = authenticator.Subkey,
+ ServiceTicketSessionKey = serviceTicketCacheEntry.SessionKey,
 CTime = authenticator.CTime,
 CuSec = authenticator.CuSec,
 SequenceNumber = authenticator.SequenceNumber
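Review bot: `catch (Exception)` in the new DecryptApRep swallows every failure for every candidate key — a tampered or malformed AP-REP is indistinguishable from a wrong key — and the final InvalidOperationException carries no inner exception, so the caller and the logs lose the actual integrity or parse error. The loop also tries SessionKey first even though the KerberosClient hunk sets it to `authenticator.Subkey ?? serviceTicketCacheEntry.SessionKey`, i.e. the same object as one of the two new properties, so one key is tried twice and the three properties now overlap; consider dropping the redundant SessionKey assignment in KerberosClient or deduplicating here. Per RFC 4120 §3.2.4 the AP-REP is encrypted under the ticket session key, so ServiceTicketSessionKey is the normative candidate and the subkey fallback is an interop concession; a header comment on the method should say so, e.g. `// RFC 4120 §3.2.4: AP-REP is sealed with the ticket session key; the subkey candidate is kept for peers that use the authenticator subkey instead.` The rewrite below keeps the try-each-key behaviour but narrows to `is null`, skips already-tried keys, and preserves the causes (needs System.Collections.Generic in scope).
```csharp
private void DecryptApRep(DecryptedKrbApRep decrypted)
{
    // RFC 4120 §3.2.4: AP-REP is sealed with the ticket session key; the subkey
    // candidate is kept for peers that use the authenticator subkey instead.
    var candidates = new[] { this.ServiceTicketSessionKey, this.SessionKey, this.ClientSubSessionKey };
    var tried = new HashSet<KrbEncryptionKey>();
    var failures = new List<Exception>();

    foreach (var key in candidates)
    {
        if (key is null || !tried.Add(key))
        {
            continue;
        }

        try
        {
            decrypted.Decrypt(key.AsKey());
            return;
        }
        catch (Exception ex)
        {
            // Wrong key or damaged ciphertext; keep the cause for the final error.
            failures.Add(ex);
        }
    }

    throw new InvalidOperationException(
        "Failed to decrypt AP-REP with any of the provided keys.",
        new AggregateException(failures));
}
```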
diff --git a/Kerberos.NET/Crypto/DecryptedKrbApRep.cs b/Kerberos.NET/Crypto/DecryptedKrbApRep.cs
index 13c67a9..ba22adc 100644
--- a/Kerberos.NET/Crypto/DecryptedKrbApRep.cs
+++ b/Kerberos.NET/Crypto/DecryptedKrbApRep.cs
@@ -62,13 +62,13 @@ public override void Validate(ValidationActions validation)
 );
 }
- if (this.SequenceNumber != this.Response.SequenceNumber)
- {
- throw new KerberosValidationException(
- $"SequenceNumber does not match. Sent: {this.SequenceNumber}; Received: {this.Response.SequenceNumber}",
- nameof(this.SequenceNumber)
- );
- }
+ //if (this.SequenceNumber != this.Response.SequenceNumber)
+ //{
+ // throw new KerberosValidationException(
+ // $"SequenceNumber does not match. Sent: {this.SequenceNumber}; Received: {this.Response.SequenceNumber}",
+ // nameof(this.SequenceNumber)
+ // );
+ //}
 }
 }
 }
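Review bot: The sequence-number comparison is left in Validate as seven commented-out lines rather than being deleted, which leaves a security check in limbo with no record of why it was removed. If I read RFC 4120 §5.5.2 correctly, seq-number in EncAPRepPart is the server's initial sequence number rather than an echo of the client's, so the equality test was never mandated; replace the dead block with one explanatory line such as `// seq-number in EncAPRepPart is the server's initial sequence number (RFC 4120 §5.5.2), not an echo of ours, so it is not compared here; ctime/cusec carry the replay binding.` and put the interop motivation in the commit message. With the check gone, the SequenceNumber that ApplicationSessionContext still passes into this object appears to be unused by Validate — worth confirming nothing else reads it before it goes stale. Validate's body begins before this hunk.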