diff --git a/lib/auth/helpers.go b/lib/auth/helpers.go
index 9553f2697cf8c..1d8744d56e2e2 100644
--- a/lib/auth/helpers.go
+++ b/lib/auth/helpers.go
@@ -1095,7 +1095,8 @@ func (t *TestTLSServer) CloneClient(tt *testing.T, clt *authclient.Client) *auth
 // shared between all clients that use the same TLS config.
 // Reusing the cache will skip the TLS handshake and may introduce a weird
 // behavior in tests.
-if !tlsConfig.SessionTicketsDisabled {
+if tlsConfig.ClientSessionCache != nil {
+tlsConfig = tlsConfig.Clone()
 tlsConfig.ClientSessionCache = tls.NewLRUClientSessionCache(utils.DefaultLRUCapacity)
 }
diff --git a/lib/utils/tls.go b/lib/utils/tls.go
index 8f619b63faf80..ca096a523b0a0 100644
--- a/lib/utils/tls.go
+++ b/lib/utils/tls.go
@@ -43,6 +43,11 @@ func SetupTLSConfig(config *tls.Config, cipherSuites []uint16) {
 config.CipherSuites = cipherSuites
 }
+// pre-v17 Teleport uses a client ticket cache, which doesn't play well with
+// verification (both client- and server-side) when using dynamic
+// credentials and CAs (in v17+ Teleport)
+config.SessionTicketsDisabled = true
+
 config.MinVersion = tls.VersionTLS12
 }
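Review bot: The condition now keys on `tlsConfig.ClientSessionCache != nil` instead of `SessionTicketsDisabled`, but the three comment lines above it still explain only why a shared cache is bad, not why a `Clone()` is needed or why a config with no cache is deliberately left un-cloned; a reader cannot tell whether that path is intentional. Suggest a short comment before the new `if`: `// Only clone when a cache is present: a config without one is never mutated here, and cloning keeps the fresh per-client cache out of the config the caller handed in.` Since the same change disables session tickets in lib/utils/tls.go, the replacement cache is presumably inert for resumption on configs that pass through SetupTLSConfig — if so, say that here so nobody later reverts the condition. CloneClient begins and ends outside this hunk.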
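Review bot: `config.SessionTicketsDisabled = true` is set unconditionally, so it silently overrides whatever value the caller placed in `config`, and the new comment gives the version-compatibility motive but not the effect. Go's crypto/tls treats this flag as disabling both session tickets and TLS 1.3 PSK resumption for whichever side the config is used on, so every connection built from a config passed through SetupTLSConfig now performs a full handshake; that trade is likely what is wanted (a resumed session would otherwise let a ticket outlive rotated credentials or CAs), but the comment should state it. Suggest closing the comment with: `// Disabling tickets also disables TLS 1.3 PSK resumption on both client and server, so every connection does a full handshake and is verified against the current credentials and CAs.` The comment also lacks a terminating period. SetupTLSConfig's opening lines are outside this hunk.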