diff --git a/api/client.go b/api/client.go
index 4aee40c0a7252..c6c78ada9e29b 100644
--- a/api/client.go
+++ b/api/client.go
@@ -48,7 +48,7 @@ type Config struct {
 	redirectSetup sync.Once
 
 	// MaxRetries controls the maximum number of times to retry when a 5xx error
-	// occurs. Set to 0 or less to disable retrying.
+	// occurs. Set to 0 or less to disable retrying. Defaults to 0.
 	MaxRetries int
 }
 
@@ -99,8 +99,6 @@ func DefaultConfig() *Config {
 		config.Address = v
 	}
 
-	config.MaxRetries = pester.DefaultClient.MaxRetries
-
 	return config
 }
 
diff --git a/http/sys_seal.go b/http/sys_seal.go
index 2e02f7308ad16..841dc11071828 100644
--- a/http/sys_seal.go
+++ b/http/sys_seal.go
@@ -30,8 +30,13 @@ func handleSysSeal(core *vault.Core) http.Handler {
 
 		// Seal with the token above
 		if err := core.SealWithRequest(req); err != nil {
-			respondError(w, http.StatusInternalServerError, err)
-			return
+			if errwrap.Contains(err, logical.ErrPermissionDenied.Error()) {
+				respondError(w, http.StatusForbidden, err)
+				return
+			} else {
+				respondError(w, http.StatusInternalServerError, err)
+				return
+			}
 		}
 
 		respondOk(w, nil)
diff --git a/http/sys_seal_test.go b/http/sys_seal_test.go
index cc12be41d1d01..83fd3198b5b13 100644
--- a/http/sys_seal_test.go
+++ b/http/sys_seal_test.go
@@ -285,7 +285,7 @@ func TestSysSeal_Permissions(t *testing.T) {
 
 	// We expect this to fail since it needs update and sudo
 	httpResp := testHttpPut(t, "child", addr+"/v1/sys/seal", nil)
-	testResponseStatus(t, httpResp, 500)
+	testResponseStatus(t, httpResp, 403)
 
 	// Now modify to add update capability
 	req = &logical.Request{
@@ -306,7 +306,7 @@ func TestSysSeal_Permissions(t *testing.T) {
 
 	// We expect this to fail since it needs sudo
 	httpResp = testHttpPut(t, "child", addr+"/v1/sys/seal", nil)
-	testResponseStatus(t, httpResp, 500)
+	testResponseStatus(t, httpResp, 403)
 
 	// Now modify to just sudo capability
 	req = &logical.Request{
@@ -327,7 +327,7 @@ func TestSysSeal_Permissions(t *testing.T) {
 
 	// We expect this to fail since it needs update
 	httpResp = testHttpPut(t, "child", addr+"/v1/sys/seal", nil)
-	testResponseStatus(t, httpResp, 500)
+	testResponseStatus(t, httpResp, 403)
 
 	// Now modify to add all needed capabilities
 	req = &logical.Request{