Hi, with the attached patch S4U2Self works for me even on cross-realm environments, I tested this even with AD forest trust. I think this issue is reported in ticket #7022 as well. The idea is to convert in krb5_get_self_cred_from_kdc() the server part of the s4u creds to an enterprise principal before sending it to a different realm and convert it back to a plain principal when coming back to the local realm. I'm not sure if this is the right way to fix it. The patch needs some improvements (coding style, freeing memory, ...) and I'd happy to send a better version but I would like to get some feedback if the general solution seems to be correct or if this issue should be solved differently? Thanks for you help. bye, Sumit