krb5_get_cred_via_tkt() explicitly checks that the requested server principal name is identical to the returned server principal name. This prevents the cross-realm KDC referral logic in get_cred_from_kdc() from working. There should be a way to relax this check, perhaps substituting a check that the cleartext and encrypted server principal names are identical.
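
The difference between the two checks, as an added example (not code from the krb5 source tree): a simplified C model in which `struct princ`, `struct tgs_reply`, `strict_check()` and `relaxed_check()` are hypothetical names and the principals are constructed sample data. It assumes the "returned" name is the one taken from the decrypted part of the reply.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for a principal: realm plus up to two name components. */
struct princ { const char *realm; const char *comp[2]; };

/* Hypothetical model of a TGS reply: the server name is carried in the clear
 * in the ticket and again inside the part encrypted under the reply key. */
struct tgs_reply {
    struct princ ticket_server;  /* cleartext copy */
    struct princ enc_server;     /* copy from the decrypted part */
};

static int princ_equal(const struct princ *a, const struct princ *b)
{
    if (strcmp(a->realm, b->realm) != 0)
        return 0;
    for (int i = 0; i < 2; i++) {
        if ((a->comp[i] == NULL) != (b->comp[i] == NULL))
            return 0;
        if (a->comp[i] != NULL && strcmp(a->comp[i], b->comp[i]) != 0)
            return 0;
    }
    return 1;
}

/* Behaviour described above: the requested name must equal the returned one. */
int strict_check(const struct princ *requested, const struct tgs_reply *rep)
{
    return princ_equal(requested, &rep->enc_server);
}

/* Suggested substitute: only require cleartext name == encrypted name. */
int relaxed_check(const struct tgs_reply *rep)
{
    return princ_equal(&rep->ticket_server, &rep->enc_server);
}

/* Constructed sample data: a service request answered with a referral TGT. */
const struct princ requested = { "A.EXAMPLE", { "host", "svc.b.example" } };
const struct tgs_reply referral = {
    { "A.EXAMPLE", { "krbtgt", "B.EXAMPLE" } },
    { "A.EXAMPLE", { "krbtgt", "B.EXAMPLE" } } };
const struct tgs_reply mismatched = {   /* cleartext differs from encrypted */
    { "A.EXAMPLE", { "krbtgt", "C.EXAMPLE" } },
    { "A.EXAMPLE", { "krbtgt", "B.EXAMPLE" } } };

int main(void)
{
    printf("strict=%d relaxed=%d mismatched=%d\n", strict_check(&requested,
           &referral), relaxed_check(&referral), relaxed_check(&mismatched));
    return 0;
}
```

The referral reply fails the strict comparison but passes the relaxed one, while a reply whose cleartext server name does not match the encrypted copy is still rejected.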