Subject: Unable to get a TGT cross-realm referral

When requesting a TGT for cross-realm, a KDC is permitted to return a TGT for other than the requested realm (see RFC 1510 section 3.3.1). But if this actually happens, the library code will fail with KRB5_KDCREP_MODIFIED. This is due to the code at the end of krb5_get_cred_via_tkt() (which is called by krb5_get_credentials() to get the cross-realm TGT) which verifies that none of the fields in the response from the KDC has changed. Obviously, in the referral case, the TGS service name has changed, and it triggers this code.

I'm not sure if the right answer is that this check should be removed, or the API should be changed to not check to see if the service principal has been changed in the TGS case.
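
The behaviour reported above, modelled as an added example (not code from the krb5 library or from the reporter): a strict reply check that rejects any change to the server principal, next to one possible relaxed check that accepts a TGT for a different realm and nothing else. The `struct princ` type, the function names, the return codes and the sample realms are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for a principal: name/inst@realm (hypothetical type). */
struct princ { const char *name; const char *inst; const char *realm; };

/* REPLY_MODIFIED models the KRB5_KDCREP_MODIFIED outcome; values are local. */
enum { REPLY_OK = 0, REPLY_MODIFIED = 1 };

static int princ_eq(const struct princ *a, const struct princ *b) {
    return !strcmp(a->name, b->name) && !strcmp(a->inst, b->inst) &&
           !strcmp(a->realm, b->realm);
}

/* Strict check: any difference between the requested and the returned
 * server principal is treated as a modified reply. */
int check_strict(const struct princ *req, const struct princ *rep) {
    return princ_eq(req, rep) ? REPLY_OK : REPLY_MODIFIED;
}

/* Relaxed check (one possible approach): an exact match is accepted, and so
 * is a reply where a TGT was requested and a TGT for another realm came back
 * from the same issuing realm. Any other change is still rejected. */
int check_referral(const struct princ *req, const struct princ *rep) {
    if (princ_eq(req, rep))
        return REPLY_OK;
    if (!strcmp(req->name, "krbtgt") && !strcmp(rep->name, "krbtgt") &&
        !strcmp(req->realm, rep->realm) && rep->inst[0] != '\0')
        return REPLY_OK;            /* e.g. krbtgt/B.EXAMPLE@A.EXAMPLE */
    return REPLY_MODIFIED;
}

int main(void) {
    /* Constructed sample: client in A.EXAMPLE asks for a TGT for C.EXAMPLE,
     * the KDC answers with a TGT for the intermediate realm B.EXAMPLE. */
    struct princ want = { "krbtgt", "C.EXAMPLE", "A.EXAMPLE" };
    struct princ got  = { "krbtgt", "B.EXAMPLE", "A.EXAMPLE" };
    printf("strict=%d referral=%d\n",
           check_strict(&want, &got), check_referral(&want, &got));
    return 0;
}
```
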