Concerns I'd have--and note that these are simply concerns I'd have before integrating the patch. The Kerberos working group has decided this is the direction we're going in. How do MIT clients deal with getting a referal they are not expecting? How does this interact with the client-side cross-realm logic in MIT clients?