Hi, I found this old discussion: http://kerberos.996246.n3.nabble.com/AD-SIGNEDPATH-and-cross-realm-td27623.html It seems krb5-1.12 still strips AD-SIGNEDPATH when issuing cross-realm TGT's. Are there any news on this issue? Like Loves suggestion to checksum the AD-SIGNEDPATH with the target realm cross-realm key when issuing cross-ream TGTs? /Peter