FWIW, Heimdal's TGS already does reject requests for clients whose principals should exist int he local HDB but don't. (Obviously this can only be done when the client's realm is also a realm for which the KDC has a database.) Nico --