It seems that the KDC does not listen on TCP by default. It probably should. There were apparently some concerns about limited protection against denial-of-service attacks, but we should establish whether this is actually a problem.