S4U cross realm error

Mukul Agarwal Mukul.Agarwal at citrix.com
Mon Nov 21 11:23:50 EST 2011


Dear Kerberos experts,

I am working on a use case of constrained delegation where I am
trying to get a service ticket for a service using a delegated user on
behalf of an end user. I am experimenting with this using the "kvno" tool, and
I get the correct service ticket if the user and the service are in the same
realm.

However, I get the following error in the cross-realm scenario, where the end
user and the service are in different domains (I have set up a two-way trust for
this).
>kinit -f delegate_user@FOREST2.COM
>kvno -k delegate.keytab -U test1@FOREST1.COM -P cifs/machine-forest2.forest2.com@FOREST2.COM
kvno: Server not found in Kerberos database while getting credentials
for cifs/machine-forest2.forest2.com@FOREST2.COM

Here "delegate_user" (part of forest2) is trying to get a service ticket for
CIFS (in forest2) on behalf of user "test1" (in forest1).

Any help is appreciated.

TIA,
Mukul
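The two-step request described in the post (kinit for a forwardable TGT, then kvno -U/-P for S4U2self followed by S4U2proxy), wrapped as an added shell example that is not part of the original message. It assumes MIT krb5 kinit and kvno on PATH; the keytab path, principals and service name are placeholders copied from the post, and kinit is driven from the keytab (-k -t) rather than interactively as in the post. The helpers principal_realm and same_realm only parse principal strings, so the script can report before contacting any KDC whether the request is the same-realm case that works or the cross-realm case that fails:

```shell
#!/bin/sh
# Added example, not from the original post. Assumes MIT krb5 kinit/kvno.

# Realm part of a principal ("user@REALM" -> "REALM"); empty if none.
principal_realm() {
    case "$1" in
        *@*) printf '%s\n' "${1##*@}" ;;
        *)   printf '\n' ;;
    esac
}

# Exit 0 when both principals name the same (non-empty) realm, 1 otherwise.
same_realm() {
    [ -n "$(principal_realm "$1")" ] &&
    [ "$(principal_realm "$1")" = "$(principal_realm "$2")" ]
}

# Run the S4U2self + S4U2proxy request as in the post:
#   $1 delegate principal (needs a forwardable TGT, hence kinit -f)
#   $2 keytab of the delegate (assumed: also used to obtain the TGT)
#   $3 impersonated end user
#   $4 target service principal
# Prints which case is being exercised, then returns kvno's exit status.
s4u_ticket() {
    delegate=$1; keytab=$2; user=$3; service=$4
    if same_realm "$user" "$service"; then
        echo "same-realm S4U: $user -> $service"
    else
        echo "cross-realm S4U: $user ($(principal_realm "$user")) -> $service ($(principal_realm "$service"))"
    fi
    kinit -f -k -t "$keytab" "$delegate" || return $?
    kvno -k "$keytab" -U "$user" -P "$service"
}

# Placeholder values taken from the post; run only when invoked directly
# with an argument, so sourcing the file for the helpers is side-effect free.
if [ "$1" = "run" ]; then
    s4u_ticket 'delegate_user@FOREST2.COM' delegate.keytab \
               'test1@FOREST1.COM' \
               'cifs/machine-forest2.forest2.com@FOREST2.COM'
fi
```

The kvno invocation is the one from the post (-U for the S4U2self user, -P to continue with S4U2proxy to the positional service principal); a non-zero return from s4u_ticket carries kvno's own exit status, so the "Server not found in Kerberos database" message still comes from kvno on stderr.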