diff --git a/kdc/process.c b/kdc/process.c
index a2d6f05e6..a0f51f278 100644
--- a/kdc/process.c
+++ b/kdc/process.c
@@ -113,7 +113,7 @@ _kdc_audit_addaddrs(kdc_request_t r, HostAddresses *a, const char *key)
     }
 
     for (i = 0; i < 3 && i < a->len; i++) {
-        if (krb5_print_address(&a->val[0], buf, sizeof(buf), NULL) == 0)
+        if (krb5_print_address(&a->val[i], buf, sizeof(buf), NULL) == 0)
             _kdc_audit_addkv(r, 0, key, "%s", buf);
     }
 }
diff --git a/tests/kdc/check-bx509.in b/tests/kdc/check-bx509.in
index dc5a2eba1..481c9b5d8 100644
--- a/tests/kdc/check-bx509.in
+++ b/tests/kdc/check-bx509.in
@@ -556,7 +556,7 @@ if ! (set -vx;
     curl -o "${cachefile}" -Lgsf                                        \
          --resolve ${server}:${bx509port}:127.0.0.1                     \
          -H "Authorization: Negotiate $token"                           \
-         "http://${server}:${bx509port}/get-tgt?cname=bar@${R}&address=8.8.8.8&lifetime=5d"); then
+         "http://${server}:${bx509port}/get-tgt?cname=bar@${R}&address=8.8.8.8&address=8.9.10.11&address=11.11.11.11&address=12.12.12.12&lifetime=5d"); then
     echo "Failed to get a TGT with /get-tgt end-point"
     exit 2
 fi
@@ -589,7 +589,8 @@ ${kgetcred} -H HTTP/${server}@${R} ||
 KRB5CCNAME=$cache $gsstoken HTTP@$server | KRB5_KTNAME="$keytab" $gsstoken -r ||
     { echo "Trivial offline CA test failed (gss-token)"; exit 2; }
 
-grep 'REQ.*wrongaddr' ${objdir}/messages.log ||
+# Check that we get up to three tixaddrs k/v in the log
+grep 'REQ.*numtixaddrs=4 tixaddrs=IPv4:8.8.8.8 tixaddrs=IPv4:8.9.10.11 tixaddrs=IPv4:11.11.11.11 wrongaddr=yes' ${objdir}/messages.log ||
     { echo "KDC not warning about requests from wrong address"; exit 2; }
 
 echo "Fetching a Negotiate token"