diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index 73c149396..70eea0c2f 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -1708,19 +1708,23 @@ server_lookup:
     }
 
     /* check PAC if there is one */
-    if (!cross_realm) {
+    {
 	Key *tkey;
+	krb5_keyblock *tgtkey = NULL;
 
-	ret = hdb_enctype2key(context, &krbtgt->entry, 
-			      krbtgt_etype, &tkey);
-	if(ret) {
-	    kdc_log(context, config, 0,
-		    "Failed to find key for krbtgt PAC check");
-	    goto out;
+	if (!cross_realm) {
+	    ret = hdb_enctype2key(context, &krbtgt->entry, 
+				  krbtgt_etype, &tkey);
+	    if(ret) {
+		kdc_log(context, config, 0,
+			"Failed to find key for krbtgt PAC check");
+		goto out;
+	    }
+	    tgtkey = &tkey->key;
 	}
 
 	ret = check_PAC(context, config, client_principal, 
-			client, server, ekey, &tkey->key, 
+			client, server, ekey, tgtkey,
 			tgt, &rspac, &require_signedpath);
 	if (ret) {
 	    kdc_log(context, config, 0,