diff --git a/lib/krb5/get_cred.c b/lib/krb5/get_cred.c
index 2d28ed47e..05d5ced16 100644
--- a/lib/krb5/get_cred.c
+++ b/lib/krb5/get_cred.c
@@ -792,6 +792,12 @@ get_cred_kdc_capath_worker(krb5_context context,
 				   impersonate_principal,
 				   second_ticket,
 				   *out_creds);
+	    if (ret == 0
+		 && !krb5_principal_compare(context, in_creds->server,
+					    (*out_creds)->server)) {
+		krb5_free_cred_contents(context, *out_creds);
+		ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+	    }
 	    if (ret == 0 && ok_as_delegate == 0)
 		(*out_creds)->flags.b.ok_as_delegate = 0;