diff --git a/lib/krb5/get_for_creds.c b/lib/krb5/get_for_creds.c
index dbb507b60..2efa5b7e8 100644
--- a/lib/krb5/get_for_creds.c
+++ b/lib/krb5/get_for_creds.c
@@ -79,7 +79,10 @@ fail:
 }
 
 /*
- *
+ * Forward credentials for `client' to host `hostname`,
+ * making them forwardable if `forwardable', and returning the
+ * blob of data to sent in `out_data'.
+ * If hostname == NULL, pick it from `server'
  */
 
 krb5_error_code
@@ -95,16 +98,39 @@ krb5_fwd_tgt_creds (krb5_context	context,
     krb5_flags flags = 0;
     krb5_creds creds;
     krb5_error_code ret;
+    krb5_const_realm client_realm;
 
     flags |= KDC_OPT_FORWARDED;
 
     if (forwardable)
 	flags |= KDC_OPT_FORWARDABLE;
 
+    if (hostname == NULL &&
+	krb5_principal_get_type(context, server) == KRB5_NT_SRV_HST) {
+	const char *inst = krb5_principal_get_comp_string(context, server, 0);
+	const char *host = krb5_principal_get_comp_string(context, server, 1);
+
+	if (inst != NULL &&
+	    strcmp(inst, "host") == 0 &&
+	    host != NULL && 
+	    krb5_principal_get_comp_string(context, server, 2) == NULL)
+	    hostname = host;
+    }
+
+    client_realm = krb5_principal_get_realm(context, client);
     
     memset (&creds, 0, sizeof(creds));
     creds.client = client;
-    creds.server = server;
+
+    ret = krb5_build_principal(context,
+			       &creds.server,
+			       strlen(client_realm),
+			       client_realm,
+			       KRB5_TGS_NAME,
+			       client_realm,
+			       NULL);
+    if (ret)
+	return ret;
 
     ret = krb5_get_forwarded_creds (context,
 				    auth_context,