diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index 39d86064d..dd556004d 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -1665,6 +1665,46 @@ server_lookup:
     else
 	rsp = sp;
 
+    /*
+     * Now refetch the primary krbtgt, and get the current kvno (the
+     * sign check may have been on an old kvno, and the server may
+     * have been an incoming trust)
+     */
+
+    ret = krb5_make_principal(context,
+                              &krbtgt_out_principal,
+                              our_realm,
+                              KRB5_TGS_NAME,
+                              our_realm,
+                              NULL);
+    if (ret) {
+        kdc_log(context, config, 4,
+                "Failed to make krbtgt principal name object for "
+                "authz-data signatures");
+        goto out;
+    }
+    ret = krb5_unparse_name(context, krbtgt_out_principal, &krbtgt_out_n);
+    if (ret) {
+        kdc_log(context, config, 4,
+                "Failed to make krbtgt principal name object for "
+                "authz-data signatures");
+        goto out;
+    }
+
+    ret = _kdc_db_fetch(context, config, krbtgt_out_principal,
+			HDB_F_GET_KRBTGT, NULL, NULL, &krbtgt_out);
+    if (ret) {
+	char *ktpn = NULL;
+	ret = krb5_unparse_name(context, krbtgt->entry.principal, &ktpn);
+	kdc_log(context, config, 4,
+		"No such principal %s (needed for authz-data signature keys) "
+		"while processing TGS-REQ for service %s with krbtg %s",
+		krbtgt_out_n, spn, (ret == 0) ? ktpn : "<unknown>");
+	free(ktpn);
+	ret = KRB5KRB_AP_ERR_NOT_US;
+	goto out;
+    }
+
     /*
      * Select enctype, return key and kvno.
      */
@@ -1727,46 +1767,6 @@ server_lookup:
      * backward.
      */
 
-    /* 
-     * Now refetch the primary krbtgt, and get the current kvno (the
-     * sign check may have been on an old kvno, and the server may
-     * have been an incoming trust)
-     */
-    
-    ret = krb5_make_principal(context,
-                              &krbtgt_out_principal,
-                              our_realm,
-                              KRB5_TGS_NAME,
-                              our_realm,
-                              NULL);
-    if (ret) {
-        kdc_log(context, config, 4,
-                "Failed to make krbtgt principal name object for "
-                "authz-data signatures");
-        goto out;
-    }
-    ret = krb5_unparse_name(context, krbtgt_out_principal, &krbtgt_out_n);
-    if (ret) {
-        kdc_log(context, config, 4,
-                "Failed to make krbtgt principal name object for "
-                "authz-data signatures");
-        goto out;
-    }
-
-    ret = _kdc_db_fetch(context, config, krbtgt_out_principal,
-			HDB_F_GET_KRBTGT, NULL, NULL, &krbtgt_out);
-    if (ret) {
-	char *ktpn = NULL;
-	ret = krb5_unparse_name(context, krbtgt->entry.principal, &ktpn);
-	kdc_log(context, config, 4,
-		"No such principal %s (needed for authz-data signature keys) "
-		"while processing TGS-REQ for service %s with krbtg %s",
-		krbtgt_out_n, spn, (ret == 0) ? ktpn : "<unknown>");
-	free(ktpn);
-	ret = KRB5KRB_AP_ERR_NOT_US;
-	goto out;
-    }
-
     /* 
      * The first realm is the realm of the service, the second is
      * krbtgt/<this>/@REALM component of the krbtgt DN the request was