diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 11888804d..fd067659c 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -1613,13 +1613,7 @@ generate_pac(kdc_request_t r, Key *skey)
 krb5_boolean
 _kdc_is_anonymous(krb5_context context, krb5_const_principal principal)
 {
- if ((principal->name.name_type != KRB5_NT_WELLKNOWN &&
- principal->name.name_type != KRB5_NT_UNKNOWN) ||
- principal->name.name_string.len != 2 ||
- strcmp(principal->name.name_string.val[0], KRB5_WELLKNOWN_NAME) != 0 ||
- strcmp(principal->name.name_string.val[1], KRB5_ANON_NAME) != 0)
- return 0;
- return 1;
+ return _krb5_principal_is_anonymous(context, principal, KRB5_ANON_MATCH_ANY);
 }
 static int
diff --git a/kuser/kinit.c b/kuser/kinit.c
index 8cd5f3aa6..8771b1d54 100644
--- a/kuser/kinit.c
+++ b/kuser/kinit.c
@@ -425,18 +425,6 @@ store_ntlmkey(krb5_context context, krb5_ccache id,
 }
 #endif
-static krb5_boolean
-is_anonymous_princ_p(krb5_const_principal principal)
-{
- if ((principal->name.name_type != KRB5_NT_WELLKNOWN &&
- principal->name.name_type != KRB5_NT_UNKNOWN) ||
- principal->name.name_string.len != 2 ||
- strcmp(principal->name.name_string.val[0], KRB5_WELLKNOWN_NAME) != 0 ||
- strcmp(principal->name.name_string.val[1], KRB5_ANON_NAME) != 0)
- return 0;
- return 1;
-}
-
 static krb5_error_code
 get_new_tickets(krb5_context context,
 krb5_principal principal,
@@ -642,7 +630,8 @@ get_new_tickets(krb5_context context,
 krb5_warn(context, ret, "krb5_init_creds_set_keytab");
 goto out;
 }
- } else if (pk_user_id || ent_user_id || is_anonymous_princ_p(principal)) {
+ } else if (pk_user_id || ent_user_id ||
+ _krb5_principal_is_anonymous(context, principal, KRB5_ANON_MATCH_ANY)) {
 } else if (!interactive && passwd[0] == '\0') {
 static int already_warned = 0;
diff --git a/kuser/kuser_locl.h b/kuser/kuser_locl.h
index a0fcc9db6..36a2161fb 100644
--- a/kuser/kuser_locl.h
+++ b/kuser/kuser_locl.h
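Review bot: The new else-if branch in get_new_tickets makes kinit, an application, call the library-private `_krb5_principal_is_anonymous` and, through the `#include "krb5_locl.h"` added to kuser/kuser_locl.h in this same commit, compile against a libkrb5-internal header; that couples the program to libkrb5 internals and to the symbol being kept in libkrb5-exports.def.in and version-script.map, which is fragile for anything built outside this tree. If the predicate is needed outside the library, a public accessor declared in the installed krb5 header, with the KRB5_ANON_MATCH_* values exported beside it, would be the cleaner interface, and the `_krb5_` helper can stay as its implementation. Note also that all three converted call sites pass KRB5_ANON_MATCH_ANY, so the behaviour here is the same as the removed is_anonymous_princ_p; a short comment such as `/* ANY: accept both authenticated and fully anonymous forms, as before */` on the new line would make that intent explicit. The enclosing else-if chain starts and ends outside the hunk.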
@@ -72,6 +72,7 @@
 #include
 #include
 #include
+#include "krb5_locl.h"
 #if defined(HAVE_SYS_IOCTL_H) && SunOS != 40
 #include
diff --git a/lib/krb5/krb5_locl.h b/lib/krb5/krb5_locl.h
index 2f6bc5503..668232d94 100644
--- a/lib/krb5/krb5_locl.h
+++ b/lib/krb5/krb5_locl.h
@@ -402,4 +402,9 @@ struct krb5_plugin_data {
 krb5_get_instance_func_t get_instance;
 };
+/* _krb5_principal_is_anonymous() */
+#define KRB5_ANON_MATCH_AUTHENTICATED 1 /* authenticated with anon flag */
+#define KRB5_ANON_MATCH_UNAUTHENTICATED 2 /* anonymous PKINIT */
+#define KRB5_ANON_MATCH_ANY ( KRB5_ANON_MATCH_AUTHENTICATED | KRB5_ANON_MATCH_UNAUTHENTICATED )
+
 #endif /* __KRB5_LOCL_H__ */
diff --git a/lib/krb5/libkrb5-exports.def.in b/lib/krb5/libkrb5-exports.def.in
index 79821fa35..4423cfb94 100644
--- a/lib/krb5/libkrb5-exports.def.in
+++ b/lib/krb5/libkrb5-exports.def.in
@@ -776,6 +776,7 @@ EXPORTS
 _krb5_pk_octetstring2key
 _krb5_plugin_run_f
 _krb5_enctype_requires_random_salt
+ _krb5_principal_is_anonymous
 _krb5_principal2principalname
 _krb5_principalname2krb5_principal
 _krb5_put_int
diff --git a/lib/krb5/principal.c b/lib/krb5/principal.c
index 206cde1d6..df9c2316b 100644
--- a/lib/krb5/principal.c
+++ b/lib/krb5/principal.c
@@ -1247,6 +1247,32 @@ krb5_principal_is_root_krbtgt(krb5_context context, krb5_const_principal p)
 strcmp(p->name.name_string.val[1], p->realm) == 0;
 }
+/**
+ * Returns true iff name is WELLKNOWN/ANONYMOUS
+ *
+ * @ingroup krb5_principal
+ */
+
+krb5_boolean KRB5_LIB_FUNCTION
+_krb5_principal_is_anonymous(krb5_context context,
+ krb5_const_principal p,
+ unsigned int flags)
+{
+ int anon_realm;
+
+ if ((p->name.name_type != KRB5_NT_WELLKNOWN &&
+ p->name.name_type != KRB5_NT_UNKNOWN) ||
+ p->name.name_string.len != 2 ||
+ strcmp(p->name.name_string.val[0], KRB5_WELLKNOWN_NAME) != 0 ||
+ strcmp(p->name.name_string.val[1], KRB5_ANON_NAME) != 0)
+ return FALSE;
+
+ anon_realm = strcmp(p->realm, KRB5_ANON_REALM) == 0;
+
+ return ((flags & KRB5_ANON_MATCH_AUTHENTICATED) && !anon_realm) ||
+ ((flags & KRB5_ANON_MATCH_UNAUTHENTICATED) && anon_realm);
+}
+
 static int
 tolower_ascii(int c)
 {
diff --git a/lib/krb5/ticket.c b/lib/krb5/ticket.c
index c9523bb56..d514426b7 100644
--- a/lib/krb5/ticket.c
+++ b/lib/krb5/ticket.c
@@ -527,18 +527,6 @@ noreferral:
 }
-static krb5_boolean
-is_anonymous_principal(krb5_context context, krb5_const_principal principal)
-{
- if ((principal->name.name_type != KRB5_NT_WELLKNOWN &&
- principal->name.name_type != KRB5_NT_UNKNOWN) ||
- principal->name.name_string.len != 2 ||
- strcmp(principal->name.name_string.val[0], KRB5_WELLKNOWN_NAME) != 0 ||
- strcmp(principal->name.name_string.val[1], KRB5_ANON_NAME) != 0)
- return 0;
- return 1;
-}
-
 /*
 * Verify returned client principal name in anonymous/referral case
 */
@@ -551,7 +539,7 @@ check_client_mismatch(krb5_context context,
 krb5_keyblock const * key)
 {
 if (rep->enc_part.flags.anonymous) {
- if (!is_anonymous_principal(context, mapped)) {
+ if (!_krb5_principal_is_anonymous(context, mapped, KRB5_ANON_MATCH_ANY)) {
 krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
 N_("Anonymous ticket does not contain anonymous "
 "principal", ""));
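Review bot: The Doxygen block on `_krb5_principal_is_anonymous` states only "Returns true iff name is WELLKNOWN/ANONYMOUS" and documents neither `flags` nor the realm test that follows the name check, so a reader cannot tell from the comment that KRB5_ANON_MATCH_AUTHENTICATED selects the WELLKNOWN/ANONYMOUS name in an ordinary realm, KRB5_ANON_MATCH_UNAUTHENTICATED selects the KRB5_ANON_REALM realm, and flags of 0 always yields FALSE; I would add `@param flags` and `@return` lines saying exactly that, and mention that `context` is unused in the body. The realm comparison `strcmp(p->realm, KRB5_ANON_REALM)` assumes p->realm is non-NULL; if a principal can reach this helper without a realm set, a `p->realm != NULL &&` guard ahead of the strcmp avoids undefined behaviour — whether that can happen is not visible from the hunk. The ticket.c caller in check_client_mismatch and the other two converted sites all pass KRB5_ANON_MATCH_ANY, so the new authenticated/unauthenticated distinction is introduced but not yet exercised anywhere in this commit.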
diff --git a/lib/krb5/version-script.map b/lib/krb5/version-script.map
index a9710a087..0b80a151b 100644
--- a/lib/krb5/version-script.map
+++ b/lib/krb5/version-script.map
@@ -767,6 +767,7 @@ HEIMDAL_KRB5_2.0 {
 _krb5_pk_mk_ContentInfo;
 _krb5_pk_octetstring2key;
 _krb5_plugin_run_f;
+ _krb5_principal_is_anonymous;
 _krb5_principal2principalname;
 _krb5_principalname2krb5_principal;
 _krb5_put_int;