There is a programming error in Heimdal implementation that used an unauthenticated, plain-text version of the KDC-REP service name found in a ticket. Continue reading...