domain but in REALM2 and trying to get cross realm trust working between them.
We are using host-specific mappings in [domain_realm] to do it. There are even [CAPATH] scenarios that customers throw at us where REALMA has a trust for REALMB and REALMC has a trust for REALMB, and users from REALMB must be trusted by REALMA cluster hosts. Imagine every insane heterogeneous configuration troubleshooting possible. We set up and simulate issues across all 3 using the same lab domains and explicit host mappings in [domain_realm] to keep the Kerberos stack straight...
But I have one observation. In your blog you state:
"Since the Microsoft Active Directory implementation does not support per-host Kerberos realm hints, unlike MIT Kerberos or Heimdal, such a request from a Windows client will always fail. It will not be possible to obtain a service ticket in such a situation from Windows machines.
However, when both realms trusting each other are MIT Kerberos, their KDCs and clients can be configured for selective realm discovery."
On the Windows desktops/hosts where we run integration labs with mixed KDC implementations, the approach is to use the Windows shell commands ksetup /addkdc and ksetup /addhosttorealmmap to smooth out cross-realm trust configurations ad hoc between everything. I have not researched whether group policies will do this as well for Windows hosts in a domain... but in a host/desktop-specific scenario it works, and SPNEGO authentication from browsers works to cluster web UIs (as do ODBC and JDBC connections).
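As an added illustration (these are not the commenter's own commands), here is the ksetup sequence the comment describes, run from an elevated PowerShell prompt on a domain-joined Windows client, followed by a check that a service ticket for a mapped host can actually be obtained. The realm, KDC and host names are placeholders and the "tcpsupported" realm flag is an optional assumption about the MIT realm, not something the comment mentions.

```powershell
# Added example: point a Windows client at an MIT Kerberos realm and map
# specific cluster hosts to it, the Windows counterpart of MIT [domain_realm].
# All names below are placeholders (assumed lab values).
$Realm = 'REALMB.EXAMPLE.COM'                         # MIT realm of the cluster
$Kdcs  = @('kdc1.realmb.example.com', 'kdc2.realmb.example.com')
$Hosts = @('master1.cluster.example.net',             # cluster hosts whose DNS
           'gateway.cluster.example.net')             # suffix does not match the realm

# 1. Tell LSA where the KDCs for the foreign realm live (needs an elevated prompt;
#    ksetup writes under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos).
foreach ($kdc in $Kdcs) {
    ksetup /addkdc $Realm $kdc
}

# 2. Per-host realm mapping: SPNs on these hosts belong to $Realm, regardless of
#    their DNS domain. This is what the AD-only path cannot express.
foreach ($h in $Hosts) {
    ksetup /addhosttorealmmap $h $Realm
}

# 3. Optional (assumption): prefer TCP to the MIT KDCs so large tickets are not
#    truncated over UDP.
ksetup /setrealmflags $Realm tcpsupported

# 4. Show what LSA now believes about realms, KDCs and host mappings.
ksetup /dumpstate

# 5. Check: purge cached tickets so a stale cache cannot mask a failure, then ask
#    for a service ticket for the HTTP SPN of a mapped host. If the mapping and the
#    cross-realm trust are right, klist shows a ticket for HTTP/<host>@$Realm.
klist purge
klist get "HTTP/$($Hosts[0])"
klist tickets
```

The klist get step is the useful part of the check: a KDC_ERR_S_PRINCIPAL_UNKNOWN or "realm not found" style error at that point means the client is still asking its own domain controller for the SPN, i.e. the host mapping did not take or the hostname in the SPN differs from the one mapped (case and FQDN matter). Because the mappings are per machine, they have to be repeated on every client, which is the scaling problem the comment's group policy question is getting at.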