diff --git a/examples/GetUserSPNs.py b/examples/GetUserSPNs.py
index 0e0ec6297f..fbb43bea5b 100755
--- a/examples/GetUserSPNs.py
+++ b/examples/GetUserSPNs.py
@@ -79,14 +79,21 @@ def __init__(self, username, password, domain, cmdLineOptions):
 self.__doKerberos = cmdLineOptions.k
 self.__target = None
 self.__requestTGS = options.request
- self.__kdcHost = cmdLineOptions.dc_ip
 self.__saveTGS = cmdLineOptions.save
 self.__requestUser = cmdLineOptions.request_user
+ if cmdLineOptions.kdc_ip is not None:
+ self.__kdcHost = cmdLineOptions.kdc_ip
+ else:
+ self.__kdcHost = cmdLineOptions.dc_ip
+ self.__dcIp = cmdLineOptions.dc_ip
 if cmdLineOptions.hashes is not None:
 self.__lmhash, self.__nthash = cmdLineOptions.hashes.split(':')
 # Create the baseDN
- domainParts = self.__domain.split('.')
+ if cmdLineOptions.base_dn is not None:
+ domainParts = cmdLineOptions.base_dn.split('.')
+ else:
+ domainParts = self.__domain.split('.')
 self.baseDN = ''
 for i in domainParts:
 self.baseDN += 'dc=%s,' % i
@@ -94,8 +101,8 @@ def __init__(self, username, password, domain, cmdLineOptions):
 self.baseDN = self.baseDN[:-1]
 def getMachineName(self):
- if self.__kdcHost is not None:
- s = SMBConnection(self.__kdcHost, self.__kdcHost)
+ if self.__dcIp is not None:
+ s = SMBConnection(self.__dcIp, self.__dcIp)
 else:
 s = SMBConnection(self.__domain, self.__domain)
 try:
@@ -104,7 +111,13 @@ def getMachineName(self):
 logging.debug('Error while anonymous logging into %s' % self.__domain)
 s.logoff()
- return s.getServerName()
+
+ if self.options.base_dn is not None:
+ machineDomain = self.options.base_dn
+ else:
+ machineDomaine = self.__domain
+
+ return '{}.{}'.format(s.getServerName(), machineDomain)
 @staticmethod
 def getUnixTime(t):
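Review bot: The new `-base-dn` value is consumed as a dotted DNS name, not as an LDAP DN: `domainParts = cmdLineOptions.base_dn.split('.')` feeds each dot-separated label into `'dc=%s,'`, so a value of the form `dc=corp,dc=local` would yield a malformed base DN while `corp.local` works. The same value is later appended as a domain suffix in `getMachineName` (third hunk of this file), which confirms it is treated as a domain name. Either the option name and its help text in the `@@ -350` hunk should say so, e.g. `help='Domain (FQDN) whose base DN should be searched, if different from the authentication domain'`, or the code should accept a real DN and use it as-is instead of splitting it. `__init__` starts before this hunk.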
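Review bot: The `else` branch assigns `machineDomaine` (typo), so `machineDomain` is unbound whenever `-base-dn` is not given and the `return '{}.{}'.format(...)` line raises NameError on the default path; the line should read `machineDomain = self.__domain`. The same branch reads `self.options`, but the first hunk copies the parsed options into private attributes rather than keeping the options object, so unless `self.options` is assigned somewhere in `__init__` that is not visible here this is a second failure (AttributeError) on both paths; storing the value once as e.g. `self.__baseDn` in `__init__` and reading that here would match how `__dcIp` and `__kdcHost` are handled. getMachineName begins in the previous hunk and its `try`/`except` body is only partly inside this one.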
@@ -189,14 +202,14 @@ def run(self):
 if self.__doKerberos:
 self.__target = self.getMachineName()
 else:
- if self.__kdcHost is not None:
- self.__target = self.__kdcHost
+ if self.__dcIp is not None:
+ self.__target = self.__dcIp
 else:
 self.__target = self.__domain
 # Connect to LDAP
 try:
- ldapConnection = ldap.LDAPConnection('ldap://%s'%self.__target, self.baseDN, self.__kdcHost)
+ ldapConnection = ldap.LDAPConnection('ldap://%s'%self.__target, self.baseDN, self.__target)
 if self.__doKerberos is not True:
 ldapConnection.login(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)
 else:
@@ -205,7 +218,7 @@ def run(self):
 except ldap.LDAPSessionError, e:
 if str(e).find('strongerAuthRequired') >= 0:
 # We need to try SSL
- ldapConnection = ldap.LDAPConnection('ldaps://%s' % self.__target, self.baseDN, self.__kdcHost)
+ ldapConnection = ldap.LDAPConnection('ldaps://%s' % self.__target, self.baseDN, self.__target)
 if self.__doKerberos is not True:
 ldapConnection.login(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)
 else:
@@ -350,6 +363,12 @@ def run(self):
 group.add_argument('-dc-ip', action='store',metavar = "ip address", help='IP Address of the domain controller. If ' 'ommited it use the domain part (FQDN) ' 'specified in the target parameter')
+ group.add_argument('-kdc-ip', action='store',metavar = "ip address", help='IP Address of the key distribution center. ' 'Useful if the KDC and the DC are in different domains. ' 'If ommited, the DC IP is used')
+ group.add_argument('-base-dn', action='store',metavar = "base dn", help='Base DN of the interogated DC ' '(if different from the one used to authenticate)')
+
 if len(sys.argv)==1:
 parser.print_help()
diff --git a/impacket/krb5/kerberosv5.py b/impacket/krb5/kerberosv5.py
index 7bf560e144..4858aa1f87 100644
--- a/impacket/krb5/kerberosv5.py
+++ b/impacket/krb5/kerberosv5.py
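Review bot: Passing `self.__target` instead of `self.__kdcHost` as LDAPConnection's third argument drops the user-supplied `-dc-ip` on the Kerberos path: there `self.__target` is the `SERVER.domain` string built by `getMachineName`, so the LDAP socket now depends on that name resolving rather than connecting to the address the user gave. If the third argument is the destination address (as its previous use suggests), `self.__dcIp` keeps the option effective and is `None` otherwise, in which case the URL host is used: `ldapConnection = ldap.LDAPConnection('ldap://%s'%self.__target, self.baseDN, self.__dcIp)`. The `ldaps://` retry in the `@@ -205` hunk has the same issue. The Kerberos branch (`else:` at the end of the hunk) continues outside it, so whether `self.__kdcHost` still reaches the Kerberos login call cannot be checked here.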
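Review bot: The two new help strings carry spelling errors that will appear verbatim in `--help`: `'If ommited, the DC IP is used'` should be `'If omitted, the DC IP is used'` and `'Base DN of the interogated DC '` should be `'Base DN of the interrogated DC '`. The pre-existing `-dc-ip` context line has the same `ommited` typo, so fixing all three in one pass would be cheap. The metavar `"base dn"` also deserves a second look since the value is split on `.` in `__init__` and so is a domain name rather than a DN.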
@@ -392,8 +392,10 @@ def getKerberosTGS(serverName, domain, kdcHost, tgt, cipher, sessionKey):
 return r, cipher, sessionKey, newSessionKey
 else:
 # Let's extract the Ticket, change the domain and keep asking
+ # We also interrogate a new KDC. TODO: how to find the KDC associated
+ # with the new domain. For now, we just try to resolve the new domain.
 domain = spn.components[1]
- return getKerberosTGS(serverName, domain, kdcHost, r, cipher, newSessionKey)
+ return getKerberosTGS(serverName, domain, domain, r, cipher, newSessionKey)
 return r, cipher, sessionKey, newSessionKey
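Review bot: Passing `domain` as the `kdcHost` argument of the recursive call discards any explicitly supplied KDC on every referral, and this function in `impacket/krb5/kerberosv5.py` is shared by all callers, not only GetUserSPNs: a caller that passed `kdcHost` precisely because the realm name does not resolve now fails on the first referral with a name-resolution error instead of reaching any KDC. The added comment records this as a TODO, but the behaviour change belongs where callers will see it, e.g. a sentence in the function's docstring stating that on a referral the referred realm name (`spn.components[1]`) is used as the KDC host and must be resolvable. A safer variant would keep `kdcHost` when `spn.components[1]` names the same realm as the `domain` the caller passed (compare case-insensitively before reassigning `domain`) and only fall back to resolving the new name for a genuine cross-realm referral, though callers still lack a way to supply a per-realm KDC. getKerberosTGS starts well before this hunk.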