diff --git a/src/include/k5-trace.h b/src/include/k5-trace.h
index 2d34574863e..926c523bc6b 100644
--- a/src/include/k5-trace.h
+++ b/src/include/k5-trace.h
@@ -357,6 +357,9 @@
     TRACE(c, (c, "TGS request result: {kerr}", code))
 #define TRACE_TKT_CREDS_RETRY_TCP(c)                                    \
     TRACE(c, (c, "Request or response is too big for UDP; retrying with TCP"))
+#define TRACE_TKT_CREDS_SAME_REALM_TGT(c, realm)                        \
+    TRACE(c, (c, "Received TGT referral back to same realm ({data}); trying " \
+              "again without referrals", realm))
 #define TRACE_TKT_CREDS_SERVICE_REQ(c, princ, referral)                 \
     TRACE(c, (c, "Requesting tickets for {princ}, referrals {str}", princ, \
               (referral) ? "on" : "off"))
diff --git a/src/lib/krb5/krb/get_creds.c b/src/lib/krb5/krb/get_creds.c
index f229ba1c343..780e6568b00 100644
--- a/src/lib/krb5/krb/get_creds.c
+++ b/src/lib/krb5/krb/get_creds.c
@@ -557,6 +557,14 @@ step_referrals(krb5_context context, krb5_tkt_creds_context ctx)
         return begin_non_referral(context, ctx);
     }
 
+    /* Active Directory may return a TGT to the local realm.  Try a
+     * non-referral query if we see this. */
+    referral_realm = &ctx->reply_creds->server->data[1];
+    if (data_eq(*referral_realm, ctx->cur_tgt->server->data[1])) {
+        TRACE_TKT_CREDS_SAME_REALM_TGT(context, referral_realm);
+        return begin_non_referral(context, ctx);
+    }
+
     if (ctx->referral_count == 1) {
         /* Cache the referral TGT only if it's from the local realm.
          * Make sure to note the associated authdata, if any. */
@@ -577,7 +585,6 @@ step_referrals(krb5_context context, krb5_tkt_creds_context ctx)
         return KRB5_KDC_UNREACH;
 
     /* Check for referral loops. */
-    referral_realm = &ctx->reply_creds->server->data[1];
     if (seen_realm_before(context, ctx, referral_realm))
         return KRB5_KDC_UNREACH;
     code = remember_realm(context, ctx, referral_realm);