In JDK-8215032 ("Support Kerberos cross-realm referrals (RFC 6806)") we changed the Principal Name type to NT-SRV-HST when requesting TGS Kerberos tickets. This change can be seen in CredentialsUtil::acquireServiceCreds method (sun/security/krb5/internal/CredentialsUtil.java file), which used to contain the line "PrincipalName sname = new PrincipalName(service);" (implicitly meaning an NT-UNKNOWN Service Name Principal) and now creates an instance of PrincipalName with a PrincipalName.KRB_NT_SRV_HST constructor argument.
Even though real-case failures were not noticed as a result of this change, and RFC-4120 - Section 6.2  makes us think that there shouldn't be, we will revert the change to the previous state.
A future enhancement would be to change CredentialsUtil::acquireServiceCreds method signature to receive the Principal Name type by parameter. Krb5Context class, as a method's caller, would need to send the proper value obtained from the Krb5Context::peerName instance.
 - https://tools.ietf.org/html/rfc4120#section-6.2