- Epic
- Resolution: Done
- Major
The method org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator#getAuthenticatedUsername() has unnecessary code to check a realm name.
A SPNEGO authenticator that is configured against realm A can verify a token of a user in realm B if realms A and B have mutual trust. The code breaks the cross-domain trust feature of Kerberos.