diff --git a/federation/kerberos/src/main/java/org/keycloak/federation/kerberos/impl/KerberosUsernamePasswordAuthenticator.java b/federation/kerberos/src/main/java/org/keycloak/federation/kerberos/impl/KerberosUsernamePasswordAuthenticator.java
index fa136220c6..ea3f953c5a 100644
--- a/federation/kerberos/src/main/java/org/keycloak/federation/kerberos/impl/KerberosUsernamePasswordAuthenticator.java
+++ b/federation/kerberos/src/main/java/org/keycloak/federation/kerberos/impl/KerberosUsernamePasswordAuthenticator.java
@@ -115,12 +115,14 @@ public class KerberosUsernamePasswordAuthenticator {
 protected String getKerberosPrincipal(String username) throws LoginException {
 if (username.contains("@")) {
 String[] tokens = username.split("@");
- username = tokens[0];
+
 String kerberosRealm = tokens[1];
- if (kerberosRealm.toUpperCase().equals(config.getKerberosRealm())) {
+ if (!kerberosRealm.toUpperCase().equals(config.getKerberosRealm())) {
 logger.warn("Invalid kerberos realm. Expected realm: " + config.getKerberosRealm() + ", username: " + username);
- throw new LoginException("Invalid kerberos realm");
+ throw new LoginException("Client not found");
 }
+
+ username = tokens[0];
 }
 
 return username + "@" + config.getKerberosRealm();
diff --git a/model/api/src/main/java/org/keycloak/models/UserFederationManager.java b/model/api/src/main/java/org/keycloak/models/UserFederationManager.java
index b4dba675f8..fe96e5af16 100755
--- a/model/api/src/main/java/org/keycloak/models/UserFederationManager.java
+++ b/model/api/src/main/java/org/keycloak/models/UserFederationManager.java
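Review bot: `tokens[1]` in getKerberosPrincipal is read without checking how many parts `username.split("@")` produced, so an input such as `user@` or a bare `@` (split drops trailing empty strings) raises ArrayIndexOutOfBoundsException instead of the declared LoginException, and `a@REALM@x` passes the realm check with everything after the second `@` silently discarded. A guard directly after the split, `if (tokens.length != 2 || tokens[0].isEmpty()) throw new LoginException("Client not found");`, would reject these with the same generic message the hunk already uses. Separately, `toUpperCase()` uses the JVM default locale, so the realm comparison can fail under a Turkish locale; `toUpperCase(Locale.ROOT)` avoids that, provided `java.util.Locale` is imported, which the hunk does not show. The warn line also concatenates the raw, caller-supplied username into the log, so replacing CR/LF before logging is worth considering. The method's closing brace lies outside the hunk.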
@@ -372,7 +372,7 @@ public class UserFederationManager implements UserProvider {
 for (UserCredentialModel cred : input) {
 UserFederationProvider providerSupportingCreds = null;
 
- // Find provider, which supports required credential type
+ // Find first provider, which supports required credential type
 for (UserFederationProvider fedProvider : fedProviders) {
 if (fedProvider.getSupportedCredentialTypes().contains(cred.getType())) {
 providerSupportingCreds = fedProvider;