Currently bkr.common.krb_auth.get_encoded_request() will use the socket.gethostname() value (if none is given) for the host part of a service principal when making a request. Rightly or wrongly, this means that when the client uses one principal for the request and the server uses another principal (e.g. client uses an A record for the host and server uses a CNAME) we get the 'Wrong principal in request' error.
http://gerrit.beaker-project.org/#/c/1691/
Beaker 0.11.3 hot fix has been released.