There are several options that a TGT can have, one of them is being forwardable, another is having one or more IP addresses in it that make it so it cannot be used anywhere else. If the ticket is forwardable, but is tied to IP addresses it will not likely work for storm so we should reject it.
It looks like we can call getClientAddresses() on the ticket and if it returns something then we should reject it. We should also include instructions about how to get a proper ticekt in the error message.
`kinit -A -f`