diff --git a/NEXT_CHANGELOG.md b/NEXT_CHANGELOG.md
index ab5dc4b07..c50cf914b 100644
--- a/NEXT_CHANGELOG.md
+++ b/NEXT_CHANGELOG.md
@@ -6,6 +6,8 @@ ### Bug Fixes
+* Fix proxy SPNego authentication to respect krb5.conf canonicalization settings instead of forcing hostname canonicalization. The SDK now defers to the Kerberos library configuration for hostname resolution. **Migration note**: If you experience new Kerberos authentication failures with proxy servers after upgrading, verify that your `krb5.conf` canonicalization settings (`rdns` and `dns_canonicalize_hostname`) are correctly configured for your environment.
+
 ### Security Vulnerabilities
 ### Documentation
diff --git a/databricks-sdk-java/src/main/java/com/databricks/sdk/core/utils/ProxyUtils.java b/databricks-sdk-java/src/main/java/com/databricks/sdk/core/utils/ProxyUtils.java
index b02a38d39..2f686e9e9 100644
--- a/databricks-sdk-java/src/main/java/com/databricks/sdk/core/utils/ProxyUtils.java
+++ b/databricks-sdk-java/src/main/java/com/databricks/sdk/core/utils/ProxyUtils.java
@@ -128,7 +128,10 @@ public Principal getUserPrincipal() {
 .setDefaultCredentialsProvider(credsProvider)
 .setDefaultAuthSchemeRegistry(
 RegistryBuilder.create()
- .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true))
+ // Use SPNegoSchemeFactory with useCanonicalHostname=false to defer hostname
+ // canonicalization to the Kerberos library based on krb5.conf settings
+ // (rdns, dns_canonicalize_hostname) rather than forcing canonicalization.
+ .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true, false))
 .build());
 }
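Review bot: The comment added above the `register(AuthSchemes.SPNEGO, ...)` call in ProxyUtils.java states as fact that canonicalization is now driven by `rdns` and `dns_canonicalize_hostname`, but which krb5.conf keys are honoured depends on the JVM's Kerberos/GSS provider and version, so that claim should be hedged or checked against the JDKs the SDK supports. Passing `false` stops HttpClient from canonicalizing the proxy host through DNS before it builds the service name, which takes DNS answers out of the SPN choice on the client side. The flip side is that a proxy configured by alias or short name may no longer match its registered principal. I would reword the comment along the lines of `// useCanonicalHostname=false: HttpClient does not canonicalize the proxy host via DNS; any canonicalization is left to the JVM Kerberos provider (krb5.conf handling varies by JDK).` and name the first argument as well (`stripPort=true`), since two bare booleans are hard to read at the call site. The enclosing method starts outside this hunk, and no test covering the new SPN behaviour is visible in the diff.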