diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 45d3f2c3889..6a3e71130df 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -905,6 +905,9 @@ Release 2.8.0 - UNRELEASED
     HADOOP-12681. start-build-env.sh fails in branch-2.
     (Kengo Seki via aajisaka)
 
+    HADOOP-12559. KMS connection failures should trigger TGT renewal.
+    (Zhe Zhang via xyao)
+
 Release 2.7.3 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
index 4698a83c926..b113cecf4d1 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
@@ -474,6 +474,8 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension,
           UserGroupInformation.AuthenticationMethod.PROXY)
                               ? currentUgi.getShortUserName() : null;
 
+      // check and renew TGT to handle potential expiration
+      actualUgi.checkTGTAndReloginFromKeytab();
       // creating the HTTP connection using the current UGI at constructor time
       conn = actualUgi.doAs(new PrivilegedExceptionAction<HttpURLConnection>() {
         @Override