Please review http://cr.openjdk.java.net/~weijun/8227381/webrev.00/
When the client is talking to an old KDC that does not support referrals and only knows DES, it fails like this:

   c: PA_REQ_ENC_PA_REP
   s: KDC_ERR_PREAUTH_FAILED
   c: PA_REQ_ENC_PA_REP + PA_ENC_TIMESTAMP
   s: KDC_ERR_PREAUTH_FAILED
   c: <fallback to no referrals> PA_ENC_TIMESTAMP using aes256-cts
   s: KDC_ERR_PREAUTH_FAILED
   c: <fail because too many KDC_ERR_PREAUTH_FAILED>

With this fix, whenever there is a referrals state change (fallback to no referrals, change realm), the preauth state (pakey and preAuthFailedOnce) is reset, so it will be

   c: PA_REQ_ENC_PA_REP
   s: KDC_ERR_PREAUTH_FAILED
   c: PA_REQ_ENC_PA_REP + PA_ENC_TIMESTAMP
   s: KDC_ERR_PREAUTH_FAILED
   c: <fallback to no referrals with no PAData>
   s: KDC_ERR_PREAUTH_REQUIRED suggesting des-cbc-md5
   c: PA_ENC_TIMESTAMP using des-cbc-md5
   s: AS-REP
   c: <Hooray!>

Thanks,
Max
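The two exchanges above as a runnable model, added here as an example and not code from the JDK or the webrev. The toy `kdc` method, the class name and the client's retry rules are assumptions chosen to reproduce the traces in the message; `resetOnStateChange` stands for the fix.

```java
import java.util.*;

// Simplified model of the AS exchange in the message (illustrative, not JDK code).
public class PreauthResetDemo {
    // Constructed old KDC: no referrals support, DES only (assumed behaviour).
    static String kdc(boolean reqEncPaRep, String tsEtype) {
        if (reqEncPaRep) return "KDC_ERR_PREAUTH_FAILED";
        if (tsEtype == null) return "KDC_ERR_PREAUTH_REQUIRED des-cbc-md5";
        return tsEtype.equals("des-cbc-md5") ? "AS-REP" : "KDC_ERR_PREAUTH_FAILED";
    }

    // resetOnStateChange=true models the fix: preauth state is cleared on fallback.
    static List<String> login(boolean resetOnStateChange) {
        List<String> trace = new ArrayList<>();
        boolean referrals = true, preAuthFailedOnce = false;
        String pakey = null; // etype of the key used for PA_ENC_TIMESTAMP
        for (int i = 0; i < 10; i++) { // hard bound so the model always terminates
            List<String> pa = new ArrayList<>();
            if (referrals) pa.add("PA_REQ_ENC_PA_REP");
            if (pakey != null) pa.add("PA_ENC_TIMESTAMP using " + pakey);
            trace.add("c: " + (pa.isEmpty() ? "<no PAData>" : String.join(" + ", pa)));
            String rep = kdc(referrals, pakey);
            trace.add("s: " + rep);
            if (rep.equals("AS-REP")) return trace;
            if (rep.startsWith("KDC_ERR_PREAUTH_REQUIRED")) {
                pakey = rep.substring(rep.indexOf(' ') + 1); // etype the KDC suggests
            } else if (!preAuthFailedOnce) {
                preAuthFailedOnce = true;                    // one retry allowed
                if (pakey == null) pakey = "aes256-cts";     // client default etype
            } else if (referrals) {
                referrals = false;                           // fallback to no referrals
                if (resetOnStateChange) { pakey = null; preAuthFailedOnce = false; }
            } else {
                trace.add("c: <fail because too many KDC_ERR_PREAUTH_FAILED>");
                return trace;
            }
        }
        return trace;
    }

    public static void main(String[] args) {
        System.out.println("Without reset:");
        login(false).forEach(System.out::println);
        System.out.println("With reset:");
        login(true).forEach(System.out::println);
    }
}
```

Without the reset, the stale aes256-cts `pakey` and the already-set `preAuthFailedOnce` carry over into the non-referral attempt, so the client never sees the KDC's etype hint.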