If the Java Kerberos does end up checking the krb_err, it is important that it not fail if the krb_err does not contain the salt (it must retry) or if it contains something that does not decode as padata. Clarifications leaves the e-data for preauth_failed unspecified.