The Java Kerberos library sometimes cannot use keytabs that contain keys of
encryption types that it does not support, even though the same keytabs
might contain keys of encryption types that it does support. The problem
is that when asked to get a key from the keytab for a service, the library
simply gets the last key from the keytab for that service. It does not
look for keys that it can support. Consequently, when it tries to use
the key, it gets an error.
This creates an interoperability issue. Java clients cannot use keytabs
generated by other systems that support other encryption types and happen
to put those keys after the DES keys.