Cu has proved that kerberos set up correctly by using IE. IE can browse
internet via Kerberos authentication. But JWS cannot.
From network capture, they saw AS-REP "KRB5KDC_ERR_PREAUTH_REQUIRED" and
"KRBKDC_ERR_PREAUTH_FAILED" when allowtgtsessionkey = 0 for request
krbtgt/DOMAIN to AD server. When allowtgtsessionkey = 1, they got TGS-REP
"KRB5KRB_AP_ERR_MODIFIED" for HTTP/squidproxy.domain.
If they disable kerberos pre- authentication for that user and user was KINIT
in JRE/bin before launch JNLP, JWS can download properly.
system configuration
====================
Environment - Squid proxy with Kerberos authentication enabled. Squid OS is
Ubuntu. AD is Windows 2008. Client is Windows 7 x86 with 7u45
javaws -J-Dsun.security.krb5.debug=true <http://your jnlp>
And the log can be found in https://mos-cores.us.oracle.com/web/cores/3-8062194441/tds-2013-11-13/javaws5447623760750531854.log
They use krb5.ini that is available in https://mos-cores.us.oracle.com/web/cores/3-8062194441/tds-2013-11-08/krb5.ini