In JDK-8016594, we've fixed native Windows ccache by acquiring for a ticket using an etype we support but it's still not enough. Out of box this works fine because we will request for aes-128 and Windows will give us an aes-128 key. However, user can customize their krb5.conf file to change the default_tkt_enctypes list. If the perferred etype is des3 (very unlikely but still doable), Windows will still issue an aes-256 ticket because it does not support des3. We should always check for the returned ticket and try the second-preferred etype if we do not support it, and so on.