In Kerberos, a server side program saves long term secret keys into a keytab file and uses it to authenticate AP_REQ messages sent by a client. The AP_REQ is encrypted by the KDC using a key stored in KDC's database. The key is identified by an encryption type and a key version number so that the server can locate the correct key from the keytab. Currently, Java only uses encrytion type to search for the key. If there are multiple keys with the same etype for a given server, it's quite likely that a wrong key is returned. The result is that the AP_REQ message cannot be authenticated and checksum error is thrown.