Each authentication process currently has 3 AS-REQ requests (6 if pre-auth is an issue)
One request for each of the SPNEGO round trips and then one request for the LDAP search.
Attempts to make use of a local ticket cache failed: -
As the keytab had not been read it meant that the requirements for storeKey were not met, this is needed for SPNEGO.
A mechanism to cache the server subject is needed.
The expiration time of the ticket can be obtained to decide how long to cache the ticket for: -
Set<Object> privateCredentials = serverSubject.getPrivateCredentials();
for (Object current : privateCredentials)
if (current instanceof KerberosTicket)