Each authentication process currently has 3 AS-REQ requests (6 if pre-auth is an issue)

One request for each of the SPNEGO round trips and then one request for the LDAP search.

Attempts to make use of a local ticket cache failed: -

<!--
<module-option name="useTicketCache">true</module-option>
<module-option name="renewTGT">true</module-option>
<module-option name="ticketCache">/home/darranl/src/negotiation-as/jboss-4.2.2.GA-AD/testserver.cache</module-option>
-->

As the keytab had not been read it meant that the requirements for storeKey were not met, this is needed for SPNEGO.

<module-option name="storeKey">true</module-option>

A mechanism to cache the server subject is needed.

The expiration time of the ticket can be obtained to decide how long to cache the ticket for: -

Set<Object> privateCredentials = serverSubject.getPrivateCredentials();
for (Object current : privateCredentials)
{
if (current instanceof KerberosTicket)

{ KerberosTicket ticket = (KerberosTicket) current; System.out.println(ticket.getEndTime()); }

}