If we supply a module of our own to handle the server authentication we can solve a couple of problems: -
1 - Detect which Krb5LoginModule is actually available without needing different config for different JVMs
2 - Allow a username / password auth even though the identity will be used later with GSSAPI