In the current implementation of HTTP/SPNEGO feature, the code performs a Krb5LoginModile.login() before any negotiation process. However, any kind of login (including Kerberos 5 and others) should only be started if the underlying GSS calls request it. There may be two kinds of errors here:

1. GSS does not request Kerberos 5 login but we call it
2. GSS may require another mechanism, but have no choice to get a credential for it.