Krb5LoginModule's cleanState() has not clean all temp info. In the case of using tryFirstPass=true, this means if the password given in the sharedState is not correct, the encryption keys generated from the wrong password will not be cleaned before the second try. On the other hand, the class simply uses the existence of the keys to determine if they need to be generated again. Hence even if the correct password is provided in the second try, it will be never used and the authentication will always fail.