- Enhancement
- Resolution: Won't Fix
- P3
- 7
- generic
- generic
Java Kerberos has a full implementation for acquiring the initial TGT, other TGTs, and service tickets. In the standard mode, a username and password are needed to retrieve the initial TGT; for all the other tickets, only the TGT is needed.
For the sake of single sign-on, it would be ideal if the user were prompted for his/her password only once during the whole session. Therefore, if the operating system already has the initial TGT saved in its native credentials cache (ccache), Java should always try to use it. We already support the file-based ccache on *nix and the LSA in-memory cache on Windows.
There are more kinds of ccache now. For example, Mac OS X uses an in-memory ccache of the API type, and various Linux systems can be configured to use the kernel keyring as a ccache. We should support them as well.
There is an extra bug in the current implementation of Credentials.acquireTGTFromCache(name, null):
On a Windows system, when there are both a FILE ccache and an LSA ccache, but the client principal names in the two ccaches are different (say, alice in the FILE ccache and bob in the LSA ccache), then
Credentials.acquireTGTFromCache("bob", null)
will return null. This is because the first TGT found in any of the ccaches is returned and only then compared to the name given. It would be better if the comparison were performed inside each ccache, so that a non-matching TGT in one cache does not hide a matching TGT in another.
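The lookup bug described above, modelled as an added example (not JDK code): a small stand-in for two credential caches, the first-found-then-compare lookup the report describes, and a per-cache lookup that matches the principal inside each ccache. The cache kinds and principal names (alice in FILE, bob in LSA) follow the report; the Tgt structure and the default-principal handling when name is None are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Tgt:
    client: str  # client principal, e.g. "alice" (constructed, realm omitted)
    cache_kind: str  # which ccache the ticket came from, for illustration


class CCache:
    """Constructed stand-in for one native credentials cache (FILE, LSA, API, KEYRING ...)."""

    def __init__(self, kind: str, clients: List[str]):
        self.kind = kind
        self.tgts = [Tgt(c, kind) for c in clients]

    def first_tgt(self) -> Optional[Tgt]:
        """The cache's default TGT: the first one stored."""
        return self.tgts[0] if self.tgts else None

    def tgt_for(self, client: Optional[str]) -> Optional[Tgt]:
        """Match the requested principal inside this cache; None means 'use the default'."""
        if client is None:
            return self.first_tgt()
        return next((t for t in self.tgts if t.client == client), None)


def acquire_tgt_buggy(name: Optional[str], caches: List[CCache]) -> Optional[Tgt]:
    # Behaviour described in the report: the first TGT found in any ccache is
    # returned, and only afterwards compared with the requested name.
    for cache in caches:
        tgt = cache.first_tgt()
        if tgt is not None:
            return tgt if name is None or tgt.client == name else None
    return None


def acquire_tgt_fixed(name: Optional[str], caches: List[CCache]) -> Optional[Tgt]:
    # Proposed behaviour: perform the comparison inside each ccache and keep
    # searching when the current cache holds no TGT for the requested principal.
    for cache in caches:
        tgt = cache.tgt_for(name)
        if tgt is not None:
            return tgt
    return None


# Constructed Windows scenario from the report: alice in FILE, bob in LSA.
CACHES = [CCache("FILE", ["alice"]), CCache("LSA", ["bob"])]
```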