The account name is used as salt in generating keys in Kerberos. If the client provides a case-insensitive account name (say, dummy -> DUMMY) at login time, the server informs the client the correct salt so that the login still works fine.

There are two channels for the correct salt to be sent to client:

1. In KRB-ERROR to the first AS-REQ, if preauth is required but not sent
2. In AS-REP to the first (or second) AS-REQ

Currently Java supports the 1st one, which means, if the server has turned preauth requirement for a client off, the client cannot decoded the correct salt, and generates a wrong key, which results in a "KrbException: Integrity check on decrypted field failed (31)".

We need to support the 2nd option as well. In fact, that is the recommended option in RFC 4120. In the following section, we can see the KRB-ERROR is used to provide enctype info, and AS-REP used for salt info.

5.2.7.5. PA-ETYPE-INFO2

   The ETYPE-INFO2 pre-authentication type is sent by the KDC in a
   KRB-ERROR indicating a requirement for additional pre-authentication.
   It is usually used to notify a client of which key to use for the
   encryption of an encrypted timestamp for the purposes of sending a
   PA-ENC-TIMESTAMP pre-authentication value. It MAY also be sent in an
   AS-REP to provide information to the client about which key salt to
   use for the string-to-key to be used by the client to obtain the key
   for decrypting the encrypted part the AS-REP.

Besides PA-ETYPE-INFO2, PA-ETYEPE-INFO and PA-PW-SALT can also be used in suggesting correct salt.