An acceptor finds a key from keytab to decrypt AP-REQ. If there is no exact kvno match we would return a key with the highest kvno (see JDK-7197159). If the key cannot decrypt the message we report an decryption error which usually looks like "Checksum failed". This can be enhanced since the more likely reason is that we don't have the key with the matching kvno. We can consider a better exception message and/or extra debug outputs.