A Bug in Kerberos used by Java's HTTP
By Weijun on Feb 28, 2014
A web page that is behind "Windows Authentication" is in fact protected by Kerberos and NTLM, and is accessible whichever auth scheme a client supports. In JDK 7, Kerberos works out-of-the-box on a Windows machine that already joins a domain (well, not exactly, see below), so it's always tried first. However, without the allowtgtsessionkey registry key being set, Java still needs a password to login. There is no way to get this password (unless you program JAAS directly) so Java tries the empty password. Obviously, the KDC (Windows domain controller) does not like it and blocks the user if it's tried multiple times.
The thread mentions the .java.login.config trick. When Java wants to use that file but cannot find it, it just fails without trying to login at all. The bug report mentions that disabling kerberos pre-authentication is also a workaround. In this case, no encrypted timestamp is sent so the KDC has no chance to know the client does not have the correct password.
In all these cases, Kerberos always fails and Java falls back to NTLM and the web page is still reached. However, the terrible thing about the empty password case is that you can read the page when you first access it, but if you access it again and again, your account is finally blocked and even NTLM does not work anymore.