This sounds like the problem with Java 1.4 assuming it know
the “salt” to use for a user, and taking a short cut with the
Kerberos protocol, skipping the first step of asking the KDC for
any pre-auth parameters including the salt assuming it knew the salt.
The salt for DES is the realm concatenated with the principle name
components as of the last time the password was changed. The salt is
concatenated with the password as input to a string-to-key function
to get a key. The client and server do need to use the same salt.

Google for java pre-auth


> Is that possible to specify to the JVM that we want to authenticate
> users with SAM rather UPN, and How ?
> Have you any idea and suggestions, please ?

I believe it is fixed in 1.6