The JAAS Kerberos Module, which is used inside, has sometimes problems to load the keytab out of the classpath. Esp. in some Java EE containers like Weblogic and JBoss AS. These containers often don't place the classpath directly in the filesystem, and the JAAS Kerberos Module seems to be unable to load from a classpath which is not directly a filesystem path. Spring Security will for example create a URL like: "zip:C:/xxx/_WL_user/spring-security-kerberos-sample-1/bd3bji/war/WEB-INF/lib/_wl_cls_gen.jar!/s-j-xxx.keytab", and passes this to the JAAS Module as the location for the keytab, but the JAAS module will then fail with the message: "Key for the principal xxx@DOMAIN.COM not available in ..._wl_cls_gen.jar!/s-j-xxx.keytab".
A solution is, to place the keytab outside of the classpath and specify the direct path in the Spring config, like "file:C:/etc/keytab-test_example_com.keytab". As the keytab is always specific to one host and also needs to have special protection, it shouldn't be placed in the classpath at all.
The JAAS module also seems to have problems when the path contains whitespaces.