If krb5_get_init_creds() gets an error, it will retry the request
against the master KDC.  This doesn't involve any more user interaction,
since the password is cached in a callback structure.  But in the
hardware preauthentication case, a user is asked for their hardware
token multiple times.

The library needs to cache the hardware token information so it doesn't
prompt the user for the token again.