diff --git a/src/share/classes/javax/security/auth/kerberos/KeyTab.java b/src/share/classes/javax/security/auth/kerberos/KeyTab.java
index 631b7d022751a9393ab6c91da43cda2aa8e8534c..db815395e3ac48a0db2bed9d0b6fc20b3a188d42 100644
--- a/src/share/classes/javax/security/auth/kerberos/KeyTab.java
+++ b/src/share/classes/javax/security/auth/kerberos/KeyTab.java
@@ -26,6 +26,7 @@
 package javax.security.auth.kerberos;
 
 import java.io.File;
+import java.security.AccessControlException;
 import java.util.Objects;
 import sun.security.krb5.EncryptionKey;
 import sun.security.krb5.KerberosSecrets;
@@ -214,9 +215,22 @@ public final class KeyTab {
         return new KeyTab(princ, null, true);
     }
 
-    //Takes a snapshot of the keytab content
+    // Takes a snapshot of the keytab content. This method is called by
+    // JavaxSecurityAuthKerberosAccessImpl so no more private
     sun.security.krb5.internal.ktab.KeyTab takeSnapshot() {
-        return sun.security.krb5.internal.ktab.KeyTab.getInstance(file);
+        try {
+            return sun.security.krb5.internal.ktab.KeyTab.getInstance(file);
+        } catch (AccessControlException ace) {
+            if (file != null) {
+                // It's OK to show the name if caller specified it
+                throw ace;
+            } else {
+                AccessControlException ace2 = new AccessControlException(
+                        "Access to default keytab denied (modified exception)");
+                ace2.setStackTrace(ace.getStackTrace());
+                throw ace2;
+            }
+        }
     }
 
     /**