
configuring credentials cache for users with alternate security identities set


We've got a fairly new Active Directory setup here with a Server 2008R2 domain controller and a number of Windows 2008R2 client workstations. Users are created in Active Directory with a "user mapping" as documented at http://technet.microsoft.com/en-us/library/bb742433.aspx (among other places) to authenticate those users against an external Kerberos KDC with all our users' authentication data in it. The trust relationship between the KDC and the Active Directory domain controller is established and is able to authenticate users. This is a university environment in teaching labs, and all our users' password data is already on the KDC.

The problem we have encountered is when users set their KDC password and then try to go to a Windows 7 workstation to log in. Sometimes, but not always, the user is not able to log in.

Most of the time (95%+), running gpupdate /sync will clear up the issue (after reboot) and allow the user to log in. In some cases, a second gpupdate /sync is necessary. At the end of this week's lab session (30-45 minutes in length), users who had trouble logging in at the beginning of class were able to log in successfully without the gpupdate run.

This looks like a credentials cache issue somewhere, but we have not been able to find the cause.

I have tried enabling the "Network access: Do not allow storage of passwords and credentials for network authentication" policy item to no avail.

Anyone else experience this issue, or know what is the likely cause?
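As an added diagnostic (not part of the original post or of any Microsoft tooling), the following PowerShell audits the "user mapping" the post describes: it lists every AD user with an alternate security identity, flags entries that are not in the `Kerberos:principal@REALM` form, reports mappings to an unexpected realm, and detects two accounts mapped to the same principal. It assumes the ActiveDirectory RSAT module is installed and that `EXAMPLE.EDU` stands in for the external KDC's realm, which the post does not name.

```powershell
# Added diagnostic, not from the original post. Requires the ActiveDirectory
# module and read access to user objects in the domain.
Import-Module ActiveDirectory

# Placeholder: the external Kerberos realm is not named in the post.
$ExpectedRealm = 'EXAMPLE.EDU'

# Every user that carries at least one alternate security identity (user mapping).
$users = Get-ADUser -Filter 'altSecurityIdentities -like "*"' `
                    -Properties altSecurityIdentities, SamAccountName

$findings = New-Object System.Collections.Generic.List[object]
$seen     = @{}   # principal -> list of AD accounts that map to it

foreach ($u in $users) {
    foreach ($entry in $u.altSecurityIdentities) {
        # Mappings to a foreign KDC take the form Kerberos:principal@REALM.
        if ($entry -notmatch '^Kerberos:(?<principal>[^@]+)@(?<realm>.+)$') {
            $findings.Add([pscustomobject]@{
                User = $u.SamAccountName; Entry = $entry
                Problem = 'Not a Kerberos:principal@REALM mapping' })
            continue
        }
        $principal = $Matches['principal']; $realm = $Matches['realm']

        if ($realm -ne $ExpectedRealm) {
            $findings.Add([pscustomobject]@{
                User = $u.SamAccountName; Entry = $entry
                Problem = "Mapped to realm '$realm', expected '$ExpectedRealm'" })
        }

        $key = "$principal@$realm"
        if (-not $seen.ContainsKey($key)) { $seen[$key] = @() }
        $seen[$key] += $u.SamAccountName
    }
}

# A principal mapped to more than one AD account is ambiguous and will not
# resolve cleanly at logon, so report it alongside the per-entry findings.
foreach ($kv in $seen.GetEnumerator()) {
    if ($kv.Value.Count -gt 1) {
        $findings.Add([pscustomobject]@{
            User = ($kv.Value -join ', '); Entry = "Kerberos:$($kv.Key)"
            Problem = 'Same principal mapped to multiple accounts' })
    }
}

$findings | Format-Table -AutoSize
```

Run it from a domain-joined host as a user allowed to read the directory; an empty table means every mapping is well-formed, points at the expected realm, and is unique.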
