cgaurav20: In our case, only a few users were affected. A new user (Not copied) can be created for testing.
If the new user has no problems, it is probably the AES128 and AES256 bit options under <UserObject>->Account-> Scroll down a little.
We have not modified any policies to solve the problem.
I have tested this in a VM: once "msDS-SupportedEncryptionTypes" is set for the user, the problems appear until the option is reverted.
You can check with:
Get-ADUser -Filter * -Properties msDS-SupportedEncryptionTypes | ft msDS-SupportedEncryptionTypes, name, UserPrincipalName -AutoSize
The event log will show the entries as soon as one of the affected users does anything with Kerberos...
If you see tickets (elevated cmd) with "klist -li 0x3e7"
but none (non-elevated cmd) for "klist",
it's likely to be a user problem.
I suspect that the options in the user object from the bitmask still contain the old disabled protocols. However, this is only a guess.
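The bitmask mentioned in the post can be decoded per account to see which encryption types each value actually carries. The PowerShell below is an added example, not part of the original post; the bit values are the standard msDS-SupportedEncryptionTypes flags, while the function name Get-EncTypeReport and the sample accounts are constructed for illustration.

```powershell
# Added example: decode msDS-SupportedEncryptionTypes and flag values that
# carry legacy DES/RC4 bits or no AES bit at all.
# Get-EncTypeReport and the sample accounts are hypothetical names.
$EncTypeBits = @(
    @{ Bit = 0x01; Name = 'DES-CBC-CRC' },
    @{ Bit = 0x02; Name = 'DES-CBC-MD5' },
    @{ Bit = 0x04; Name = 'RC4-HMAC' },
    @{ Bit = 0x08; Name = 'AES128-CTS-HMAC-SHA1-96' },
    @{ Bit = 0x10; Name = 'AES256-CTS-HMAC-SHA1-96' }
)

function Get-EncTypeReport {
    param(
        [string]$Name,
        [AllowNull()][Nullable[int]]$Mask
    )
    # Null or 0 means the attribute carries no per-account restriction.
    if (-not $Mask) {
        return [pscustomobject]@{
            Name = $Name; Mask = '(not set)'; Types = ''
            Finding = 'No per-account restriction'
        }
    }
    $value = [int]$Mask
    $names = @(foreach ($e in $EncTypeBits) {
        if ($value -band $e.Bit) { $e.Name }
    })
    # Report bits outside the five decoded here instead of dropping them.
    $other = $value -band (-bnot 0x1F)
    if ($other) { $names += ('Other(0x{0:X})' -f $other) }

    $finding = if (-not ($value -band 0x18)) { 'No AES bit set' }
    elseif ($value -band 0x07) { 'AES plus legacy DES/RC4 bits' }
    else { 'AES only' }

    [pscustomobject]@{
        Name = $Name; Mask = ('0x{0:X}' -f $value)
        Types = ($names -join ', '); Finding = $finding
    }
}

# Constructed sample values. Against a real domain, pipe in the output of
# Get-ADUser -Filter * -Properties msDS-SupportedEncryptionTypes instead.
$samples = @(
    @{ Name = 'user-a'; Mask = $null },
    @{ Name = 'user-b'; Mask = 24 },
    @{ Name = 'user-c'; Mask = 4 },
    @{ Name = 'user-d'; Mask = 28 }
)
$samples | ForEach-Object { Get-EncTypeReport -Name $_.Name -Mask $_.Mask } |
    Format-Table -AutoSize
```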