Forum Discussion
Event 4768 for one user
Event ID 4768 with Result Code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) indicates that the Key Distribution Center (KDC) could not locate the client principal specified in the Kerberos AS-REQ. Although this often means "user not found", it can also occur when the account exists but Kerberos is receiving an unexpected or incorrect identity.
Since the user was able to log on previously and this started only recently, I would check the following:
Verify the account actually exists on the DC processing the request
Get-ADUser username
Also verify:
Account is enabled
Account has not expired
UserPrincipalName (UPN) is correct
sAMAccountName hasn't been modified
Check which Domain Controller is handling the authentication
If only one DC returns Event 4768 with 0x6, compare AD replication:
repadmin /replsummary
repadmin /showrepl
dcdiag /test:Advertising
A replication issue could cause one DC to have stale directory information.
Verify the workstation is using only AD DNS servers
Incorrect DNS (public DNS, stale records, VPN DNS, etc.) can cause the client to contact the wrong KDC.
ipconfig /all
nltest /dsgetdc:<domain>
Look at the 4768 event details
Pay particular attention to:
Client Address
Target User Name
Supplied Realm Name
Certificate Information (if Smart Card authentication is used)
Sometimes the client is actually sending an incorrect UPN or realm.
Check for duplicate UPNs
A duplicate UPN can also cause Kerberos lookup issues.
Get-ADUser -Filter * -Properties UserPrincipalName |
Group-Object UserPrincipalName |
Where-Object Count -gt 1
Test with another workstation
If the user can authenticate from another computer, the problem is likely local to the original workstation (cached credentials, Kerberos cache, DNS, or machine secure channel).
You can also clear the Kerberos cache:
klist purge
or verify the secure channel:
Test-ComputerSecureChannel -Verbose
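The account, DC and event-field checks from the reply above, run together against the one DC that logged the failures, as an added example that is not part of the original post. It pulls 4768 events with Status 0x6 from that DC's Security log, extracts Target User Name, Supplied Realm Name, Client Address and certificate issuer from the event XML, and then looks each target principal up on the same DC (exists, enabled, not expired, locked out, UPN present, UPN not duplicated). It assumes the RSAT ActiveDirectory module is installed and the caller can read the DC's Security log; the `$DomainController` and `$Hours` parameters and the function names are mine. Client-side DNS, `klist purge` and the secure-channel test stay as in the post, since they must run on the workstation.

```powershell
<#
  Added triage script for Event 4768 / Status 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN).
  Not code from the original post. Assumes RSAT ActiveDirectory and rights to read
  the DC's Security log; $DomainController, $Hours and the function names are mine.
#>
param(
    [string]$DomainController = $env:COMPUTERNAME,   # the DC that logged the 4768s
    [int]$Hours = 24
)

Import-Module ActiveDirectory -ErrorAction Stop

# Turn one 4768 EventRecord into the fields that matter for a 0x6 investigation.
# 4768 EventData names: TargetUserName, TargetDomainName (Supplied Realm Name),
# IpAddress (Client Address), Status, CertIssuerName (smart card logons only).
function ConvertFrom-KerberosAsReqEvent {
    param([Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    [pscustomobject]@{
        TimeCreated   = $Event.TimeCreated
        TargetUser    = $data['TargetUserName']
        SuppliedRealm = $data['TargetDomainName']
        ClientAddress = $data['IpAddress'] -replace '^::ffff:', ''   # strip IPv4-mapped prefix
        Status        = $data['Status']
        CertIssuer    = $data['CertIssuerName']
    }
}

# Check one client principal against a specific DC, not whichever DC the cmdlet picks,
# so a replication lag on that DC shows up as "not found here".
function Test-KerberosPrincipalOnDc {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Server
    )
    # The AS-REQ may carry user@REALM or DOMAIN\user; derive a bare sAMAccountName as well.
    $sam   = ((($Name -split '@')[0] -split '\\')[-1]) -replace "'", "''"
    $upn   = $Name -replace "'", "''"
    $props = 'Enabled', 'AccountExpirationDate', 'UserPrincipalName', 'SamAccountName', 'LockedOut'
    $match = @(Get-ADUser -Server $Server -Properties $props `
                  -Filter "SamAccountName -eq '$sam' -or UserPrincipalName -eq '$upn'")

    $findings = [System.Collections.Generic.List[string]]::new()
    if ($match.Count -eq 0) {
        $findings.Add("principal not found on $Server (compare other DCs; repadmin /showrepl)")
        return [pscustomobject]@{ Name = $Name; Found = $false; Findings = $findings }
    }
    if ($match.Count -gt 1) { $findings.Add("ambiguous: $($match.Count) objects match") }

    $user = $match[0]
    if (-not $user.Enabled) { $findings.Add('account is disabled') }
    if ($user.LockedOut)    { $findings.Add('account is locked out') }
    if ($user.AccountExpirationDate -and $user.AccountExpirationDate -lt (Get-Date)) {
        $findings.Add("account expired on $($user.AccountExpirationDate)")
    }
    if ($user.UserPrincipalName) {
        $dupUpn = $user.UserPrincipalName -replace "'", "''"
        $dupes  = @(Get-ADUser -Server $Server -Filter "UserPrincipalName -eq '$dupUpn'")
        if ($dupes.Count -gt 1) {
            $findings.Add("duplicate UPN $($user.UserPrincipalName) on $($dupes.Count) objects")
        }
    } else {
        $findings.Add('UPN is empty')
    }

    [pscustomobject]@{
        Name     = $Name
        Found    = $true
        Sam      = $user.SamAccountName
        UPN      = $user.UserPrincipalName
        Findings = $findings
    }
}

# Collect the 0x6 failures from the DC that logged them.
$failures = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'Security'; Id = 4768; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-KerberosAsReqEvent $_ } |
    Where-Object { $_.Status -eq '0x6' }

# Step "Look at the 4768 event details": who asked, for which name, in which realm.
$failures | Sort-Object TimeCreated |
    Format-Table TimeCreated, TargetUser, SuppliedRealm, ClientAddress, CertIssuer -AutoSize

# Steps "Verify the account exists on the DC" and "Check for duplicate UPNs".
$failures | Select-Object -ExpandProperty TargetUser -Unique |
    ForEach-Object { Test-KerberosPrincipalOnDc -Name $_ -Server $DomainController } |
    ForEach-Object {
        $summary = if ($_.Findings.Count) { $_.Findings -join '; ' }
                   else { 'no account-side problem found; check client DNS and KDC selection' }
        '{0}: {1}' -f $_.Name, $summary
    }
```

Run it on, or pointed at, each DC that authenticates the user; if one DC reports "principal not found" while another finds the account, the replication commands in the post are the next step, and if the Target User Name in the events is not the sAMAccountName the user is expected to type, the client is sending a different identity than you think (the realm and UPN in the table will show which).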