From network capture, customer saw AS-REP "KRB5KDC_ERR_PREAUTH_REQUIRED" and
"KRBKDC_ERR_PREAUTH_FAILED" when allowtgtsessionkey = 0 for request
krbtgt/DOMAIN to AD server.
With kinit it seems to be working fine for the customer
with latest logs we do not see
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
so the Additional pre-authentication issue is ruled out.
we see a new message :
KrbException: Message stream modified (41)
and the exception is at