When clients attempt to log on using the NT logon plug-in, they may be refused with a message saying the domain controller is unavailable. This may also be accompanied by unusual Kerberos errors in the event log, including a mention of KDC_ERR_BADOPTION.This can occur due to the emulation of NT4-style domains in a Windows 2000 or later Active Directory domain if the delegated NT4 authentication system is unavailable or cannot contact the AD domain controllers.

A good workaround is to switch to the Pharos Active Directory LDAP plug-in and bypass the NT4 system. Contact Pharos Support to obtain this plug-in.