OpenAFS, Win2K/XP, MIT KDC, help needed
Scott Ehrlich
scott at csail.mit.edu
Thu Dec 18 17:11:33 EST 2003
We have "test/pre-production" MIT KDC and OpenAFS servers set up. I have a
well-used XP laptop which properly authenticates to the KDC and gets me
AFS tokens. It is not part of a domain - just the Kerberos Realm as the
domain.

I also have two Win2k hosts, one newly-built just for Kerb/AFS testing
with SP3, the other a production machine with SP4, both with proper time
syncing and proper date stamps, both configured the same way, only part of
a workgroup with just the Kerberos Realm as the domain. When I use either
Win2K SP3 host to try and authenticate to the MIT KDC, the KDC log shows a
ticket being sent, but the 2K hosts both give me immediate error messages
asking me to check my username and password, to ensure I have entered them
correctly.

Everything works fine with Pre-Auth enabled, but both Win2K and XP break
with no Pre-Auth.

I've found some very good threads on comp.protocols.kerberos, with other
people having similar problems, but no obvious or clear idea of how to
fix the authentication/login Win2K problem.

Any ideas/suggestions would be most helpful.

Thanks in advance.

Scott