"A locked and well managed PC has a 40% lower Total Cost of Ownership (TCO) than an unmanaged PC."
- Gartner Research

Client reported their VPN was not functional. Troubleshooting revealed nothing wrong with the accounts: the account in question could log on to a local machine without a problem. After verifying all the usual suspects (group membership, device properties, etc.), we called the vendor. The vendor could not explain the issue, and it suddenly stopped failing during the support call.
The issue recurred about a week later, but this time we ran Wireshark on the domain controller to see what was happening. We noted that the DNS name being requested (and subsequently failing to resolve) was _kerberos-master._tcp.<domain name>; the display filter dns.qry.name contains "_kerberos-master" isolates those lookups in the capture. When we reviewed DNS we found this record does not exist. Per Microsoft, this is not a standard resource record created or maintained by Active Directory: the _kerberos-master service name is the MIT Kerberos convention for locating the primary (master) KDC, while Active Directory registers only records such as _kerberos._tcp and _kerberos._udp for its domain controllers.
As the name being requested is hard-coded into the device in question, we manually created the SRV records the device was requesting: one per domain controller, named _kerberos-master._tcp.<domain name> (service _kerberos-master, protocol _tcp), with the Weight set to 100, the port set to 88, and the domain controller as the target host.
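The record creation described above, as an added PowerShell example that is not from the original post or from the device vendor. It assumes the RSAT DnsServer and ActiveDirectory modules are available, that it is run with DNS administration rights on a domain controller, and that $ZoneName is replaced with the real AD DNS domain; the Priority value of 0 is an assumption, since the post only states Weight and port. It first reproduces the failing lookup, creates one _kerberos-master._tcp SRV record per writable domain controller (skipping any that already exist), and then verifies the name resolves.

```powershell
# Added example, not the original post's or the vendor's code: create the
# _kerberos-master._tcp SRV record the device hard-codes, one per writable DC,
# then verify it resolves. Assumes RSAT DnsServer + ActiveDirectory modules and
# DNS-admin rights; 'corp.example' is a placeholder for the real AD domain.
#Requires -Modules DnsServer, ActiveDirectory

param(
    [string]$ZoneName = 'corp.example',   # placeholder, replace with the AD DNS zone
    [int]$Port = 88,                      # Kerberos KDC port, as in the post
    [int]$Weight = 100,                   # Weight used in the post
    [int]$Priority = 0,                   # assumption: the post does not state a priority
    [switch]$IncludeReadOnlyDCs
)

$recordName = '_kerberos-master._tcp'     # the service name the device requests
$fqdn       = "$recordName.$ZoneName"

# 1. Reproduce what the capture showed: before the fix this lookup fails (NXDOMAIN).
$before = Resolve-DnsName -Name $fqdn -Type SRV -ErrorAction SilentlyContinue
if ($before) {
    Write-Host "$fqdn already resolves to:"
    $before | Format-Table NameTarget, Port, Priority, Weight
} else {
    Write-Host "$fqdn does not resolve yet (this matches the failure seen on the wire)"
}

# 2. Enumerate domain controllers. A client asking for a "master" KDC expects a
#    writable one, so read-only DCs are skipped unless explicitly requested.
$dcs = Get-ADDomainController -Filter * |
    Where-Object { $IncludeReadOnlyDCs -or -not $_.IsReadOnly }

# 3. Collect targets already present so re-running the script creates no duplicates.
$existing = @(
    Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $recordName -RRType Srv -ErrorAction SilentlyContinue |
        ForEach-Object { $_.RecordData.DomainName.TrimEnd('.') }
)

foreach ($dc in $dcs) {
    $target = $dc.HostName
    if ($existing -contains $target) {
        Write-Host "SRV $fqdn -> $target already present, skipping"
        continue
    }
    # One SRV record per DC: same name, different target host.
    Add-DnsServerResourceRecord -Srv -ZoneName $ZoneName -Name $recordName `
        -DomainName $target -Priority $Priority -Weight $Weight -Port $Port
    Write-Host "Created SRV $fqdn -> ${target}:$Port (priority $Priority, weight $Weight)"
}

# 4. Verify from a client's point of view. Clearing the local resolver cache avoids
#    a negatively cached answer from the lookup in step 1.
Clear-DnsClientCache
Resolve-DnsName -Name $fqdn -Type SRV | Format-Table NameTarget, Port, Priority, Weight
```

Run the script once per AD-integrated zone whose name the device uses. Because every record shares the same name, the device will pick a target according to Priority and Weight; giving all writable domain controllers equal values spreads the lookups across them, and the final Resolve-DnsName call should list one entry per domain controller with port 88.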
The Kerberos lookups work now!
How the heck it started working for a period of time remains a mystery....