petesea@bigfoot.com via RT wrote:
> I have a theory.... I think the difference has to do with if the Identity 
> exists or not... meaning it's defined in the registry.  If the Identity 
> does NOT exist, which will be the case if the password is disabled the 
> first time the NIM sees the principal, then I think you'll see the 
> behavior I describe.
> 
> I'll send a Word doc with screen shots directly to your other email 
> address... not sure how well your RT system handles attachments... I know 
> OUR RT system doesn't handle them very well.

I've already tested this theory by creating new principals in the KDC
and expiring the passwords on creation.

Having received the zip file from you I'm suspecting that the issue is
the error code returned by the KDC.  I think it is different in your
revision of the KDC than the one I am running.