In testing Vista SP1 in our Windows AD Forest (in which account are
mapped to our MIT realm), I believe that we're seeing the same problem
that was reported on the Heimdal mailing list in October 2007; see the

and also

Anyone know if there's been a fix for this since 1.4.3 plus CITI
referrals patch, or if 1.6 is immune to the problem? Although there is a
circumvention for a Vista SP1 client (new registry key), a KDC-side fix
is preferable.