I am having a very strange issue regarding ONE user not being properly
authenticated by AD when trying to use our IPSec VPN client.

We use a Cisco VPN 3000 Concentrator for remote access, which in turn
uses Kerberos/AD as its authentication database. We are running Active
Directory under Windows 2003 R2 (w/SP2). 99% of my users can
authenticate properly using AD. However, exactly ONE of my users' logins
is rejected by the IPSec VPN appliance. If I go into AD and disable
Kerberos preauthentication for this one user, the VPN client then
properly accepts his authentication credentials, but once connected he
can't pass traffic over the IPSec tunnel.

I have confirmed this behavior over multiple ISPs and transport
protocols, so the problem definitely resides within his AD account and
possibly a bit that's been incorrectly flipped in his AD user schema?

Any ideas?