Environment: clients are mostly XP/SP3; client in question is Win7Ult (newer machine); this Win7 client had MS Security Essentials installed just prior to travel, a full scan was run, and all updates applied. servers are : PDC is Server3003SBS, two servers are Server 2003, one server is Server 2003 R2 single forest/domain, no centralized management of clients... Environment is as I inherited it. It's pretty kluged right now, but I'm slowly polishing it... My problem - Win7 client in question had no problems authenticating to domain 1 month ago. user then traveled overseas. when he came back last week, he was able to authenticate to the domain the very first time he attempted to logon, but the next morning began getting the message "The security database on the server does not have a computer account for this workstation trust relationship" Not understanding this problem, I began basic account troubleshooting procedures. I reset his pw first. I had him attempt to logon using the reset password. This was successful, and a pw reset was asked for, as I had set it. He successfully set a new pw, but then the same message came up immediately afterward - "The security database on the server does not have a computer account for this workstation trust relationship". After this, we were unable to access even local accounts on this computer. Local accounts with known userid/pw combinations are now denied with a message "The user name or password is incorrect". Even the local and domain Administrator accounts are denied with the above message (which tells me I am at least communicating with the PDC...) I have scoured technet looking for examples of this problem and solutions. I have tried several, with no success. I insured time was synchronized between the client BIOS and my PDC. The Win7 computer was originally not showing up in the Computers listing after this problem started, but it did show up in the Foreign Security Principals listing. I moved it back over to Computers, and reset the account. I have tried deleting it and manually re-adding it, no change. I am more a network guy than an MS guy, but not completely clueless. I can navigate regedit and the Group Policy Editor, and other maintenance consoles. Any and all help appreciated.

Doing my own further research, and after configuring logging of all login and logout activity, I found the following: The TGT process is failing with Kerberos error codes 0x19 and 0x25. The 0x25 indicates KRB_AP_ERR_SKEW "Clock Skew Too Great". This is something that I had already addressed in the client BIOS, though I have no idea whether W7 is modifying this to a different time zone and/or daylight savings time. The 0x19 indicates KDC_ERR_PREAUTH_REQUIRED "Additional pre-authentication", which I can assume is due to either a misconfiguration within/between the Win7 client and my Server2003SBS PDC, or the aforementioned 0x25 time skew error. The event ID associated with the above two event logs is 675. I reckon it's time to break out my kerberos resources and RTFM.

Additionally, I just completed cycling through all 24 hours in BIOS, trying to see if I could find the magic time setting in the OS. Login attempts still failing. The user admitted that he had changed the time zone settings depending on where he was at (AUS, Los Angeles, elsewhere), though I still am not sure if this is the cause. Reading everything I've got, frantically. I fear the solution will be something so basic that I'll have to go back to digging ditches out of shame... ...is there no one out there who has any insights about this problem?