Friday, September 30, 2011

How OS X uses login names to generate Kerberos tickets

AD users have two valid names that can be used for authentication: the login name and the "pre-Windows 2000", or "short" name. 

OS X recognizes both of these as valid; however, to be granted a Kerberos ticket, the user must log in with the short (pre-Windows 2000) name. Login attempts using the long name or domain\username will not be granted a Kerberos ticket.
