Attention: this item is more than 5 years old, links can be broken and information can have been updated.
An end to the continuing tale of the windows domain controller behind a firewall which I mentioned twice before. Finally I can log in with a reasonable speed. Kerberos over UDP (88/udp) was failing and I could not find out why because test traffic to port 88/udp made it. Peering long and hard at the wireshark dump I saw UDP fragmentation happening, but those fragments did not show up at the server. Another google search found How to force Kerberos to use TCP instead of UDP in Windows with the right registry key to force the client to use TCP, which fixed it. Finally.