An end to the continuing tale of the windows domain controller behind a
firewall which I mentioned twicebefore.
Finally I can log in with a reasonable speed. Kerberos over UDP (88/udp) was
failing and I could not find out why because test traffic to port 88/udp
made it. Peering long and hard at the wireshark dump I saw UDP fragmentation
happening, but those fragments did not show up at the server.
Another google search found How to force Kerberos to use TCP instead of UDP in Windows with the right
registry key to force the client to use TCP, which fixed it. Finally.