We have track the user with the problem but we see no difference between the that working and which that not working.
> isolate the full negotiate stack
What you means with this?
> It's very likely that the error is simply correct, the user logging in doesn't have the right creds.
Which rights are needed? I would expect a login failed or a login as guest like if the user name is wrong. Token invalid sounds like the token was corrupted on transfer.