A new Enforce server has been built.
Kerberos has been enabled.
When users try to log in to the console with their AD user name, the login fails with "Invalid Username/Password or Disabled Account".
Only the built-in Administrator account is able to log in to the console.
The localhost log has the following warning:
Level: WARNING
Source: com.symantec.dlp.login.spring.SymantecKerberosAuthenticationProvider
Message: Kerberos authentication failed: user='<AD user name>':Kerberos authentication failed
The log also contains this entry:
"Caused by: KrbException: no supported default etypes for default_tkt_enctypes"
The new Enforce server is running OpenJRE 8u402.
Kerberos authentication will fail with OpenJRE 8u402 (OpenJRE 8u391 and higher) if the krb5.ini (Windows) or krb5.conf (Linux) file specifies the following deprecated/obsolete encryption types (etypes):
default_tkt_enctypes = RC4-HMAC, DES-CBC-CRC, DES3-CBC-SHA1, DES-CBC-MD5
default_tgs_enctypes = RC4-HMAC, DES-CBC-CRC, DES3-CBC-SHA1, DES-CBC-MD5
This issue occurs because the JRE has disabled 3DES and RC4 for Kerberos.
The deprecated etypes must be removed from the krb5 file.
Check with your AD team to see which etypes they are using, and enter those etypes in the "default_tkt_enctypes" and "default_tgs_enctypes" lines in the krb5 file.
Once the krb5 file is updated and saved, restart the Enforce services.
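To confirm that the krb5 file no longer names any of the deprecated etypes before restarting the services, a check along these lines can be used. This is an added example, not Symantec code; the function names are hypothetical, and the AES etypes in the "after" sample are an assumption standing in for whatever your AD team reports.

```python
import re
import sys

# Etypes the article lists as deprecated/obsolete (matched case-insensitively).
DEPRECATED = {"rc4-hmac", "des-cbc-crc", "des3-cbc-sha1", "des-cbc-md5"}
KEYS = ("default_tkt_enctypes", "default_tgs_enctypes")

# Constructed sample: the failing lines quoted in the article.
SAMPLE_BEFORE = """[libdefaults]
default_tkt_enctypes = RC4-HMAC, DES-CBC-CRC, DES3-CBC-SHA1, DES-CBC-MD5
default_tgs_enctypes = RC4-HMAC, DES-CBC-CRC, DES3-CBC-SHA1, DES-CBC-MD5
"""
# Constructed sample: AES etypes are an assumption; use what your AD team reports.
SAMPLE_AFTER = """[libdefaults]
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""


def audit_krb5(text):
    """Map each enctypes key found to its deprecated and remaining etypes."""
    findings = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comments and section headers such as [libdefaults].
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key not in KEYS:
            continue
        # Etype lists may be separated by commas and/or whitespace.
        etypes = [e for e in re.split(r"[,\s]+", value.strip()) if e]
        findings[key] = {
            "deprecated": [e for e in etypes if e.lower() in DEPRECATED],
            "remaining": [e for e in etypes if e.lower() not in DEPRECATED],
        }
    return findings


def needs_fix(findings):
    """Sorted keys whose line still names at least one deprecated etype."""
    return sorted(k for k, v in findings.items() if v["deprecated"])


if __name__ == "__main__":
    # Pass the path to krb5.ini / krb5.conf; without one, the failing sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BEFORE
    result = audit_krb5(text)
    for key in needs_fix(result):
        print(f"{key}: remove {result[key]['deprecated']}, keeps {result[key]['remaining']}")
```

A line whose "keeps" list is empty matches the configuration shown above, where every listed etype is one of the deprecated ones.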
See the related KB 160250:
Error: "AD authentication fails - KDC has no support for encryption type"