ZENworks Configuration Management 2017 Update 2
With Kerberos set, users can't log in.
ERROR (from zmd-messages.log in debug):
[KerberosAuthMechanismHandler]  [Exception Message :System.Exception: Failed to get the client token Return Status : -2146892990
The error -2146892990 is not a ZCM error, but a native Windows Kerberos error indicating a problem with the key.
Confirm whether a group policy is set for Computer Configuration / Policies / Windows Settings / Security Settings / Local Policies / Security Options / Network security: Configure encryption types allowed for Kerberos. If so, determine which encryption types are allowed.
If there is a restriction, ensure that Account Properties / Account Options on the Kerberos principal account used by ZENworks is set to match, for example "This Account Supports Kerberos AES 256 bit encryption". If the account setting does not match, change it to match. After the change, a new keytab must be created and added to ZCC. Otherwise this error may be seen:
GSS Exception caught: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)] [authtoksvc.Krb5Authenticate$Krb5Token]   [CASA]C
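The comparison described above can be scripted. This is an added example, not part of the original article or of ZENworks. It assumes the principal is an AD user object, that the RSAT ActiveDirectory module is installed, and that `zen-krb-svc` is a placeholder account name.

```powershell
# Added example: compare the Kerberos encryption types allowed by policy on this
# device with those enabled on the Kerberos principal account.
# Assumption: 'zen-krb-svc' is a placeholder for the account used by ZENworks.
param([string]$Principal = 'zen-krb-svc')

# Bit flags shared by the policy value and msDS-SupportedEncryptionTypes.
$EtypeBits = [ordered]@{
    'DES_CBC_CRC' = 0x1; 'DES_CBC_MD5' = 0x2; 'RC4_HMAC_MD5' = 0x4
    'AES128_HMAC_SHA1' = 0x8; 'AES256_HMAC_SHA1' = 0x10
}
function ConvertTo-EtypeNames([int]$Mask) {
    $hit = @($EtypeBits.GetEnumerator() | Where-Object { $Mask -band $_.Value } |
             ForEach-Object { $_.Key })
    if ($hit.Count) { $hit -join ', ' } else { '(none set)' }
}

# The log prints the Windows status as a signed 32-bit integer; show it in hex
# so it can be looked up as a native security error code.
'Status -2146892990 = 0x{0:X8}' -f (-2146892990)

# 1. Policy: "Network security: Configure encryption types allowed for Kerberos".
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$policy = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).SupportedEncryptionTypes
if ($null -eq $policy) { 'No encryption type restriction is set by policy.'; return }
$allowed = $policy -band 0x1F    # ignore the "future encryption types" bits
"Allowed by policy : $(ConvertTo-EtypeNames $allowed)"

# 2. Account: the AES check boxes under Account Options are stored in
#    msDS-SupportedEncryptionTypes; an unset attribute reads as 0.
$acct = Get-ADUser -Identity $Principal -Properties 'msDS-SupportedEncryptionTypes'
$acctMask = [int]$acct.'msDS-SupportedEncryptionTypes'
"Set on account    : $(ConvertTo-EtypeNames $acctMask)"

# 3. Compare. Types the policy allows but the account lacks are the mismatch.
$missing = $allowed -band (-bnot $acctMask)
if ($missing -eq 0) {
    'Account supports every encryption type the policy allows.'
} else {
    "Not enabled on account: $(ConvertTo-EtypeNames $missing)"
    'Set the account options to match, then create a new keytab and add it to ZCC.'
}
```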