If someone is added to a new group and then doesn't refresh their Kerberos ticket for some time, the change can take longer to take effect than normal replication.
The user logs in and we take the user's PAC from their current Kerberos credentials. We then get a list of all the group SIDs from their PAC and compare it against the access control group's SID; if there is a match, we return a match. The issue could be caused by not renewing their credentials on the Windows machine before attempting to log into the Apache machine with MAV on it.
1 - Lock and unlock the Windows desktop to get a new Kerberos ticket.
2 - Then try logging into the Apache machine with MAV on it.
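
The comparison described above, as an added example (not MAV's own code) showing why a ticket issued before the group change fails the check and a refreshed one passes. It assumes the PAC has already been decoded into a simplified dict; the field names, the `issued_at` and `group_added_at` timestamps and all SIDs are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

def sid_to_str(raw: bytes) -> str:
    """Convert a binary Windows SID to its S-1-... string form."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("truncated or oversized SID")
    authority = int.from_bytes(raw[2:8], "big")   # 48-bit authority, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])   # 32-bit sub-authorities, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def pac_group_sids(pac: dict) -> set:
    """Expand the PAC's group RIDs against the logon domain SID, then add extra SIDs."""
    domain = sid_to_str(pac["logon_domain_sid"])
    sids = {f"{domain}-{rid}" for rid in pac["group_rids"]}
    sids.update(sid_to_str(s) for s in pac["extra_sids"])
    return sids

def check_access(pac: dict, acl_group_sid: str, group_added_at: datetime) -> str:
    """Return 'match', or the likely reason the access control group was not found."""
    if acl_group_sid in pac_group_sids(pac):
        return "match"
    if pac["issued_at"] < group_added_at:
        return "stale-ticket"      # PAC was built before the membership change
    return "not-a-member"

def _sid(*subs: int) -> bytes:
    """Build a binary SID under the NT authority (5) for the constructed samples."""
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)

# Constructed sample data (hypothetical domain, RIDs and times).
DOMAIN = _sid(21, 1111111111, 2222222222, 3333333333)
ACL_GROUP = "S-1-5-21-1111111111-2222222222-3333333333-1602"
ADDED = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)

STALE_PAC = {  # ticket obtained at 08:00, before the user was added at 12:00
    "logon_domain_sid": DOMAIN,
    "group_rids": [513, 1105],
    "extra_sids": [_sid(18, 1)],
    "issued_at": datetime(2024, 1, 10, 8, 0, tzinfo=timezone.utc),
}
FRESH_PAC = {  # ticket obtained at 13:00, after locking and unlocking the desktop
    **STALE_PAC,
    "group_rids": [513, 1105, 1602],
    "issued_at": datetime(2024, 1, 10, 13, 0, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    for name, pac in (("stale", STALE_PAC), ("fresh", FRESH_PAC)):
        print(name, check_access(pac, ACL_GROUP, ADDED))
```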