Novell Client 2 SP3, Win 7 x86 domain joined

For majority of users all works OK, user logs in to Novell eDir,
authenticate to AD (eDir & AD are in sync via IDM). All good

But for few users sometimes user log in fine with Novell & then Windows
authentication does not get passed, but Windows stays at login

user types the SAME password as per eDir (which IS the correct AD password
as well) one more time & login continues fine

Any idea why that would be happening?