tracking. I am getting the same error too.

I wanted to share that we identified the issue for us and resolved it. I suspect our issue will not be the same as yours but maybe helpful.

The error being given is generic in which basically authentication failed to get back what it expected. In our case we had retired two domain controllers but never removed them from our domain dns. When VMware sent to AD to authenticate it would work on a live IP but give the error we are reporting on a dead IP. 

The solution for us was to clean up our DNS and the issue resolved. 

In testing we verified the issue was the same on each supervisor node local authentication always worked, domain authentication sometimes worked and sometimes failed. 

While I was on the call the technician said he also helped another user who was reporting the same issue. In that users case he had a group which he was part of that had multiple @ signs in the name like a distribution list. This also caused the authentication to fail and spit the error.

hope this helps you identify the root cause. 

my issue is that I have an underlying NSX-T issue this is breaking DNS. 

Just going to put this out there incase you have not checked. When I first built out tanzu from vsphere it successfully deployed, however, I had multiple strange issues. These issues were resolved by making sure jumbo frames end to end were setup. Could be completely unrelated but nsx-t requires packet sizes of 1600 slightly larger than a normal package.

anyways I was surprised I could successfully deploy without jumbo frames and it would kind of work most of the time. 

Thanks for the tip!