If you obtain a Kerberos service ticket to an account and present it to the KDC to perform constrained delegation, but that account has changed its password in the meantime, the KDC will not be able to decrypt the service ticket. This affects Group Managed Service Accounts, which periodically have their passwords rotated.
(In reply to Jo Sutton from comment #0)

Why? The key should be identified by kvno in order to get the one for decryption...