I'm not sure this is the right place to go, but since Kerberos is involved I'll give it a shot.
The problem: A number of disabled user accounts are generating Event ID 4768 Kerberos Authentication Service failure events.
A Kerberos authentication ticket (TGT) was requested.
Account Information:
    Account Name:        <account>@<nt domain>
    Supplied Realm Name:    <fqdn>
    User ID:            NULL SID
Service Information:
    Service Name:        krbtgt/<fqdn>
    Service ID:        NULL SID
Network Information:
    Client Address:        ::ffff:<internal ip/sharepoint wfe>
    Client Port:        62369
Additional Information:
    Ticket Options:        0x40810010
    Result Code:        0x6
    Ticket Encryption Type:    0xFFFFFFFF
    Pre-Authentication Type:    -
Certificate Information:
    Certificate Issuer Name:       
    Certificate Serial Number:   
    Certificate Thumbprint:       
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
The client address above that is generating the events is one of two SharePoint 2010 web front end servers (and always the same one.)
Around the same time, the IIS web application pool account generates Event ID 4769 Kerberos Service Ticket Operations failure events.
A Kerberos service ticket was requested.
Account Information:
    Account Name:        <app pool svc account>@<fqdn>
    Account Domain:        <fqdn>
    Logon GUID:        {00000000-0000-0000-0000-000000000000}
Service Information:
    Service Name:        <app pool svc account>
    Service ID:        NULL SID
Network Information:
    Client Address:        ::ffff:<internal ip/sharepoint wfe>
    Client Port:        62367
Additional Information:
    Ticket Options:        0x40810000
    Ticket Encryption Type:    0xFFFFFFFF
    Failure Code:        0x1B
    Transited Services:    -
This event is generated every time access is requested to a resource such as a computer or a Windows service.  The service name indicates the resource to which access was requested.
This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event.  The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.
Ticket options, encryption types, and failure codes are defined in RFC 4120.
The failure codes aren't particularly helpful (I believe both translate to disabled/invalid account) and I am unsure how to capture more comprehensive information.
There are about 2 dozen accounts that exhibit this behavior, and it always occurs around the same time every morning (~3:30 AM).
My initial thought is that what is actually going on is the users had originally linked SharePoint calendars through their Outlook and that Exchange is, for whatever reason, trying to keep that information channel alive.  In typing that out, I'm not convinced that's a good explanation.
Any thoughts on how I might drill further into this would be incredibly helpful.  Thanks!
Phil
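One way to get more out of the two events above is to decode their result codes and ticket options against RFC 4120 and reduce each message to the fields worth grouping on. This is an added example, not part of the original post: the function names, the partial code table and the sample account, domain and address values are assumptions made for illustration.

```python
import re

# Subset of the error codes in RFC 4120 section 7.5.9.
KRB_ERRORS = {0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 0x07: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
              0x12: "KDC_ERR_CLIENT_REVOKED", 0x17: "KDC_ERR_KEY_EXPIRED",
              0x18: "KDC_ERR_PREAUTH_FAILED", 0x1B: "KDC_ERR_MUST_USE_USER2USER"}
# KDCOptions bit numbers (bit 0 = most significant), RFC 4120 section 5.4.1;
# bit 15 (canonicalize) is defined in RFC 6806.
KDC_OPTIONS = {1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
               5: "allow-postdate", 6: "postdated", 8: "renewable",
               15: "canonicalize", 26: "disable-transited-check",
               27: "renewable-ok", 28: "enc-tkt-in-skey", 30: "renew", 31: "validate"}
# "Name:   value" on one line; section headers and empty fields do not match.
FIELD = re.compile(r"^[ \t]*([A-Za-z][A-Za-z \-]*?):[ \t]+(\S.*?)[ \t]*$", re.M)

def decode_options(value):
    """Names of the KDCOptions flags set in a 32-bit Ticket Options value."""
    return [n for bit, n in sorted(KDC_OPTIONS.items()) if value & (1 << (31 - bit))]

def summarize(message):
    """Reduce one 4768/4769 event message to the fields worth grouping on."""
    f = dict(FIELD.findall(message))
    code = int(f.get("Result Code") or f["Failure Code"], 16)  # 4768 / 4769 naming
    return {"account": f["Account Name"], "service": f["Service Name"],
            "client": f["Client Address"].replace("::ffff:", ""),
            "error": KRB_ERRORS.get(code, "unlisted 0x%X" % code),
            "options": decode_options(int(f["Ticket Options"], 16))}

# Constructed sample messages in the layout shown in the post; the account,
# domain and address values are placeholders, the codes are the post's.
TEMPLATE = """Account Information:
    Account Name:        {acct}
Service Information:
    Service Name:        {svc}
    Service ID:        NULL SID
Network Information:
    Client Address:        ::ffff:192.0.2.10
Additional Information:
    Ticket Options:        {opts}
    {label}:        {code}
"""
SAMPLE_4768 = TEMPLATE.format(acct="jdoe@EXAMPLE", svc="krbtgt/example.test",
                              opts="0x40810010", label="Result Code", code="0x6")
SAMPLE_4769 = TEMPLATE.format(acct="svc-pool@example.test", svc="svc-pool",
                              opts="0x40810000", label="Failure Code", code="0x1B")

if __name__ == "__main__":
    for msg in (SAMPLE_4768, SAMPLE_4769):
        print(summarize(msg))
```

For the two codes in the post, the RFC 4120 table gives KDC_ERR_C_PRINCIPAL_UNKNOWN for 0x6 and KDC_ERR_MUST_USE_USER2USER for 0x1B. Running the summaries over every failure in the ~3:30 AM window and grouping by client and error shows whether all of them share one source and one request pattern.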