When a computer joins a domain, a computer account is created in AD. The computer account gets its own password that will expire after 30 days (default). When the password expires, the computer itself will initiate a password change with a DC in its domain.
When the computer starts up, it uses this password to create a secure channel (SC) with a DC. The computer will request to sign all traffic that passes the SC. If a DC says “go ahead”, all traffic that is signed passes through this channel.
Traffic like NTLM pass through authentication is typically signed traffic.
So what happens if there is a mismatch between the computer account password? The computer tries to authenticate, but the DC says this is not the correct password.
The SC is down.
To reset the SC between a computer and a DC:
Open PowerShell on the local computer with the broken SC and run the cmdlet:
Test-ComputerSecureChannel -repair -credential (Get-credential)