I'm assuming you are not using NTLM (Windows Domain Membership) to perform the group lookups.
This is happening because of the LDAP lookup you perform after doing Kerberos authentication.
If you rely on MWG to look up the groups using NTLM (WDM) instead of LDAP, you will not have this problem. Read this part: https://community.mcafee.com/docs/DOC-2682#Get_groups_with_NTLM_new_as_of_72
Otherwise, you can store the username before you do the LDAP group lookup, and then restore it after the LDAP lookup takes place.
Most customers will implement the NTLM fallback as described in the guide because not all browsers/applications play well with Kerberos. This will also help with the transition.
Thanks Jon, that did it.
For our primary proxy environment, we're going to use NTLM to get the groups.
For a remote site (Chennai) we're going to have to use LDAPS due to some routing and DNS challenges we have there. For that I'll save the user ID in advance of the LDAPS call.