The users getting a 23791 were just about all dial-up users. We have a global dial program with MCI and we limit where people can go when then dial-up. (Basically we want them to connect to us, so we restrict their dial access to our public network only. This way they are forced to login to VPN, which then allows them back out to the Internet, but all activity is tracked by our URL Filtering and Reporting system.)
The problem was that during login, clients were going out to crl.verisign.net to check the status of the certificate. Our dial policy didnt allow them to get there which is why they got 23791. By the way, 23791 almost always means something is being blocked. JTac found 2 IE Settings they believe were causing the issue.
In IE, under Internet Options, Advanced, there are two options that were making this happen:
Check for publisher's certificate revocation.
Check for server certification revocation (requires restart)
To be safe we allowed all verisign.net networks in our dial-ip profile rather then shut these options off.
This resolved the majority of our problems. I still have about 20-30 users who are having weird issues. Specifically, Notes Replication, and trusted authentication simply does not work. These are very clean machines with stable Internet Connectivity. In the traces we see a variety of retransmissions that do not occur on our Nortel COntivity VPN, from the same client and ISP. To rule out conflicts we completely uninstalled Contivity and reinstalled Network Connect. The issues persisted. These same users worked just fine on previous versions of NetConnect. If anyone else has experienced retransmissions or problems with Trusted authentication please let me know.