You will need to change your group policy for the users in AD to lock the accounts after x amount of tries. We have this set to 5 attempts.
The Mac will attempt to log in with the incorrect details, and as it will not connect (if the password has expired), it will prompt you to enter a password. This is when you enter the new password that was created when you logged in (AD will prompt for a new password at logon when the password has expired). If you enter the new password and select the remember button, the keychain entry will be changed to the new password and you should be good to go.
"I found out that we are not using Kerberos with AD. Is it related to the fact that I cannot authenticate automatically on a number of services (like the proxy)?"
Yes, there would not be any SGT for the services.