Hello,
we recently switched from a hybrid AD environment to cloud-only using Entra Domain Services. We want clients to be Entra-joined (not Entra-registered) but also have a valid Kerberos ticket to easily access our internal NAS without re-entering login info. The NAS is domain-joined to the new Entra Domain so user login info is synchronized with the domain.
We can successfully Entra-join our devices and a Kerberos ticket is fetched. But the ticket contains wrong information. Using klist from the machine, the ticket says Client: ******@new-domain.com @ OLDDOMAIN, which of course then fails authentication with our NAS.
Some more info: (1) the old domain and domain controller aren't active or available anymore, (2) we cleared all OnPremises* attributes for our users, and (3) the ticket is correctly issued by the 'kerberos.microsoftonline.com' server. Still, the tickets have the old domain name as the client realm.
As we don't have direct access to Microsoft's Kerberos Server I am unsure how to proceed. We need help fixing this. Maybe the kerberos server still has the old domain cached and is using it as client realm.
Help is appreciated, since this is hindering us from upgrading devices from domain-registered to domain-joined.
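As an added diagnostic example (not part of the original post, and not the poster's own code), the following PowerShell parses `klist` output on an affected client and flags every cached ticket whose client realm differs from the realm the NAS expects, so the mismatch described above can be checked across a fleet rather than read by eye. It also wraps a Microsoft Graph lookup of the user's onPremises* attributes, which is how to confirm the clearing described in point (2) actually took effect. The sample klist output, the user name and the realm names `NEW-DOMAIN.COM` / `OLDDOMAIN` are constructed placeholders; the Graph function assumes the Microsoft.Graph.Users module and an existing `Connect-MgGraph` session with `User.Read.All`.

```powershell
# Parse the ticket list that `klist` prints and return one object per ticket.
# klist lines look like "#0>     Client: user @ REALM" followed by "Server: spn @ REALM".
function Get-KerberosTicketRealm {
    param([string[]]$KlistOutput)
    $tickets = @()
    $current = $null
    foreach ($line in $KlistOutput) {
        if ($line -match '^\s*#\d+>\s*Client:\s*(?<client>\S+)\s*@\s*(?<realm>\S+)') {
            $current = [pscustomobject]@{
                Client      = $Matches.client
                ClientRealm = $Matches.realm
                Server      = $null
            }
            $tickets += $current
        }
        elseif ($current -and $line -match '^\s*Server:\s*(?<server>\S+)\s*@\s*(?<srealm>\S+)') {
            # $current is a reference, so this updates the object already in $tickets
            $current.Server = "$($Matches.server) @ $($Matches.srealm)"
        }
    }
    return $tickets
}

# Compare each ticket's client realm against the realm the NAS belongs to.
function Test-KerberosClientRealm {
    param([string[]]$KlistOutput, [string]$ExpectedRealm)
    foreach ($t in Get-KerberosTicketRealm -KlistOutput $KlistOutput) {
        [pscustomobject]@{
            Client       = $t.Client
            ClientRealm  = $t.ClientRealm
            Server       = $t.Server
            RealmMatches = ($t.ClientRealm -ieq $ExpectedRealm)
        }
    }
}

# Show the onPremises* attributes Entra still holds for a user (requires Connect-MgGraph).
# If the clearing described in the post worked, these should all be empty / $false.
function Get-OnPremisesAttributeState {
    param([string]$UserPrincipalName)
    Get-MgUser -UserId $UserPrincipalName -Property `
        userPrincipalName, onPremisesDomainName, onPremisesSamAccountName,
        onPremisesUserPrincipalName, onPremisesSecurityIdentifier,
        onPremisesImmutableId, onPremisesSyncEnabled |
        Select-Object userPrincipalName, onPremisesDomainName, onPremisesSamAccountName,
            onPremisesUserPrincipalName, onPremisesSecurityIdentifier,
            onPremisesImmutableId, onPremisesSyncEnabled
}

# Constructed sample resembling the klist output quoted in the post (placeholder names).
$sample = @'
Cached Tickets: (2)

#0>     Client: user@new-domain.com @ OLDDOMAIN
        Server: krbtgt/NEW-DOMAIN.COM @ NEW-DOMAIN.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: user@new-domain.com @ NEW-DOMAIN.COM
        Server: cifs/nas01.new-domain.com @ NEW-DOMAIN.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
'@ -split "`r?`n"

# On a real client, replace $sample with (klist) to read the current logon session's cache.
Test-KerberosClientRealm -KlistOutput $sample -ExpectedRealm 'NEW-DOMAIN.COM' |
    Format-Table -AutoSize
# Ticket #0 reports RealmMatches = False (client realm OLDDOMAIN), ticket #1 reports True.
```

Running `Test-KerberosClientRealm` against live `klist` output on a few Entra-joined devices gives a quick yes/no on whether the wrong client realm is fleet-wide or limited to particular users, and pairing it with `Get-OnPremisesAttributeState` for the same users shows whether any onPremises* value that could still carry the old domain name survived the cleanup.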