Kerberos extension does not renew ticket automatically
Hi, we are using the native Kerberos extension, configured via MDM, to obtain a Kerberos ticket for the user and automatically sign the user in to on-premises services such as file shares (CIFS/SMB) or other web applications in Safari. Domain join itself is not configured; the DNS zone is marked as internal and is in the same realm as the domain itself.
It works well, and after the user signs in on the device on the local network, it obtains a Kerberos ticket. The ticket itself is limited to a lifetime of 2 hours. This is not defined by the Active Directory policies, which set a ticket lifetime of 8 hours.
But what is not working is the renewal of the ticket itself. When a ticket expires, the extension does not ask for renewal automatically and does not renew it even when the user again accesses domain services. There is no network communication from the client to the AD domain controllers.
If the user runs the kinit command manually, it again receives a valid ticket, and everything works again for the next two hours. What is strange is that when the user signs in without DC connectivity and runs kinit manually after connecting to the network, before accessing network/app services with SSO, the ticket is renewed correctly, and the device always asks for renewal and communicates normally with the AD DC.
Have you encountered such behavior? We think the ticket should be renewed automatically by the extension every time it expires, without manual intervention from end users. We have not found anything else we can tune on the AD DC or on the macOS side regarding this, because all the tickets look the same in both cases (we even tested on a special subnet without firewalls enabled). Just as a confirmation: at the same time, Windows works well inside the same domain and renews tickets fine.
MacBook Air (M4, 2025)
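A diagnostic script for the situation described above, added here as an example and not part of the original post or of Apple's Kerberos extension. It parses Heimdal-style `klist -v` output (the format macOS's klist prints) and reports, for the TGT, its actual lifetime, whether it is expired at a given moment, and whether it is still inside its renewable window. That last check is what separates "the extension never renews" from "the ticket was issued without a usable renew-till time and cannot be renewed". The `SAMPLE_KLIST` text, realm, principal and host names are constructed placeholders; `capture_klist()` assumes `klist` is on the PATH and that python3 is installed.

```python
"""Parse Heimdal-style `klist -v` output and classify the TGT.

Added diagnostic example. The sample listing below is constructed in the
format macOS's Heimdal `klist -v` prints; it is not captured from any
real environment.
"""
import re
import subprocess
from datetime import datetime

# Constructed sample: a 2-hour TGT with a 7-day renewable window, plus one
# service ticket for a file server. Realm, principal and hostnames are
# placeholders.
SAMPLE_KLIST = """\
Credentials cache: API:501:1
        Principal: user@EXAMPLE.COM
    Cache version: 0

Server: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Client: user@EXAMPLE.COM
Ticket etype: aes256-cts-hmac-sha1-96, kvno 2
Ticket length: 1234
Auth time:  Jun  2 09:00:00 2025
End time:   Jun  2 11:00:00 2025
Renew till: Jun  9 09:00:00 2025
Ticket flags: enc-pa-rep, pre-authent, initial, renewable, forwardable
Addresses: addressless

Server: cifs/fileserver.example.com@EXAMPLE.COM
Client: user@EXAMPLE.COM
Ticket etype: aes256-cts-hmac-sha1-96, kvno 5
Ticket length: 1400
Auth time:  Jun  2 09:00:00 2025
Start time: Jun  2 09:05:12 2025
End time:   Jun  2 11:00:00 2025
Renew till: Jun  9 09:00:00 2025
Ticket flags: enc-pa-rep, pre-authent, renewable, forwardable
Addresses: addressless
"""

TIME_FMT = "%b %d %H:%M:%S %Y"


def _parse_time(value):
    # klist pads single-digit days with two spaces ("Jun  2"); collapse them.
    return datetime.strptime(" ".join(value.split()), TIME_FMT)


def parse_klist(text):
    """Return one dict per ticket in the verbose listing (header is skipped)."""
    tickets = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        if "Server" not in fields:
            continue  # credential-cache header, not a ticket
        flags = {f.strip() for f in fields.get("Ticket flags", "").split(",") if f.strip()}
        renew = fields.get("Renew till")
        tickets.append({
            "server": fields["Server"],
            "auth_time": _parse_time(fields["Auth time"]),
            "end_time": _parse_time(fields["End time"]),
            "renew_till": _parse_time(renew) if renew else None,
            "flags": flags,
        })
    return tickets


def find_tgt(tickets):
    """The ticket-granting ticket is the entry whose server is krbtgt/REALM."""
    for ticket in tickets:
        if ticket["server"].startswith("krbtgt/"):
            return ticket
    return None


def assess(ticket, now):
    """Classify a ticket at time `now`.

    renewable_now is True when the ticket carries the renewable flag and
    `now` is still before its renew-till time: such a TGT can be refreshed
    without a password prompt (Heimdal: kinit --renew). A TGT whose
    renew-till equals its end time can only be replaced by a fresh kinit.
    """
    lifetime_h = (ticket["end_time"] - ticket["auth_time"]).total_seconds() / 3600
    expired = now >= ticket["end_time"]
    renewable_now = ("renewable" in ticket["flags"]
                     and ticket["renew_till"] is not None
                     and now < ticket["renew_till"])
    return {
        "server": ticket["server"],
        "lifetime_hours": lifetime_h,
        "status": "expired" if expired else "valid",
        "renewable_now": renewable_now,
    }


def capture_klist():
    """Run the host's real `klist -v` (assumes klist is on the PATH)."""
    return subprocess.run(["klist", "-v"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Swap SAMPLE_KLIST for capture_klist() to inspect a live cache on a Mac.
    tgt = find_tgt(parse_klist(SAMPLE_KLIST))
    for now in (datetime(2025, 6, 2, 10, 0, 0), datetime(2025, 6, 2, 11, 30, 0)):
        print(now.isoformat(), assess(tgt, now))
```

Run it on an affected Mac right after sign-in and again after the two-hour mark: if the TGT reports `renewable_now` as True while expired, the ticket itself is fine and the gap is in whoever should be calling renew; if `Renew till` equals `End time`, the KDC issued a non-renewable ticket and the 2-hour lifetime versus the 8-hour policy is the place to look first.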