This is the case, for example, if the domain controller uses a certificate based on the default Domain Controller certificate template. This does not contain the extended key usage for "Kerberos Authentication". The same applies to the deprecated Domain Controller Authentication certificate template.