AD delegated authentication but other way around

I have managed AD in the cloud and want to delegate authentication to Okta. For example I’d like to be able to run “kinit”, verify my Okta credentials, and get a Kerberos ticket. All of the AD/Kerberos documentation seems to delegate the other direction. Is this a supported configuration?

This forum is focused more on our developer focused products. For questions related to Active Directory, I would recommend asking your question in our main community forum

Thanks! It turns out this configuration is supported via the Okta Agent w/password sync. I do have a more developer focused question now:

Is it possible for a web application to obtain Kerberos tickets from an integrated AD for users authenticated via Okta SSO? Ideally we would be able to access kerberized backend resources without making the user enter their credentials again - one solution is to switch our web application to use SPNEGO instead of Okta but that’s not as nice of an SSO experience for users.