Kerberos and macOS: kinit unable to reach any KDC in realm AD.DOMAIN.COM, tried 10 KDCs

0 votes
0 answers
2660 views
In our organization, we have 25 Active Directory Domain Controllers. For our big sites, we have 2 DCs per site. We have about 50 MacBooks, with the rest being Windows laptops that don't have the same issue at all. Users sometimes move from one site to another one, so we can't just force one or two DCs. In our organization, LDAP and Kerberos protocols are blocked by firewall except to the site Domain Controller.

I'm trying to configure **Kerberos SSO Extension** through Airwatch, but unfortunately I can't log in with my credentials. So I tested manually with kinit and I saw this:

```
me@MAC ~ % kinit me@SUB.AD.DOMAIN
me@SUB.AD.DOMAIN's password:
kinit: krb5_get_init_creds: unable to reach any KDC in realm SUB.AD.DOMAIN, tried 10 KDCs
```

I checked on our firewall and I saw that it tried to connect to 10 different DCs but not the good one, and since it says "tried 10 KDCs" I can only conclude that it didn't try the one I want it to use. MacBooks aren't bound to the AD and are used with local accounts.

My question is: is there a way to make Kerberos try ALL the KDCs in the realm and not just 10? If so, is there a way to set it in the Airwatch profile I made? Or is there a way for macOS to understand which site they're located in and connect to the right Domain Controller instead of trying 10 bad DCs on the list and then giving up?

Of course the easier option would be to just open the firewall and let all LDAP / Kerberos packets pass through. I tried it and it worked, but we don't want to do that for security reasons.

Considering how specific this question is I don't have a lot of hope, but hey ... never try, never know.
Asked by Xavier (1 rep)
Mar 9, 2022, 12:33 PM
Last activity: Mar 9, 2022, 01:57 PM
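The question has no answers, so the following is an added illustration rather than part of the post. It models the discovery step that produces the "tried 10 KDCs" symptom: a Kerberos client resolves the realm's `_kerberos._tcp` SRV record, orders the answers per RFC 2782, and tries only the head of that list. With 25 equally weighted DCs and a limit of 10, whether the local DC lands among the tried hosts is luck. The script contrasts that with two alternatives a defender can choose between while keeping the firewall policy: consulting the site-scoped AD locator record (`_kerberos._tcp.<SiteName>._sites.<domain>`) first, or pinning the site KDCs in `krb5.conf` and disabling DNS widening with `dns_lookup_kdc = false`. All DNS data, host names and the site name `PARIS` are constructed; the limit of 10 is taken from the error message in the question, not from any documented Heimdal constant.

```python
"""Illustrate how a Kerberos client turns DNS SRV answers into the short list of
KDCs it actually tries, and how a site-scoped lookup or a pinned krb5.conf
changes that list. All DNS data below is constructed; nothing touches the network."""
import random

REALM = "SUB.AD.DOMAIN"

# Constructed SRV answers: name -> list of (priority, weight, port, target).
# The realm-wide record lists every DC; the "_sites" form is the AD DC-locator
# record that only lists DCs of one AD site (assumed site name: "PARIS").
SRV = {
    "_kerberos._tcp.sub.ad.domain": [
        (0, 100, 88, f"dc{i:02d}.sub.ad.domain") for i in range(1, 26)
    ],
    "_kerberos._tcp.PARIS._sites.sub.ad.domain": [
        (0, 100, 88, "dc07.sub.ad.domain"),
        (0, 100, 88, "dc08.sub.ad.domain"),
    ],
}


def order_srv(records, rng=None):
    """RFC 2782 ordering: ascending priority, weighted-random within a priority."""
    rng = rng or random.Random()
    by_priority = {}
    for rec in records:
        by_priority.setdefault(rec[0], []).append(rec)
    ordered = []
    for prio in sorted(by_priority):
        pool = list(by_priority[prio])
        while pool:
            total = sum(r[1] for r in pool)
            pick = rng.uniform(0, total) if total else 0
            running = 0
            for r in pool:
                running += r[1]
                if running >= pick:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


def candidate_kdcs(realm, site=None, limit=10, rng=None):
    """Return the host:port list a client would try, at most `limit` entries.
    With a site name the site-scoped record is consulted first and the
    realm-wide record second, so the local DCs land at the head of the list."""
    names = []
    if site:
        names.append(f"_kerberos._tcp.{site}._sites.{realm.lower()}")
    names.append(f"_kerberos._tcp.{realm.lower()}")
    seen, result = set(), []
    for name in names:
        for _, _, port, target in order_srv(SRV.get(name, []), rng):
            if target not in seen:
                seen.add(target)
                result.append(f"{target}:{port}")
    return result[:limit]


def render_krb5_realms(realm, kdcs):
    """Render an illustrative krb5.conf fragment that pins the given KDCs and
    stops the library from widening the list via DNS (dns_lookup_kdc = false)."""
    lines = ["[libdefaults]", "    dns_lookup_kdc = false", "", "[realms]",
             f"    {realm} = {{"]
    lines += [f"        kdc = {k}" for k in kdcs]
    lines.append("    }")
    return "\n".join(lines)


if __name__ == "__main__":
    rng = random.Random(1)  # fixed seed so the demo is reproducible
    flat = candidate_kdcs(REALM, limit=10, rng=rng)
    print("realm-wide lookup, the 10 hosts that would be tried:")
    print("  " + "\n  ".join(flat))
    local = candidate_kdcs(REALM, site="PARIS", limit=10, rng=rng)
    print("\nsite-aware lookup, tried first:", local[:2])
    print("\npinned configuration for this site:\n" + render_krb5_realms(REALM, local[:2]))
```

Run it a few times without the fixed seed and the realm-wide list changes each time, which is exactly why a firewall that only permits the site DC turns discovery into a coin toss. The pinned stanza is the deterministic alternative; its cost is that the pinned hosts must be kept in step with the site a given device sits in, which is the per-site profile problem the question raises.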