Is it possible to use Kerberos over TLS through sssd?
Solution 1:
What you want to achieve with RFC 6251 is not possible with MIT Kerberos as there are no plans to implement this scheme. However, since MIT Kerberos 1.13 there is support for proxying Kerberos over HTTPS by supporting the same protocol that Microsoft's Active Directory does support, MS-KKDCP. The client side for MS-KKDCP was backported to RHEL 7 as well (https://rhn.redhat.com/errata/RHSA-2015-0439.html).
The functionality depends on ability to proxy Kerberos traffic by the clients. SSSD running on RHEL 7/CentOS 7 should be able to do so. Amazon Linux does not have this version of Kerberos library, I think, so your approach would not work.
In addition, Amazon's Simple AD is Samba AD built with Heimdal kerberos. It is also not supporting MS-KKDCP, so cannot be used as a MS-KKDCP proxy.