I’m investigating a domain where logon does not seem to produce a TGT.
After logon with a test account, klist tgt outputs this:
Current LogonId is 0:0x71647be1
Error calling API LsaCallAuthenticationPackage (Ticket Granting Ticket substatus): 1312
klist failed with 0x8009030e/-2146893042: No credentials are available in the security package
I.e. the same output you get on a non-domain member. However, the hosts are definitely joined; they just seem to fall back on NTLM to authenticate to services. DNS is set up correctly. In fact, it is possible to obtain service tickets manually using klist get $SPN, even without being asked for preauth credentials. So Kerberos as such seems functional; it is just that applications like IE refuse to use it.
Likewise, klist tickets yields zero cached tickets. klist sessions spits out errors of the form “Error calling API LsaGetLogonSessionData on LogonId”.
Any ideas what could be the cause of this? Any suggestions on what I should check?
This is not a domain I have control over. The behavior is the same when logged on directly to the machine and when connecting through RDP. Note, though, that this domain has apparently grown over decades and probably even goes back to an NT4 domain originally. I wonder whether at some point years ago they disabled Kerberos auth for the whole domain (via GPO?) because it caused interop issues and then forgot about it.
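The checks a practitioner would run in the affected logon session, collected into one script. This is an added example and not code from the question or its answers; it assumes a domain-joined Windows host with PowerShell 5.1 or later, and the default SPN it requests (cifs/<logon server>) is only an assumed example target. It prints the state of the ticket cache, whether the current logon was a cached-credential logon (LOGONSERVER equal to the local machine, in which case no DC was contacted and no TGT can exist), the authentication package recorded in the session's own 4624 logon event, clock skew against the DC, the machine secure channel, the local LSA/Kerberos registry values that policy writes, and the user's account flags (DONT_REQ_PREAUTH, USE_DES_KEY_ONLY, msDS-SupportedEncryptionTypes) read over LDAP.

```powershell
# Added diagnostic script (not part of the original question). Assumes a
# domain-joined Windows host with PowerShell 5.1+, run in the logon session
# that shows the missing TGT. Steps marked "(admin)" need an elevated prompt.
# $Spn is an assumed example target; any SPN known to be registered will do.
param(
    [string]$Spn = "cifs/" + $env:LOGONSERVER.TrimStart('\')
)

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns the registry value, or '(not set)' so absent policies are visible.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { '(not set)' } else { $item.$Name }
}

function Get-EventDataValue($Event, [string]$Name) {
    # Pulls one <Data Name="..."> field out of an event's XML payload.
    $x = [xml]$Event.ToXml()
    ($x.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

'=== 1. Logon session ==='
"User:        $(whoami /upn 2>$null)"
"LogonServer: $env:LOGONSERVER"
$dc = $env:LOGONSERVER.TrimStart('\')
if ($dc -ieq $env:COMPUTERNAME) {
    'WARNING: LOGONSERVER is the local machine: cached-credential logon, no DC was contacted, so no TGT exists.'
}
nltest /dsgetdc:$env:USERDNSDOMAIN 2>&1 | Select-String 'DC:|Flags'

'=== 2. Time skew against the logon DC (Kerberos tolerates 5 minutes by default) ==='
w32tm /stripchart /computer:$dc /samples:1 /dataonly 2>&1 | Select-Object -Last 1

'=== 3. Machine secure channel (admin) ==='
try { "Secure channel OK: $(Test-ComputerSecureChannel -ErrorAction Stop)" } catch { "Secure channel check failed: $_" }

'=== 4. Ticket cache ==='
$klistOut = klist tgt 2>&1 | Out-String
$klistOut
$logonId = ([regex]'Current LogonId is 0:(0x[0-9a-fA-F]+)').Match($klistOut).Groups[1].Value

'=== 5. How this session was authenticated (admin; Security log event 4624) ==='
$logonEvent = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 5000 -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventDataValue $_ 'TargetLogonId') -eq $logonId } |
    Select-Object -First 1
if ($logonEvent) {
    "LogonType:             $(Get-EventDataValue $logonEvent 'LogonType')"
    "AuthenticationPackage: $(Get-EventDataValue $logonEvent 'AuthenticationPackageName')"
    "LogonProcess:          $(Get-EventDataValue $logonEvent 'LogonProcessName')"
} else {
    "No 4624 event found for LogonId $logonId (needs admin, or the log has rolled over)."
}

'=== 6. Local policy values that influence Kerberos/NTLM selection ==='
$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$kerb = "$lsa\Kerberos\Parameters"
$kpol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
"LmCompatibilityLevel:           $(Get-RegValue $lsa 'LmCompatibilityLevel')"
"RestrictSendingNTLMTraffic:     $(Get-RegValue "$lsa\MSV1_0" 'RestrictSendingNTLMTraffic')"
"Kerberos SupportedEncTypes:     $(Get-RegValue $kerb 'SupportedEncryptionTypes')"
"Kerberos SupportedEncTypes GPO: $(Get-RegValue $kpol 'SupportedEncryptionTypes')"
"LSA Security Packages:          $((Get-RegValue $lsa 'Security Packages') -join ', ')"
"LSA OSConfig Security Packages: $((Get-RegValue "$lsa\OSConfig" 'Security Packages') -join ', ')"

'=== 7. Account flags from AD (DONT_REQ_PREAUTH = 0x400000, USE_DES_KEY_ONLY = 0x200000) ==='
try {
    $acct = ([adsisearcher]"(&(objectCategory=user)(sAMAccountName=$env:USERNAME))").FindOne()
    $uac  = [int]$acct.Properties['useraccountcontrol'][0]
    "userAccountControl: 0x{0:X} (preauth not required: {1}, DES only: {2})" -f $uac,
        (($uac -band 0x400000) -ne 0), (($uac -band 0x200000) -ne 0)
    "msDS-SupportedEncryptionTypes: $($acct.Properties['msds-supportedencryptiontypes'][0])"
} catch { "LDAP query failed: $_" }

'=== 8. Kerberos client log (enable with: wevtutil sl Microsoft-Windows-Kerberos/Operational /e:true) ==='
Get-WinEvent -LogName 'Microsoft-Windows-Kerberos/Operational' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, Message -AutoSize -Wrap

'=== 9. Manual service ticket request, then re-list the cache ==='
klist get $Spn 2>&1 | Select-Object -Last 3
klist tickets 2>&1 | Select-String 'Cached Tickets|Server:'
```

Read section 1 and section 5 together first: a logon session whose LOGONSERVER is the local host, or whose 4624 event shows a non-Kerberos authentication package, never obtained a TGT at logon, and the later klist get succeeding only shows that the Kerberos client can still talk to a KDC on demand.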
User contributions licensed under CC BY-SA 3.0