@AZADMIN Welcome to the Microsoft Q&A Forum. Thank you for posting your query here!
The reason for waiting for several hours before rotating back to kerb1 is to ensure that any cached credentials or authorization tokens that were issued using the old password have expired.
When a client authenticates to a domain-joined Azure Files SMB share, it obtains a token that contains an encrypted copy of the account's password. This token can be cached locally and used for subsequent authentication attempts, which can lead to issues if the password is changed during an active session.
By waiting several hours before rotating back to kerb1, you give the clients enough time to refresh their tokens and ensure that they are using the new password. This helps to prevent issues with authentication failures or unexpected behavior due to cached credentials.
It is also worth noting that the specific duration of the waiting period may vary depending on factors such as the size of the domain, the number of clients, and the length of time that tokens are cached. Therefore, it is a good idea to monitor the system and ensure that all clients are able to authenticate successfully before rotating back to kerb1.
Please let us know if you have any further queries. I’m happy to assist you further.
Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.
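The rotation the answer above describes (kerb1 to kerb2, wait for tickets issued under the old key to age out, then back to kerb1), as an added PowerShell example that is not part of the original answer. It assumes the AzFilesHybrid module is installed and that the caller has already run Connect-AzAccount with rights on the storage account and on its AD DS object; the resource names, share name and the 12-hour wait are placeholders, and the Test-AzFilesKerbAccess function is meant to be run on a domain-joined client rather than on the administrator's machine.

```powershell
# Added example (not from the original answer): rotate an Azure Files AD DS
# storage account Kerberos key kerb1 -> kerb2, verify that a client can obtain
# a fresh ticket under the new key, wait, then rotate back to kerb1.
# Assumptions: AzFilesHybrid module installed, Connect-AzAccount already done,
# and the names below are placeholders for your own environment.

$ResourceGroup  = 'rg-files-prod'      # placeholder
$StorageAccount = 'stfilesprod001'     # placeholder
$ShareName      = 'share1'             # placeholder
$WaitHours      = 12                   # placeholder; choose after monitoring your clients

Import-Module AzFilesHybrid

function Rotate-AzFilesKerbKey {
    param([ValidateSet('kerb1', 'kerb2')][string]$KeyName)
    # Regenerates the named Kerberos key on the storage account and sets the
    # password of the AD DS object that represents the account to that key
    # (behaviour as documented for the AzFilesHybrid cmdlet; verify for your version).
    Update-AzStorageAccountADObjectPassword `
        -RotateToKerbKey $KeyName `
        -ResourceGroupName $ResourceGroup `
        -StorageAccountName $StorageAccount
}

function Test-AzFilesKerbAccess {
    # Run on a domain-joined client. Purge cached tickets so the next access must
    # obtain a fresh service ticket under the current key, then touch the share.
    $spn = "cifs/$StorageAccount.file.core.windows.net"
    klist purge | Out-Null
    klist get $spn | Out-Null                 # requests a fresh service ticket for the SPN
    $ticketOk = ($LASTEXITCODE -eq 0)
    $shareOk  = Test-Path "\\$StorageAccount.file.core.windows.net\$ShareName"
    [pscustomobject]@{
        Spn            = $spn
        TicketObtained = $ticketOk
        ShareReachable = $shareOk
    }
}

# Step 1: move to kerb2 and confirm a client gets a working ticket under the new key.
Rotate-AzFilesKerbKey -KeyName kerb2
Test-AzFilesKerbAccess | Format-List

# Step 2: wait for tickets issued under the old key to expire (the AD DS default
# maximum service ticket lifetime is 10 hours), keep checking that clients still
# authenticate, then rotate back to kerb1 and re-check.
Start-Sleep -Seconds ($WaitHours * 3600)
Rotate-AzFilesKerbKey -KeyName kerb1
Test-AzFilesKerbAccess | Format-List
```

The `klist purge` in the check is deliberate: without it a client may keep using a cached ticket and pass the test even though the new key is broken, which is exactly the failure mode the waiting period is meant to surface gradually rather than all at once.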