LDAPS connections to Active Directory made while enabling Kerberos should validate the server's SSL certificate. The current implementation skips validation checks to help avoid SSL issues; however, this is not secure. Also, the trusting SSL connection may not support the more secure SSL protocols (TLSv1.2).
A flag in the ambari.properties file (kerberos.operation.verify.kdc.trust) should be available to let the user select either a trusting SSL connection or a validating (non-trusting) SSL connection. The default should be to use the standard (non-trusting) SSL connection.
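The two connection modes side by side, as an added example that is not Ambari's own code: the class and helper names are hypothetical, and mapping `true` (or an absent property) to the validating connection is an assumption drawn from the flag's name and the stated default.

```java
import java.io.StringReader;
import java.security.cert.X509Certificate;
import java.util.Properties;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class KdcTrustExample {
  // Property name taken from the issue text.
  static final String VERIFY_KDC_TRUST = "kerberos.operation.verify.kdc.trust";

  /** Assumed semantics: validation is the default; only an explicit "false" disables it. */
  static boolean verifyKdcTrust(Properties props) {
    return !"false".equalsIgnoreCase(props.getProperty(VERIFY_KDC_TRUST, "true").trim());
  }

  /** Hypothetical helper: builds the TLSv1.2 context for the LDAPS connection. */
  static SSLContext ldapsContext(Properties props) throws Exception {
    SSLContext ctx = SSLContext.getInstance("TLSv1.2");
    if (verifyKdcTrust(props)) {
      // Null trust managers select the JVM default trust store, so the
      // server's certificate chain is validated during the handshake.
      ctx.init(null, null, null);
    } else {
      // Trusting mode: every certificate is accepted, so the server is
      // not authenticated and the connection can be intercepted.
      TrustManager trustAll = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
      };
      ctx.init(null, new TrustManager[] { trustAll }, null);
    }
    return ctx;
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample ambari.properties contents: absent, true, false.
    String[] samples = { "", VERIFY_KDC_TRUST + "=true", VERIFY_KDC_TRUST + "=false" };
    for (String sample : samples) {
      Properties props = new Properties();
      props.load(new StringReader(sample));
      SSLContext ctx = ldapsContext(props);
      System.out.println("[" + sample + "] verify=" + verifyKdcTrust(props)
          + " protocol=" + ctx.getProtocol());
    }
  }
}
```

Both branches request TLSv1.2 explicitly, so choosing the trusting mode does not also fall back to an older protocol.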