Looks like the CFX spec is changing. The unknown token id support (including the returned CONTINUE_NEEDED status and KRB-ERROR token) is likely to be going away, and in its place, the so-called "checksum" in the AP-REQ will have an extension field after the Flags or Delegation fields, which a plain CFX (i.e., not newer than CFX) server must ignore.
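What "must ignore" means for an acceptor parsing the authenticator checksum, as an added example (not code from this note or from any Kerberos implementation): a bounds-checked parser that validates the fixed and delegation fields and skips whatever follows. The field layout (Lgth, Bnd, Flags, DlgOpt, Dlgth, Deleg, trailing extensions) is assumed from RFC 4121 section 4.1.1; the extension contents are not defined here, and `struct gss_cksum`, `parse_gss_cksum` and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define GSS_C_DELEG_FLAG 1u   /* RFC 4121 section 4.1.1.1 */
struct gss_cksum {            /* hypothetical result type for this example */
    const uint8_t *bnd;       /* 16-byte channel-binding hash */
    uint32_t flags;           /* context-establishment flags */
    const uint8_t *deleg;     /* KRB-CRED bytes, NULL if no delegation */
    size_t deleg_len;
    size_t ext_len;           /* trailing extension bytes, left unparsed */
};

static uint32_t le16(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8; }
static uint32_t le32(const uint8_t *p) { return le16(p) | le16(p + 2) << 16; }

/* Returns 0 on success, -1 if the fixed or delegation fields are malformed. */
int parse_gss_cksum(const uint8_t *buf, size_t len, struct gss_cksum *out)
{
    size_t off = 24;                       /* Lgth(4) + Bnd(16) + Flags(4) */
    if (len < off || le32(buf) != 16)
        return -1;
    out->bnd = buf + 4;
    out->flags = le32(buf + 20);
    out->deleg = NULL;
    out->deleg_len = 0;
    if (out->flags & GSS_C_DELEG_FLAG) {   /* DlgOpt(2) + Dlgth(2) + Deleg */
        if (len - off < 4 || le16(buf + 24) != 1)
            return -1;
        out->deleg_len = le16(buf + 26);
        off += 4;
        if (len - off < out->deleg_len)
            return -1;
        out->deleg = buf + off;
        off += out->deleg_len;
    }
    out->ext_len = len - off;              /* ignored, never an error */
    return 0;
}

/* Constructed sample: flags 0x3e, no delegation, 4 made-up extension bytes. */
static const uint8_t sample[28] = {0x10, 0, 0, 0, [20] = 0x3e,
                                   [24] = 0xde, 0xad, 0xbe, 0xef};
int main(void)
{
    struct gss_cksum c;
    int rc = parse_gss_cksum(sample, sizeof sample, &c);
    printf("rc=%d flags=0x%x ext_len=%zu\n", rc, (unsigned)c.flags, c.ext_len);
    return rc;
}
```

Trailing bytes are only counted, so an acceptor built this way keeps working when an initiator starts sending the extension field, while a truncated delegation field is still rejected.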