I'm having trouble understanding this report.  In the case you're seeing, 
is kg_compose_deleg_cred being called from kg_impersonate_name (from 
krb5_gss_acquire_cred_impersonate_name, S4U2Self) or from 
create_constrained_deleg_creds in accept_sec_context?

In either event, the phrase "impersonated TGT" is confusing me further.  
S4U does not create impersonated TGTs as far as I know, only impersonated 
service tickets.