When doing S4U2PROXY, first you get a TGT for yourself. Then you call gss_acquire_cred_impersonate_name, which gets you what is essentially a TGT for the identity you're impersonating. It's this credential which has an incorrect end time. Next you use this impersonated credential to call gss_init_sec_context for the service you want to contact as the impersonated identity and pass in the impersonated credential. gss_init_sec_context uses the impersonated credential to fetch a service ticket for the service you're contacting. When it does that, it has to first find the impersonated credential in the credentials cache, which fails because the end time doesn't match.

I reproduced this with some enhanced GSS sample programs, but you should be able to do it with kvno also. I get three credentials in my cache: one which is my original TGT, one for myself for the impersonated user, and one for the target service for the impersonated user. Both of the credentials for the impersonated user have the shorter lifetime, and it's the second one, the one for myself, which it fails to find in the credentials cache when attempting to get the third one.