The extensions.client file in pkinit.rst creates a single-principal SAN, 
even if the CLIENT environment variable is set to a value containing 
slashes.  If the resulting certificate is used with a multi-component 
client principal, the KDC will deny the request with a client mismatch 
error (without enough detail in the logs; see #7938).

The documentation should explain this and should explain how to modify 
extensions.client to create multi-component principal SANs.