One more issue I neglected to note:

* In the TGS part of an S4U2Self request, when multiple TGS requests are required due to cross-realm, to be consistent with Windows clients, only the first request should present the certificate; later requests should present the client principal obtained from the PA-FOR-X509-USER padata in the first TGS response.

I will also note here that, per Isaac's investigation, the Windows LSA API will extract a UPN SAN from the client certificate and use that enterprise principal in preference to the certificate. To do the same we would need certificate-parsing code or an OpenSSL dependency in the S4U2Self code.
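As an added illustration of the certificate-parsing step mentioned in the last paragraph (this is not code from the message or from the krb5 tree), the following Python walks a DER-encoded SubjectAltName extension value by hand, pulls out the otherName carrying the Microsoft UPN OID (1.3.6.1.4.1.311.20.2.3), and returns it tagged with the enterprise principal name type (10), falling back to the certificate when no UPN SAN is present. The DER helpers, the function names and the sample SAN bytes are all constructed here; the OID and name-type values are the standard ones.

```python
"""Extract a UPN otherName from a DER SubjectAltName value and turn it into an
enterprise principal, as an S4U2Self client would need to do to mirror the
Windows LSA behaviour.  Added illustration, not krb5 code."""

UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # Microsoft szOID_NT_PRINCIPAL_NAME
NT_ENTERPRISE_PRINCIPAL = 10          # Kerberos name type for user@REALM forms

# --- minimal DER helpers (constructed for this example) --------------------

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, content):
    """One TLV element."""
    return bytes([tag]) + der_len(len(content)) + content

def encode_oid(dotted):
    """Dotted OID -> DER content octets (base-128 arcs, first two packed)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def decode_oid(raw):
    """DER content octets -> dotted OID (assumes first arc is 0 or 1)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

# --- SAN walking -----------------------------------------------------------

def upn_from_san(san_der):
    """Walk GeneralNames and return the UTF8String from the first otherName
    whose type-id is the UPN OID, or None if there is no UPN SAN."""
    tag, names, _ = read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName value must be a SEQUENCE")
    pos = 0
    while pos < len(names):
        tag, content, pos = read_tlv(names, pos)
        if tag != 0xA0:                 # only [0] otherName is of interest
            continue
        oid_tag, oid_raw, p = read_tlv(content, 0)
        if oid_tag != 0x06 or decode_oid(oid_raw) != UPN_OID:
            continue
        val_tag, explicit, _ = read_tlv(content, p)   # value is [0] EXPLICIT
        if val_tag != 0xA0:
            continue
        str_tag, utf8, _ = read_tlv(explicit, 0)
        if str_tag == 0x0C:             # UTF8String
            return utf8.decode("utf-8")
    return None

def s4u2self_client_name(san_der, cert_fallback="<certificate>"):
    """Prefer the UPN SAN as an enterprise principal; otherwise present the
    certificate itself (the path the message says we take today)."""
    upn = upn_from_san(san_der)
    if upn is not None:
        return {"name_type": NT_ENTERPRISE_PRINCIPAL, "name": upn}
    return {"name_type": None, "name": cert_fallback}

# Constructed sample: a SAN with a dNSName followed by a UPN otherName.
SAMPLE_SAN = der(0x30,
    der(0x82, b"host.example.com")                      # [2] dNSName
    + der(0xA0, der(0x06, encode_oid(UPN_OID))          # [0] otherName
                + der(0xA0, der(0x0C, b"alice@EXAMPLE.COM"))))

# Constructed sample with no UPN present at all.
SAMPLE_SAN_NO_UPN = der(0x30, der(0x82, b"host.example.com"))

if __name__ == "__main__":
    print(s4u2self_client_name(SAMPLE_SAN))
    print(s4u2self_client_name(SAMPLE_SAN_NO_UPN))
```

The walker deliberately skips every GeneralName choice other than otherName and every otherName whose type-id is not the UPN OID, so a certificate with only a dNSName or rfc822Name falls through to the certificate path. A real implementation would of course get the extension value from a parsed certificate rather than from constructed bytes.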