One more issue I neglected to note:

* In the TGS part of a S4U2Self request, when multiple TGS requests are required due to cross-realm, to be consistent with Windows clients, only the first request should present the certificate; later requests should present the client principal obtained from the PA-FOR-X509-USER padata in the first TGS response.

I will also note here that, per Isaac's investigation, the Windows LSA API will extract a UPN SAN from the client certificate and use that enterprise principal in preference to the certificate. To do the same we would need certificate-parsing code or an OpenSSL dependency in the S4U2Self code.
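To make the second point concrete, here is an added example (not code from this ticket, from MIT krb5, or from Isaac's investigation) of what the "certificate-parsing code" would have to do: walk the DER-encoded subjectAltName value, find the otherName whose type-id is the Microsoft UPN OID 1.3.6.1.4.1.311.20.2.3, and return its UTF8String so it can be used as the enterprise principal. It uses a minimal hand-written DER walker instead of OpenSSL, so it has no external dependency; the SAN blob it parses is constructed inline for the demonstration, and s4u2self_client_name() is a hypothetical helper showing the LSA preference (UPN SAN first, certificate-derived name as fallback), not an MIT krb5 API.

```python
"""Extract a Microsoft UPN otherName from a DER-encoded subjectAltName value.

Added example with no OpenSSL/cryptography dependency: a small DER walker
plus a constructed SAN value to exercise it.  Not MIT krb5 code.
"""
from typing import Optional, Tuple, Iterator

# DER contents of OID 1.3.6.1.4.1.311.20.2.3 (szOID_NT_PRINCIPAL_NAME)
UPN_OID = bytes([0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x03])

TAG_OID = 0x06
TAG_UTF8STRING = 0x0C
TAG_SEQUENCE = 0x30
TAG_OTHERNAME = 0xA0   # GeneralName [0] IMPLICIT, constructed (replaces SEQUENCE)
TAG_DNSNAME = 0x82     # GeneralName [2] IMPLICIT, primitive
TAG_EXPLICIT_0 = 0xA0  # OtherName.value [0] EXPLICIT wrapper


def der_len(n: int) -> bytes:
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one TLV at buf[pos]; return (tag, contents, next_pos).
    Rejects truncated input and indefinite-length encodings (not DER)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("TLV contents run past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def iter_children(body: bytes) -> Iterator[Tuple[int, bytes]]:
    pos = 0
    while pos < len(body):
        tag, contents, pos = read_tlv(body, pos)
        yield tag, contents


def upn_from_san(san_der: bytes) -> Optional[str]:
    """Return the UPN from a SAN GeneralNames SEQUENCE, or None if absent."""
    tag, names, end = read_tlv(san_der, 0)
    if tag != TAG_SEQUENCE or end != len(san_der):
        raise ValueError("SAN value is not a single SEQUENCE")
    for gn_tag, gn_body in iter_children(names):
        if gn_tag != TAG_OTHERNAME:
            continue  # dNSName, rfc822Name, ... can never carry a UPN
        # OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }
        parts = list(iter_children(gn_body))
        if len(parts) != 2 or parts[0][0] != TAG_OID or parts[0][1] != UPN_OID:
            continue  # some other otherName type (e.g. an SRVName)
        if parts[1][0] != TAG_EXPLICIT_0:
            continue
        inner = list(iter_children(parts[1][1]))
        if len(inner) != 1 or inner[0][0] != TAG_UTF8STRING:
            raise ValueError("UPN otherName value is not a UTF8String")
        return inner[0][1].decode("utf-8")
    return None


def s4u2self_client_name(san_der: bytes, cert_fallback: str) -> str:
    """Hypothetical helper: prefer the enterprise principal from the UPN SAN,
    as the ticket says Windows LSA does; otherwise use the name the caller
    derived from the certificate itself."""
    upn = upn_from_san(san_der)
    return upn if upn is not None else cert_fallback


def build_san(upn: Optional[str], dns: str) -> bytes:
    """Construct a SAN GeneralNames value (sample data for the demo)."""
    names = b""
    if upn is not None:
        value = tlv(TAG_EXPLICIT_0, tlv(TAG_UTF8STRING, upn.encode("utf-8")))
        names += tlv(TAG_OTHERNAME, tlv(TAG_OID, UPN_OID) + value)
    names += tlv(TAG_DNSNAME, dns.encode("ascii"))
    return tlv(TAG_SEQUENCE, names)


if __name__ == "__main__":
    print(upn_from_san(build_san("alice@EXAMPLE.COM", "host.example.com")))
    print(upn_from_san(build_san(None, "host.example.com")))
```

The walker deliberately fails closed: a malformed length, a non-SEQUENCE outer value, or a UPN otherName whose value is not a UTF8String raises rather than returning a partial name, since whatever comes out of this function becomes the client principal for the rest of the S4U2Self exchange.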