I've been using the collateral from the link referenced in my post of 2017-07-06. While I've made progress, a working configuration eludes me. The latest hurdle involves not having enough detail in the Web Agent and Policy Server trace logs to be able to pinpoint the issue. Here are sanitized extracts from my log files:
WebAgentTrace.log
[09/14/2017][13:11:05][20714][4104148736][CSmCredentialManager.cpp:260][CSmCredentialManager::GatherAdvancedAuthCredentials][0000000000000000000000008edae590-50ea-59bac639-f4a05700-0b2b1eab9e8c][*192.168.219.107][][hostname-apache-agent][/cgi-bin/dump-headers-kerberos.pl][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials returned SmSuccess.]
[09/14/2017][13:11:05][20714][4104148736][SmAgentAPI.cpp:2698][Sm_AgentApi_Login][][][][][][][Enter function Sm_AgentApi_Login]
[09/14/2017][13:11:05][20714][4104148736][SmAgentAPI.cpp:2698][Sm_AgentApi_Login][0000000000000000000000008edae590-50ea-59bac639-f4a05700-0b2b1eab9e8c][myusername@ADLAB.DOMAIN.NET" rel="nofollow" target="_blank">http://hostname.adlab.domain.net:8080][][hostname-apache-agent][/cgi-bin/dump-headers-kerberos.pl][myusername@ADLAB.DOMAIN.NETmyusername@ADLAB.DOMAIN.NET][]
[09/14/2017][13:11:06][20700][3625666368][SmAgentAPI.cpp:4879][Sm_AgentApi_DoManagement][][][][][][][Enter function Sm_AgentApi_DoManagement]
[09/14/2017][13:11:06][20700][3625666368][SmAgentAPI.cpp:5099][Sm_AgentApi_DoManagement][][][][][][][Leave function Sm_AgentApi_DoManagement]
[09/14/2017][13:11:07][20714][4104148736][SmAgentAPI.cpp:2927][Sm_AgentApi_Login][][][][][][][Leave function Sm_AgentApi_Login]
[09/14/2017][13:11:07][20714][4104148736][CSmLowLevelAgent.cpp:1343][AuthenticateUser][0000000000000000000000008edae590-50ea-59bac639-f4a05700-0b2b1eab9e8c][*192.168.219.107][][hostname-apache-agent][/cgi-bin/dump-headers-kerberos.pl][][User 'myusername@ADLAB.DOMAIN.NET' is not authenticated by Policy Server.]
smtracedefault.log
[09/14/2017][14:11:07][3889421168][][][][][][][][][][][][][][Failed to validate user myusername@ADLAB.DOMAIN.NET: Minor Status=-1765328240, Major Status=851968, Message=Wrong principal in request][][][][][][][][32045][SmAuthenticate][][][14:11:07.275][][][][][][][][][][][][][][][][][][][][][][][][][][][][][smauthkerberos.cpp:442]
I've done my best to maximize the level of logging in both files. The web agent trace does not identify the principal in the ticket sent to the policy server, and the policy server does not indicate what principal it received from the web agent or what principal it expects to see. I have also obtained a Wireshark trace between the web agent and the policy server, but all traffic between those two components regarding Kerberos tickets is encrypted and cannot be inspected.
Are any techniques available to obtain more detail regarding why the policy server flags "wrong principal in request"?
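As an added example (not part of the original post and not SiteMinder code), the two status numbers in the smtracedefault.log line can be decoded to show which layer raised the failure. The function names, the regular expression and the trimmed sample line are assumptions made for illustration; the lookup tables hold only the values that appear on this page.

```python
import re

# Constructed sample: the smtracedefault.log line from the post, empty brackets trimmed.
SAMPLE = ("[09/14/2017][14:11:07][3889421168][][Failed to validate user "
          "myusername@ADLAB.DOMAIN.NET: Minor Status=-1765328240, "
          "Major Status=851968, Message=Wrong principal in request]"
          "[][32045][SmAuthenticate][smauthkerberos.cpp:442]")

STATUS_RE = re.compile(
    r"Failed to validate user (?P<user>[^:\]]+): "
    r"Minor Status=(?P<minor>-?\d+), Major Status=(?P<major>\d+), "
    r"Message=(?P<message>[^\]]*)\]")

KRB5_TABLE_BASE = -1765328384                    # ERROR_TABLE_BASE_krb5 (MIT krb5)
GSS_ROUTINE_ERRORS = {13: "GSS_S_FAILURE"}       # RFC 2744; only the value seen here
KRB5_OFFSETS = {144: "KRB5KRB_AP_WRONG_PRINC"}   # only the value seen here

def decode_gss_major(major):
    """Split a GSS-API major status into its RFC 2744 bit fields."""
    routine = (major >> 16) & 0xFF
    return {"calling_error": (major >> 24) & 0xFF,
            "routine_error": routine,
            "routine_name": GSS_ROUTINE_ERRORS.get(routine, "unknown"),
            "supplementary": major & 0xFFFF}

def decode_krb5_minor(minor):
    """Express a minor status as an offset into the krb5 com_err table."""
    offset = minor - KRB5_TABLE_BASE
    if not 0 <= offset < 256:        # a com_err table holds at most 256 codes
        return {"in_krb5_table": False, "offset": None, "name": "unknown"}
    return {"in_krb5_table": True, "offset": offset,
            "name": KRB5_OFFSETS.get(offset, "unknown")}

def parse_failures(text):
    """Return one decoded record per 'Failed to validate user' trace line."""
    records = []
    for m in STATUS_RE.finditer(text):
        records.append({"user": m["user"], "message": m["message"],
                        "gss": decode_gss_major(int(m["major"])),
                        "krb5": decode_krb5_minor(int(m["minor"]))})
    return records

if __name__ == "__main__":
    for rec in parse_failures(SAMPLE):
        print(rec)
```

The major status decodes to the generic GSS_S_FAILURE, so the specific cause is carried only in the minor status: in MIT krb5 that code is returned when the server principal named in the presented ticket does not match the principal the accepting side was told to accept.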