Sorry, the negotiate protocol just reflects it is a kerberos authenticated request, which is correct.
I believe what is below is at least part of the problem, or at least provides more color around the issue.
Failed to authenticate with http/_HOST kerberos principal, trying with hive/_HOST kerberos principal
The hive principal also fails. Since knox impersonates a real LDAP user, my assumption is that the real issue is that something is mismatched between knox and hive. However, this was all configured through the Ambari wizard.
This may not be related, since this appears to be thrown only for the two principals (HTTP and HIVE). It seems to progress past this point, as my request headers are printed farther down in the log for the offending session.