Finally, a resolution. The guest user in the LDAP database is not in the “users” group, which it has to be to be able to impersonate Knox. As soon as I added a user to Active Directory with the correct name and in the users group, and then pointed Knox to use this, all was well.
The moral of the story is, don’t use the starter LDAP database to test Kerberos, and don’t be afraid to add debug statements to the code, at least in test. I honestly don’t think I would have figured this out without doing the latter.