Note, for MIT I think we don't need the NonForwardableDelegation flag, just need to behave as enabled and let the plugin's get_principal() add 'TrustedToAuthForDelegation' if the list is empty. This could simplify the KDC code as we don't need to check the PAC's not-delegated flag, although some tests would need updating.