JDK-8272162: S4U2Self ticket without forwardable flag


    • Type: Bug
    • Resolution: Fixed
    • Priority: P4
    • Affects Version/s: 18
    • Fix Version/s: 18
    • Component/s: security-libs
    • Labels: None

      The current JGSS implementation does not allow the use of non-forwardable S4U2Self tickets.
      The application fails with an exception caused by
      KrbException: S4U2self ticket must be FORWARDABLE
              at sun.security.krb5.internal.CredentialsUtil.acquireS4U2selfCreds(CredentialsUtil.java:105)
              at sun.security.krb5.Credentials.acquireS4U2selfCreds(Credentials.java:495)
              at sun.security.jgss.krb5.Krb5InitCredential.impersonate(Krb5InitCredential.java:395)
      This exception was added as part of JDK-8022582 [1], and it is thrown for every non-forwardable S4U2Self ticket.

      However, according to the Microsoft specification [2], the KDC marks the S4U2Self ticket as non-forwardable when trustedToAuthForDelegation is false and the msDs-AllowedToDelegateTo list is non-empty.

      In this case the SFU client should not fail; it should instead locate a DS_BEHAVIOR_WIN2012 DC and send the request there [3].

      [1] - http://hg.openjdk.java.net/jdk9/jdk9/jdk/rev/ae6449bc523f#l3.17
      [2] - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/ddb2cafd-1f01-4834-b52a-d4a5b34cd960
      [3] - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/ddb2cafd-1f01-4834-b52a-d4a5b34cd960

            Assignee: Weijun Wang (weijun)
            Reporter: Alexey Bakhtin (abakhtin)
            Votes: 0
            Watchers: 4
