SSO through SSH on Red Hat 7.2


I've been using Centrify Express 2015 on my Linux (CentOS, Ubuntu, Amazon Linux, etc.) systems for the past year to bind them to AD.  Users are able to SSH into their Linux VMs via SSO using the Kerberized version of PuTTY, selecting "Attempt Kerberos auth..." and selecting the UPN as the auto-login username.  It's been great, very simple, and it just works :-)

I have a project spinning up that is using RHEL 7.2.  I noticed there was an updated version of Centrify Express that supports this version, so I downloaded and installed Centrify Express 2016 Update 1 on a few RHEL 7.2 test VMs.  I am able to join the systems to AD and log in with a username/password without issue.  When I attempt to open SSH to one of these test VMs from my terminal server using the Kerberized version of PuTTY with "Attempt Kerberos auth..." enabled and the UPN selected as the auto-login username, I see a message like this:

Using Kerberos authentication
Using principal user-da@child.domain.me
Got host ticket host/servername.child.domain.me@CHILD.DOMAIN.ME
login as user-da@CHILD.DOMAIN.ME

Kerberos authentication failed.  Please check
1) Unix login name is correct
2) Target service principal name is correct
3) Kerberos authentication is enabled in SSH server
4) Clock in the host is synchronized with the clock in AD

I've verified DNS is set up correctly (forward & reverse lookups match) and the servicePrincipalName attribute of the associated computer object is populated:

nfs/servername.child.domain.me
nfs/servername
http/servername.child.domain.me
http/servername
host/servername.child.domain.me
host/servername
ftp/servername.child.domain.me
ftp/servername
cifs/servername.child.domain.me
cifs/servername

adinfo shows that I am connected to AD, and adquery user finds the user whether I use the UPN or the sAMAccountName:

[ec2-user@servername ~]$ sudo adinfo -aV
Options:
-------
task: all
domain: null
output: null
additional paths: null
user: null
using user's credential cache: Yes
allow password prompt in kerberos get init credential: Yes
user's credential cache: FILE:/tmp/krb5cc_cdc0_Ecu27b
server: null
Local host name: servername
Joined to domain: child.domain.me
Joined as: servername.child.domain.me
Pre-win2K name: servername
Current DC: dc02.child.domain.me
Preferred site: CHS-Core
Zone: Auto Zone
Retrieving site information from site=any, server='dc02.child.domain.me'
Using machine credentials
Using principal name 'servername$@CHILD.DOMAIN.ME'
Binding to child.domain.me, cache=MEMORY:0x120b360
Searching for (&(samAccountName=servername$)(objectClass=computer))
in dc=CHILD,dc=DOMAIN,dc=ME
Found computer account: CN=servername,OU=PROD,OU=Servers,OU=TNM,OU=CHS Programs,dc=CHILD,dc=DOMAIN,dc=ME
Last password set: 2016-09-27 21:33:51 EDT
CentrifyDC mode: connected
Licensed Features: Disabled
[ec2-user@servername ~]$ adquery user user-da@child.domain.me -A
unixname:user-da
uid:1895826512
gid:1895826512
gecos:John Smith DA
home:/home/user-da
shell:/bin/bash
auditLevel:AuditIfPossible
isAlwaysPermitLogin:false
dn:CN=John Smith DA,OU=Domain Admins,OU=Administrators,dc=CHILD,dc=DOMAIN,dc=ME
samAccountName:user-da
displayName:John Smith DA
sid:S-1-5-21-4262317619-3503357892-2585303325-1104
userPrincipalName:user-da@child.domain.me
canonicalName:child.domain.me/Administrators/Domain Admins/John Smith DA
passwordHash:x
guid:5a7b32da-5238-4c42-bfb8-497b704700d5
requireMfa:false
zoneEnabled:true
unixGroups:user-da,denied_rodc_password_replication_,domain_admins,domain_users,igsg_di-rdsfarm_users,igsgcommoncoreserveradmins,igsgisserveradmins,igsgowiserveradmins,igsgserveradmins
memberOf:child.domain.me/Administrators/IGSGServerAdmins,child.domain.me/Sub OU/Common Core/Groups/IGSGCommonCoreServerAdmins,child.domain.me/Sub OU/IS/Groups/IGSGISServerAdmins,child.domain.me/Sub OU/OWI/Groups/IGSGOWIServerAdmins,child.domain.me/DI/EAD/Groups/IGSG DI-RDSFarm Users,child.domain.me/Users/Denied RODC Password Replication Group,child.domain.me/Users/Domain Admins,child.domain.me/Users/Domain Users
[ec2-user@servername ~]$ adquery user user-da -A
unixname:user-da
uid:1895826512
gid:1895826512
gecos:John Smith DA
home:/home/user-da
shell:/bin/bash
auditLevel:AuditIfPossible
isAlwaysPermitLogin:false
dn:CN=John Smith DA,OU=Domain Admins,OU=Administrators,dc=CHILD,dc=DOMAIN,dc=ME
samAccountName:user-da
displayName:John Smith DA
sid:S-1-5-21-4262317619-3503357892-2585303325-1104
userPrincipalName:user-da@child.domain.me
canonicalName:child.domain.me/Administrators/Domain Admins/John Smith DA
passwordHash:x
guid:5a7b32da-5238-4c42-bfb8-497b704700d5
requireMfa:false
zoneEnabled:true
unixGroups:user-da,denied_rodc_password_replication_,domain_admins,domain_users,igsg_di-rdsfarm_users,igsgcommoncoreserveradmins,igsgisserveradmins,igsgowiserveradmins,igsgserveradmins
memberOf:child.domain.me/Administrators/IGSGServerAdmins,child.domain.me/Sub OU/Common Core/Groups/IGSGCommonCoreServerAdmins,child.domain.me/Sub OU/IS/Groups/IGSGISServerAdmins,child.domain.me/Sub OU/OWI/Groups/IGSGOWIServerAdmins,child.domain.me/DI/EAD/Groups/IGSG DI-RDSFarm Users,child.domain.me/Users/Denied RODC Password Replication Group,child.domain.me/Users/Domain Admins,child.domain.me/Users/Domain Users

If I select the username portion of the UPN or the sAMAccountName as the auto-login username, I am able to log in without issue:

Using Kerberos authentication
Using principal user-da@CHILD.DOMAIN.ME
Got host ticket host/servername.child.domain.me@CHILD.DOMAIN.ME
login as user-da
Successful Kerberos connection
Created home directory
[user-da@servername ~]$

By chance has anyone else run into this?  I'm only experiencing this on RHEL and not on any other distros of Linux....I'm stumped.

Thanks!
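
The PuTTY message above lists four things to verify, and the post only shows the evidence for some of them. The script below is an added example (not Centrify's code and not from the original post) that walks those four checks offline against data constructed from the output shown in the post: the servicePrincipalName list, an assumed sshd_config excerpt with GSSAPIAuthentication enabled (RHEL ships it that way, but that is an assumption here), a constructed getpwnam() view of the user, and the MIT krb5 default clock-skew limit of 300 seconds. It reproduces the one visible difference between the failing and working attempts: the login name "user-da@CHILD.DOMAIN.ME" is sent to sshd as-is, while "user-da" is what the host's account database knows.

```python
"""Offline walk-through of the four checks named in the PuTTY failure message.

Added example, not Centrify's or the poster's code. All inputs are constructed
from the values in the post; replace them with real data (getent passwd, the
computer object's servicePrincipalName, /etc/ssh/sshd_config, `date` on the
host and on the DC) to use it on a live system.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sshd_config excerpt (assumption: GSSAPI enabled, as RHEL ships it).
SAMPLE_SSHD_CONFIG = """
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
KerberosAuthentication no
UsePAM yes
"""

# servicePrincipalName values exactly as listed in the post.
SAMPLE_SPNS = [
    "nfs/servername.child.domain.me", "nfs/servername",
    "http/servername.child.domain.me", "http/servername",
    "host/servername.child.domain.me", "host/servername",
    "ftp/servername.child.domain.me", "ftp/servername",
    "cifs/servername.child.domain.me", "cifs/servername",
]

# What the host's NSS layer answers for getpwnam(); constructed from adquery.
SAMPLE_PASSWD = {"user-da": 1895826512, "ec2-user": 1000}

MAX_CLOCK_SKEW = 300  # seconds; MIT krb5's default clockskew


def parse_sshd_config(text):
    """First-match-wins parse, as sshd applies keywords; Match blocks ignored."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"([^\s=]+)\s*=?\s*(.*)", line) if line else None
        if m:
            opts.setdefault(m.group(1).lower(), m.group(2).strip())
    return opts


def split_login(name):
    """'user@REALM' -> ('user', 'REALM'); 'user' -> ('user', None)."""
    local, sep, realm = name.partition("@")
    return local, (realm if sep else None)


def check_login_name(login, principal, passwd):
    """Check 1: does the login string belong to the principal, and does it
    resolve to a local account as sent, or only once the realm is stripped?"""
    p_local, p_realm = split_login(principal)
    l_local, l_realm = split_login(login)
    if l_realm is not None and l_realm.upper() != (p_realm or "").upper():
        return False, "realm in login name differs from ticket realm"
    if l_local != p_local:
        return False, "login name does not match the principal's local part"
    if login in passwd:
        return True, "'%s' resolves to a local account" % login
    if l_local in passwd:
        return False, "'%s' does not resolve as sent; only '%s' does" % (login, l_local)
    return False, "neither form resolves to a local account"


def check_spn(spns, fqdn, realm):
    """Check 2: PuTTY asked for host/<fqdn>@REALM, so that SPN must be registered."""
    want = "host/%s" % fqdn.lower()
    if want in (s.lower() for s in spns):
        return True, "%s@%s is registered" % (want, realm.upper())
    return False, "%s is missing from servicePrincipalName" % want


def check_sshd(opts):
    """Check 3: GSSAPIAuthentication must be yes (OpenSSH's built-in default is no)."""
    if opts.get("gssapiauthentication", "no").lower() == "yes":
        return True, "GSSAPIAuthentication yes"
    return False, "GSSAPIAuthentication is not yes"


def check_clock(host_time, dc_time, max_skew=MAX_CLOCK_SKEW):
    """Check 4: the KDC rejects requests outside its clock-skew window."""
    skew = abs((host_time - dc_time).total_seconds())
    return skew <= max_skew, "skew %.0fs (limit %ds)" % (skew, max_skew)


def diagnose(login, principal, fqdn, spns, sshd_config, passwd, host_time, dc_time):
    """Run all four checks; returns {check: (ok, detail)}."""
    _, realm = split_login(principal)
    return {
        "unix_login_name": check_login_name(login, principal, passwd),
        "target_spn": check_spn(spns, fqdn, realm or ""),
        "sshd_gssapi": check_sshd(parse_sshd_config(sshd_config)),
        "clock": check_clock(host_time, dc_time),
    }


def run_sample(login, skew_seconds=0):
    """Drive diagnose() with the constructed data from the post."""
    host_time = datetime(2016, 9, 27, 21, 33, 51, tzinfo=timezone.utc)
    dc_time = host_time + timedelta(seconds=skew_seconds)
    return diagnose(login, "user-da@CHILD.DOMAIN.ME", "servername.child.domain.me",
                    SAMPLE_SPNS, SAMPLE_SSHD_CONFIG, SAMPLE_PASSWD, host_time, dc_time)


if __name__ == "__main__":
    # The two PuTTY auto-login names the post compares.
    for login in ("user-da@CHILD.DOMAIN.ME", "user-da"):
        print("login as %s" % login)
        for name, (ok, detail) in run_sample(login).items():
            print("  %-16s %s  %s" % (name, "ok  " if ok else "FAIL", detail))
```

With the constructed data, only the first check fails for the UPN form, and it passes for the bare name; on a real host, replace SAMPLE_PASSWD with the result of `getent passwd <login>` for both spellings, since that is the lookup that decides whether the requested account exists as typed. The clock check deliberately uses the KDC's skew window rather than "is NTP running", because a host can be syncing and still be outside the window right after a reboot.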
