Hello Valerie,
thanks for your reply. Unfortunately this doesn't helps us out 
1. Customer is using Logon Groups and the SAP GUI Frontend is using the snc/identity/as from Message Server. If this does not contain p:CN=SAP/.... our assumption was that the SNC Client Encryption Client is not able to request service ticket because of missing SPN Syntax
2. Until today my assumption was, the SAP/ append feature is a feature of the Secure Login Client SP2 Patch 3 and not of the SAP GUI or SNC Client Encryption Installation (based on SSO 1.0) at least I found this information first in SAP Note 169605 - SNC name configuration to Kerberos and Certificates. So lets assume the Server Identity contains the p:CN=SAP/... shouldn't be the issue, the Domain append is working well, we know.
3. I don´t like this information "..the CommonCryptoLib does not support SNC Client Encryption". I can tell you why
there is the possiblity to configure X.509 and Kerberos authentication in parallel on the server side.
It would be ok that one client will be the SNC client Encryption SAP GUI instead of a full SSO Secure Login Client. It makes no difference for SNC on server side.
This scenario will work.
please see this post - Please let me know what is correct now? Is this also not supported using the Secure Login Library 2.0?
Will recommend the customer to create OSS Message.
Best regards,
Carsten