File this one under hard lessons learned.
If you want to use WS-Security Kerberos Token Profile with a Java based client that is using Java GSS-API, then you have to use the HMAC-RC4 encryption type.
This means you'll need JDK 1.6
If you're setting this up the way that you've grown accustomed (setting the "Use DES Encyrption" flag in the user's Active Directory record), then you'll struggle - like I did.
Odd behvaior, like when you try requireDerivedKeys=false, you'll get errors like
Cannot create the 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc
In fact, if the SPN is mapped to an account with DES Encryption, you'll only be able to get this to work with requireDerivedKeys=true. The algorithm in the binding doesn't matter.
Another error that you'll encounter is:
The key size requirements for the 'Basic128' algorithm suite are not met by the 'System.IdentityModel.Tokens.KerberosReceiverSecurityToken' token which has key size of '64'
I think what they're trying to say is that the DES key 64 bits is not sufficient to work with Basic128.
In my experience, simply changing the user account mapped to the SPN to Not use DES Encryption made all of these problems go away, and interoperability work like a charm.