By definition KerberosString's are supposed to be in the range 0x20-0x7F. MSFT's kerberos implementation breaks this rule and allows Kerberos strings to contain UTF-8 characters for I18n.
Java's Kerberos implementation has MSFT compatibility mode which is enabled by setting the system property "sun.security.krb5.msinterop.kstring" to "true". This allows KerberosString's to contain UTF-8.
The attached patch is a proposed change to add the same support to the kerberos-code jar to allow the change password protocol to work for users with UTF-8 chars in their principal name.