Given my lack of progress on adding Kerberos support to NSS (and hence to Mozilla's TLS implementation), I've started looking at other solutions to the problem of using Kerberos credentials to authenticate web sessions.
The kx509 code from the University of Michigan is looking very promising. It allows users to gain short lived X509 certificates using their Kerberos credentials. These certficates are then transparently used by the browser (via a custom PKCS#11) module to authenticate to the server.
So far, I've hacked all of the umich specific stuff out of the code, and rejigged the build system so its better at dealing with different environments. Its looking very promising though - next step is to try to get some web applications to operate with client certificates.