It seems to me like what you are attempting to do is somewhat against the proper usage of Kerberos authentication. Let MC be the machine from which you are trying to make the connection and AMT the machine you are trying to connect to. Is it the case that MC and AMT are in different domains that are related in the domain hierarchy, or do they belong to completely disjoint domains?
In the case of having the domains belong to the same hierarchy (meaning they are sibling domains or parents/children of each other) you can probably use the C# ActiveDirectory modules to resolve the SID.
To answer your question about querying AMT for the user, this will only be possible if you have another means of authenticating with AMT, for example Digest credentials or a different Kerberos user that does belong to the domain (and has access to the Security Administration, General Info Realms), in which scenario you can invoke AMT_AuthorizationService.EnumerateUserAclEntries in order to get the ACL entries in AMT.
Hope this answers your question.
Thanks for the reply!
The machine I am connecting from may just as well be in a workgroup, so not at all connected with the domain. The login with Kerberos works; apparently it's the AMT target machine that verifies the provided Kerberos user, so I don't need to find an alternative method for logging in. I am just not sure how I would invoke AMT_AuthorizationService.EnumerateUserAclEntries. I assume this is part of the low-level API and it's not accessible in the HLAPI, is that correct? If yes, how would I, from my IAMTInstance object, use the AMT_AuthorizationService?