Just for the record...even under Simple LDAP I used userPrincipalName rather than sAMAccountName. Use userPrincipalName with Simple LDAP and imported users are displayed with just the shortname. With Kerberos the name includes the realm. Tomorrow when I try the revised test below I'll paste in the screenshot for Simple LDAP with UPN as the user name.
However, certainly the user I was testing with does own objects in vCD. In the morning I will try creating a brand new user under Simple LDAP for admin login. Then I will switch to Kerberos, delete that new user and add back in. If I can login successfully I'll mark the answer as correct.