David Bargna
So I would not recommend that you switch the Kerberos Authentication template from "Build from Active Directory" to "Supply in the Request" on the Subject tab. This template has a special flag on it that causes it to talk back to the KDC via the RPC call, as discussed in the blog.
I would recommend that you duplicate, say, Domain Controller Authentication or Workstation, and then use that as the base template. You should be able to do everything you want to accomplish there with that. Then you can use the blog I posted a few backs on "First Issuance manual, with automated renewals" (Microsoft Community Hub) so that you don't have to manually issue these certificates all the time.
I have not really seen any computer certificates issued with a SAN value of "Principal Name", as this is typically tied to an AD object's userPrincipalName value. If it is a computer-based template, it really should be "DNS" as the name / values in the SAN field.
Can you point me to one of our default templates where you are seeing this that are meant for computers to enroll for?