Thanks, Lutz. Yes, you summarized my question perfectly: in effect, how can I tell whether I'm getting my desired result (AES256)? The trace is indeed ambiguous and hints at both RC4 and AES256.
Filipe, yes, I followed Nick Wells' thread backwards and forwards for days looking for clues. I don't have any problems with service user passwords or capitalization -- if I did, SNC wouldn't work at all. I did struggle mightily with my AD team to get a service user correctly created -- it seemed impossible to get them to use consistent casing in SPN, UPN, and SamAccountName, etc, and they would report to me that they had "fixed" the case when I could clearly see in ADSI Edit and AD Computers & Users that this wasn't the case (heh, see what I did there?). In the end I gave up and had them use my existing service user that runs the ECC application (SAPService<SID>). I'm aware that this isn't considered best practice, but that user was correctly configured for case (mixed, of course), and only needed the SPN to be added.
So, bottom line, I'm past the point that Nick was struggling with (I did struggle with it earlier, but that's resolved now), and now I'm just trying to learn whether my task is complete. 
Also, tcode SPNEGO doesn't work for me, as we aren't using SPNEGO, only SNC. We also are not using SLL (Secure Login Client), as we are not licensed for NWSSO (I think it's absolutely silly of SAP to charge for this capability, and I think eventually it will go the way of Fiori and become "included" with the core product). So, all I'm going for now is SCE, or SNC Client Encryption.
I appreciate the quick responses!
Cheers,
Matt