Are you using certificate enrollment? It looks like it is trying to pass a certificate, and not recognizing the format. Most customers don't enroll using certificates.
If you are not actively using certificate enrollment, you should set the enrollment process to Deny Certificate Enrollment, which will force it to enroll using the username and password from AD. It looks like the impersonation of the user is working, so my best guess based on the log outputs together would be that it is passing a certificate (error 10970 is an invalid certificate), the desktop client tries building out the folder structures needed for the program (this happens normally even on a failed enrollment), and the server sees the certificate as 'corrupt', because it is not the format it expected.
Go to Consumers > Directory Synchronization, then click Settings... in the bottom left. The box to enroll using directory authentication should be checked. Change 'Allow' or 'Force' to 'Deny' for certificate enrollment.
Let me know how that works for you.