I created a fresh WS 2008 R2 SP1 system from DVD, joined the domain, applied group policy, restarted and installed NPS and RRAS. A test from a remote host proves NPS and Kerberos.dll were working correctly at this point.
I then installed KB2871997 on its own and lsass crashed upon VPN connection, so it's pretty clear this is a bug in KB2871997.
According to its accompanying security advisory, this update seems to be a security enhancement, not a bug fix, so I think it can be removed if it breaks things. I have removed it from my WS2008 R2 server and it is now working again.
(I would not exclude it from the auto update list though, in case M$ publishes a new version. The current version is already v2...)
However, this update is not released separately for WS2012 R2 but as part of a security rollup. I am still trying to figure out how to uninstall it for that OS.