WE12 Cracking Open Kerberos

October 20th, 2010

2:00 PM - 3:15 PM

Prerequisite: None

Mark Minasi

IT Consultant, Author, Speaker


When used for simple authentication, Active Directory's authenticator of choice, Kerberos, is trouble-free: set up an AD, Kerberos just works, and that's it. But start to add AD-aware servers and services, or try to understand how a read-only domain controller differs from a full DC, and all of a sudden there's a LOT to know -- and ticket granting tickets, pre-authenticators, and session keys are just the start, as anyone knows. But what's this about "delegation," or, in Server 2008, "CONSTRAINED delegation" -- is it only permissible between consenting adults? And what's an "SPN," the thing that the invaluable "setspn" utility assists with? Once past that, you may find that some of your users seem to be logged onto AD but aren't really, due to the frightening-sounding "token bloat." What's all of this (it's good news, really), and what can it do for (or to) you? Find out when Mark resumes the mantle of Revealer of Windows Logons, explaining all this -- and more -- while keeping that trademark Minasi energy and humor.