When used for simple authentication, Active Directory's authenticator of choice, Kerberos, is trouble-free: set up an AD, Kerberos just works, and that's it. But start to add AD-aware servers and services, or try to understand how a read-only domain controller differs from a full DC, and all of a sudden there's a lot to know. Ticket granting tickets, pre-authenticators, and session keys are just the start. What's this about "delegation", or Server 2008's "CONSTRAINED delegation"? And what's an "SPN", the thing that the invaluable "setspn" utility assists with? You may also find that some of your users seem to be logged on to AD but aren't really, due to the frightening-sounding "token bloat." Find out the answers when Mark resumes the mantle of Revealer of Windows Logons, explaining all this -- and more -- while keeping that trademark Minasi energy and humor.