Hi Brian, Great Article. I just spent the last week setting Kerberos up so this is really synchronicity that this topic is showing up today. You explain it more clearly than any article I have seen out there.
I know that you did not intend to cover delegation as a topic for this article, but for the folks who are working on this now, you can configure delegation by going to AD, finding the computer record for the server that will be doing the delegation and checking the box for allowing delegation.
Also, if you are setting up a web server, the web.config file needs to be set to use Windows authentication and allow impersonation. The impersonation will allow the server to pass your credentials to the next server.
In most situations where you are just dealing with serving reports, a generic id to connect to the server will work fine, but when you are refining your security model on SQL Server to use Windows authentication, this is critical. Also, if you are having users insert and update records through your web app, it is critical to have their correct credentials for auditing.
Thanks again for explaining this concept so well; it's making a lot more sense to me. I got into a discussion with another developer over using Kerberos or LDAP and I think this article hits upon some key concerns.