>But in this case, what does Kerberos give over just using a password
>based solution? It adds complexity, but what's the actual gain?
That's due to the policy of some customers. They require all logins to be Kerberos-based and password-less. I suppose this way they don't need to maintain passwords in each database, and the same keytab file may be used in connections to multiple databases. If we can do the delegation approach right, it's clearly a superior solution, since keytab file management is also quite a heavy burden.