O'Reilly's Windows DevCenter has an excerpt from their Security Warrior book, giving an overview of how Kerberos works in Win2k and Windows Server 2003.  They also show that Kerberos by itself does not prevent offline dictionary attacks against weak passwords, which is a common misconception.  It's a brief piece, but provides a decent explanation of Kerberos, which is often one of the parts of the Windows security story that a lot of people don't fully understand.