[project2501a]

kerberos solves the problem that you can have short one time tokens using your password.

Add public key infrastructure support, make ldap the default store and you got AD. Even better, you can throw all the OAuth crap down the drain.

now, starting services with a password becomes an issue of booting the machine.

[lokar]

No one would build KRB4/5 today, it makes no sense. It's only advantage over an X.509 cert based system is speed on really really slow CPUs.

[jcgl]

That doesn't seem right to me, assuming you still want the paradigm of one-time principal-to-domain authentication with just-in-time principal-to-resource authentication. While I think you could probably use x509 certs to streamline and modernize the ticket-granting-and-session-key dance, you'd still be doing a lot of the same high-level things.

Depending on the use-case, Kerberos (/this imagined x509 Kerberos) or Oauth2 still seems suitable for single-authenticator/multiple-services paradigm.