But there's a long way to go

We need to finalize the migration mechanism;

We need to decide on password quality and lifetime policies;

We need to put in place the administrative infrastructure required to support the single sign-on system;

We need to determine which (non web-based) network services might support Kerberos authentication;

We need to look in detail at client support for Kerberos authentication.