> If I'm right, why would I want to expire the whole principal!?

If you know that at a certain time, the individual with that principal is going to be leaving your company/school/whatever, this is a good way to ensure that they can no longer authenticate to your KDC after that time.

Jen