Well, I wouldn't object to a phased approach. If you want to start with a global lock and work towards higher granularity, I'm happy with that. I would object to any design that assumes the KDC must serialize KDB access. The goal should be for the KDC to be able to process multiple requests concurrently.

Nico
--