If you want to get the "single sign-on" functionality similar to an Active Directory domain with Windows XP clients of a standards-based Kerberos KDC you're going to have to do some hacking.
The Active Directory to Windows XP client "workstation trust" and logon process is more than just standards-based Kerberos. Windows XP can authenticate to a Kerberos realm, but the Kerberos credentials must be "mapped" to a local user account. This isn't the same functionality as a Windows XP machine joined to a domain, insofar as there are no local user accounts necessary when joined to a domain. You would need to create local user accounts that correspond to each set of Kerberos credentials if you intend to get domain-like functionality.
There are replacements to the Windows default "Graphical Identification aNd Authentication" (GINA) module that can fake the domain-like behaviour. The "right way" to perform this function would be to write an LSA security support provider (SSP) for standards-based Kerberos (which I don't believe anyone outside of Microsoft has done).
There was the pGina project, but this is starting to suffer from code rot. While it is stable, I would only use it as a last resort. In addition to providing Kerberos support, it also has a modular framework that will allow interfacing with just about anything you can think of - there are examples for databases, RADIUS, etc. Think of it as an open-source equivalent of the "pam" stack for Windows.
The source code is still available, and at the very least, the core code is well past the 1.0 mark and is production-worthy. The real issue is the quality of code surrounding some of the modules, some are stable but some are barely better than proof-of-concept.
If you want to get the "single sign-on" functionality similar to an Active Directory domain with Windows XP clients of a standards-based Kerberos KDC you're going to have to do some hacking.
Here's the Windows 2000-era guide for configuring authentication against a Kerberos Realm: http://technet.microsoft.com/en-us/library/bb742433.aspx
The Active Directory to Windows XP client "workstation trust" and logon process is more than just standards-based Kerberos. Windows XP can authenticate to a Kerberos realm, but the Kerberos credentials must be "mapped" to a local user account. This isn't the same functionality as a Windows XP machine joined to a domain, insofar as there are no local user accounts necessary when joined to a domain. You would need to create local user accounts that correspond to each set of Kerberos credentials if you intend to get domain-like functionality.
There are replacements to the Windows default "Graphical Identification aNd Authentication" (GINA) module that can fake the domain-like behaviour. The "right way" to perform this function would be to write an LSA security support provider (SSP) for standards-based Kerberos (which I don't believe anyone outside of Microsoft has done).
REGINA - A project at Reed College to do a single-sign-on Kerberos-based GINA. - http://people.reed.edu/~nobles/reed/regina.html
CMU "Kerberized" NT Login - http://asg.andrew.cmu.edu/andrew2/dist/gina.html (Looks like the source isn't available anymore!)
There was the pGina project, but this is starting to suffer from code rot. While it is stable, I would only use it as a last resort. In addition to providing Kerberos support, it also has a modular framework that will allow interfacing with just about anything you can think of - there are examples for databases, RADIUS, etc. Think of it as an open-source equivalent of the "pam" stack for Windows.
The source code is still available, and at the very least, the core code is well past the 1.0 mark and is production-worthy. The real issue is the quality of code surrounding some of the modules, some are stable but some are barely better than proof-of-concept.