[keycloak-user] Active Directory

I am looking to use KeyCloak backed by an AD server. Can I check a few things that I understand are correct. 1) Using the User Federation SPI I import the following from ActiveDirectory into the KeyCloak database : first name, surname, email, username and password. 2) Password checks are made against the Keycloak database and not the ActiveDirectory system 3) Enabling kerberos authentication will allow me to do paswordless login using my web browser from my windows box Hope I am not to far from the mark Chris