I am looking to use Keycloak backed by an AD server.
Can I check a few things that I understand are correct?

1) Using the User Federation SPI, I import the following from Active Directory into the Keycloak database: first name, surname, email, username and password.
2) Password checks are made against the Keycloak database and not the Active Directory system.
3) Enabling Kerberos authentication will allow me to do passwordless login using my web browser from my Windows box.

Hope I am not too far from the mark.

Chris