With Kerberos SPAN, wouldn’t we have to have a SPAN session for every authenticating domain controller in the environment?  Since there can only be two ISE-PIC nodes, that seems to eliminate that option (if my assumption’s correct).Also, if we were t...