Active Directory is not exactly Rocket Science
No one can make it work. Even people who worked inside Microsoft keep telling me that it does not work there either.
In the explanations for the recent Azure secret key disaster, Microsoft has also (unknowingly?) admitted that they consider their client zone to be less secure than their server zone.