Kerberos doesn't concern itself with authorization, just authentication. It's up to the app to accept or reject a ticket, and that process is completely opaque to Kerberos. It _could_ be extended since Kerberos allows pretty much any damn thing you want to happen with vendor extensions, but I'm not sure that's a situation you want AD to be handling given its track record in the rest of the security space.