Single-sign-on means that end user only need to log in once to access all network resources that supports kerberos. Once the user has authenticated to kerberos at the start of their login session, their credentials are transparently passed to every other resources they access during the time.
Trusted third party refers to the fact that kerberos works through a centralized authentication server that all systems in the network inherently trust. All the authentications requests are routed via centralized kerberos server.
Mutual authentication ensures that not only is the person behind the keyboard who they claims to be but also proves that the server they are communicating with is who it claims to be. Mutual authentication protects the secrets of sensitive information by ensuring that the service the user is communicating is genuine.