If you have compromised a user account or a computer (machine account) that has Kerberos constrained delegation enabled, it is possible to impersonate any domain user (including Administrator) and authenticate to any service that the account is trusted to delegate to.
With unconstrained delegation a server can extract the user's TGT from the TGS sent to that server and use that TGT to request a new TGS for any other service, which is quite dangerous. Microsoft recognised the danger of this and introduced 'S4U2Self' and 'S4U2Proxy' in Windows Server 2003 (S4U = Service-For-User).
The process goes as follows:
Constrained delegation settings are located in the 'Delegation' tab of an object in Active Directory Users and Computers. They can be checked across the whole domain by looking for the msDS-AllowedToDelegateTo property on user and machine accounts, for example with PowerView.
The sname (the service class, i.e. the first part of the SPN) field in a service ticket is not encrypted or integrity-protected, so a ticket obtained for one service on a host can be altered to name any other service on that same host.
If you compromise a computer or user account with SPNs set in msDS-AllowedToDelegateTo, you can pretend to be any domain user to any service on the target hosts described in those SPNs.
If there is an SPN set in the msDS-AllowedToDelegateTo property for an account and the account's userAccountControl property contains the TRUSTED_TO_AUTH_FOR_DELEGATION flag (protocol transition), that account can impersonate any user to any service in that SPN without needing the user to authenticate to it first.
If the TRUSTED_TO_AUTH_FOR_DELEGATION bit is set, the ticket returned by S4U2Self is "forwardable" and can therefore be used in the S4U2Proxy step.
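The audit described above, i.e. finding accounts with msDS-AllowedToDelegateTo set and checking whether their userAccountControl carries TRUSTED_TO_AUTH_FOR_DELEGATION, can be scripted over exported directory data. The following is an added example (not code from the original page or from PowerView): it classifies each account's delegation configuration, reports the target hosts rather than the service classes (since, as noted above, the service class in the ticket is not protected), and lists privileged accounts that are not marked "sensitive and cannot be delegated". The userAccountControl bit values and attribute names are the real, documented ones; the account records are constructed sample data, standing in for what an LDAP query would return.

```python
# Added example: classify Active Directory accounts by their constrained-delegation
# configuration from LDAP-style attribute records. The records in SAMPLE_RECORDS are
# constructed sample data, not real accounts; only the attribute names and the
# userAccountControl flag values are real.

# userAccountControl flag values (documented by Microsoft)
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition


def classify_delegation(record):
    """Return a label describing what kind of delegation an account is configured for."""
    uac = int(record.get("userAccountControl", 0))
    targets = record.get("msDS-AllowedToDelegateTo", [])
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if targets and uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        # Can obtain a forwardable ticket for any user via S4U2Self, then S4U2Proxy to the targets.
        return "constrained-protocol-transition"
    if targets:
        # Kerberos-only: S4U2Proxy still needs a forwardable ticket from a real user logon.
        return "constrained-kerberos-only"
    return "none"


def spn_host(spn):
    """Extract the host part of an SPN such as 'http/host.example:8080'.

    The service class is deliberately ignored: it sits in the unencrypted sname field of
    the ticket, so the effective trust boundary is the host, not the named service.
    """
    rest = spn.split("/", 1)[1] if "/" in spn else spn
    return rest.split(":", 1)[0].lower()


def audit_delegation(records):
    """Return (sAMAccountName, label, sorted target hosts) for every delegating account."""
    findings = []
    for rec in records:
        label = classify_delegation(rec)
        if label == "none":
            continue
        hosts = sorted({spn_host(s) for s in rec.get("msDS-AllowedToDelegateTo", [])})
        findings.append((rec["sAMAccountName"], label, hosts))
    return findings


def unprotected_privileged_accounts(records):
    """Privileged accounts (adminCount=1 here) without NOT_DELEGATED can be impersonated
    through S4U2Proxy by any account that is trusted to delegate."""
    return sorted(
        rec["sAMAccountName"]
        for rec in records
        if int(rec.get("adminCount", 0)) == 1
        and not int(rec.get("userAccountControl", 0)) & NOT_DELEGATED
    )


# Constructed sample records (attribute values as strings, as an LDAP export would give them).
SAMPLE_RECORDS = [
    {"sAMAccountName": "websvc", "userAccountControl": str(0x200 | TRUSTED_TO_AUTH_FOR_DELEGATION),
     "msDS-AllowedToDelegateTo": ["cifs/fileserver.corp.example",
                                  "http/FileServer.corp.example:8080"]},
    {"sAMAccountName": "WEB01$", "userAccountControl": str(0x1000),
     "msDS-AllowedToDelegateTo": ["ldap/dc01.corp.example"]},
    {"sAMAccountName": "legacy$", "userAccountControl": str(0x1000 | TRUSTED_FOR_DELEGATION)},
    {"sAMAccountName": "alice", "userAccountControl": "512"},
    {"sAMAccountName": "Administrator", "userAccountControl": "512", "adminCount": "1"},
    {"sAMAccountName": "svc_backup", "userAccountControl": str(0x200 | NOT_DELEGATED),
     "adminCount": "1"},
]

if __name__ == "__main__":
    for name, label, hosts in audit_delegation(SAMPLE_RECORDS):
        print(f"{name:15} {label:32} {', '.join(hosts)}")
    print("privileged accounts without NOT_DELEGATED:",
          unprotected_privileged_accounts(SAMPLE_RECORDS))
```

Accounts that land in the "constrained-protocol-transition" bucket deserve the closest review, since they need no user interaction to obtain a forwardable ticket for any user; high-value accounts should carry the NOT_DELEGATED flag or be placed in the Protected Users group, both of which prevent them from being delegated at all.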