Kerberos delegation is needed to allow a frontend service to impersonate users when it authenticates to a backend service.
There are 3 types of delegation:
- Unconstrained - The user requests a forwarded TGT and sends it to the remote service alongside the service ticket in the authentication request (AP-REQ); the remote service extracts the forwarded TGT from that request and can then use it to impersonate the user against any service.
- Traditional Constrained - The service requests a service ticket to itself on behalf of another user (S4U2self), then uses this ticket to impersonate said user when authenticating to a specific target SPN it has been allowed to delegate to (S4U2proxy).
- Resource-based Constrained (RBCD) - A security descriptor stored in the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the target computer object dictates which accounts may perform S4U2proxy to that computer; the configuration lives on the target resource rather than on the frontend service.
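Because the three delegation types are configured in different places (a userAccountControl bit for unconstrained, the msDS-AllowedToDelegateTo list for traditional constrained, and the msDS-AllowedToActOnBehalfOfOtherIdentity security descriptor on the target for RBCD), an audit has to check all three. The following added example, not part of the original page, classifies account records into those categories. It assumes the records were already exported from Active Directory and that the RBCD security descriptor was rendered as an SDDL string; the account names, SIDs and SPNs are constructed sample data. The userAccountControl bit values are the documented AD schema constants.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# userAccountControl bits relevant to delegation (AD schema constants).
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation enabled
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"


@dataclass
class AdAccount:
    """One exported AD account (hypothetical export format, assumed here)."""
    sam: str
    uac: int
    allowed_to_delegate_to: List[str] = field(default_factory=list)  # msDS-AllowedToDelegateTo
    allowed_to_act_sddl: str = ""  # msDS-AllowedToActOnBehalfOfOtherIdentity rendered as SDDL


# SDDL ACE layout: (type;flags;rights;object_guid;inherit_guid;sid). We only
# care about allow ACEs, whose trustee SID is the principal granted RBCD.
ACE_SID = re.compile(r"\(A;[^;]*;[^;]*;[^;]*;[^;]*;(S-1-[0-9-]+)\)")


def rbcd_principals(sddl: str) -> List[str]:
    """Return the SIDs allowed to act on behalf of other identities to this resource."""
    return ACE_SID.findall(sddl)


def classify(acct: AdAccount) -> List[str]:
    """Return the delegation types configured on a single account."""
    findings = []
    if acct.uac & TRUSTED_FOR_DELEGATION:
        findings.append("unconstrained")
    if acct.allowed_to_delegate_to:
        kind = "constrained"
        if acct.uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            kind += "+protocol-transition"  # S4U2self tickets become forwardable
        findings.append(kind)
    sids = rbcd_principals(acct.allowed_to_act_sddl)
    if sids:
        findings.append("rbcd:" + ",".join(sids))
    return findings


def is_delegation_protected(acct: AdAccount) -> bool:
    """True if the account cannot be impersonated via delegation at all."""
    return bool(acct.uac & NOT_DELEGATED)


def audit(accounts: List[AdAccount]) -> Dict[str, List[str]]:
    """Map each account that has any delegation configured to its findings."""
    return {a.sam: classify(a) for a in accounts if classify(a)}


# Constructed sample export: one account per delegation type plus two controls.
SAMPLE = [
    AdAccount("FILESRV$", 0x1000 | TRUSTED_FOR_DELEGATION),
    AdAccount("websvc", 0x200 | TRUSTED_TO_AUTH_FOR_DELEGATION,
              allowed_to_delegate_to=["MSSQLSvc/db01.corp.example:1433"]),
    AdAccount("DB01$", 0x1000,
              allowed_to_act_sddl="O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;"
                                  "S-1-5-21-1004336348-1177238915-682003330-1105)"),
    AdAccount("plainuser", 0x200),
    AdAccount("domainadmin", 0x200 | NOT_DELEGATED),
]

if __name__ == "__main__":
    for sam, findings in audit(SAMPLE).items():
        print(f"{sam}: {', '.join(findings)}")
    for a in SAMPLE:
        if is_delegation_protected(a):
            print(f"{a.sam}: protected from delegation (NOT_DELEGATED)")
```

In a real review the RBCD SIDs would be resolved back to account names and compared against the expected frontend services, and privileged accounts missing the NOT_DELEGATED bit (or Protected Users membership) would be flagged, since those are the identities that delegation abuse targets.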
Unconstrained Delegation
Constrained Delegation
Resource-based Constrained Delegation (RBCD)