When you use delegated authentication, you can choose one of the following types of delegation:
Full delegation
Full delegation is the initial implementation of Kerberos delegation. In this delegation method, a client forwards its Ticket Granting Ticket (TGT) to a service after Kerberos authentication. The service uses the TGT to get service tickets to access any other service in the network. This type of delegation is not considered secure because an administrator cannot control the services that the server can access using the client identity. Full delegation is also known as unconstrained delegation.
Resource-based constrained delegation
With resource-based constrained delegation, administrators can restrict how services use the client identity. In this delegation method, the client does not forward its TGT to the server. Instead, the services specify who they trust and who can delegate authentication to them.
Constrained delegation uses Kerberos protocol extensions called Service for User (S4U) that allow a service to obtain a Kerberos service ticket on behalf of a user.
You cannot use both constrained delegation and full delegation in a single domain. You can configure the domain to use either full delegation or constrained delegation.
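The following is an added example, not part of the original documentation: one way to check which delegation type each service account is configured for, assuming the KDC is Active Directory and the account attributes have been exported from LDAP. The attribute names and flag values are Active Directory's; the function names and account records are constructed for illustration.

```python
# Added example. Assumes Active Directory as the KDC; SAMPLE records are constructed.
TRUSTED_FOR_DELEGATION = 0x80000  # userAccountControl bit: full (unconstrained) delegation
SERVER_TRUST_ACCOUNT = 0x2000     # userAccountControl bit: domain controller account

def delegation_types(entry):
    """Return the delegation types configured on one exported account record."""
    uac = int(entry.get("userAccountControl", 0))
    types = []
    if uac & TRUSTED_FOR_DELEGATION:
        types.append("full")
    # SPNs this account may request tickets for on a user's behalf (S4U).
    if entry.get("msDS-AllowedToDelegateTo"):
        types.append("constrained")
    # Set on the resource itself: names the accounts allowed to delegate to it.
    if entry.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        types.append("resource-based")
    return types

def full_delegation_accounts(entries):
    """Names of non-DC accounts that receive forwarded client TGTs."""
    flagged = []
    for entry in entries:
        uac = int(entry.get("userAccountControl", 0))
        # Domain controllers carry the flag by default, so they are skipped.
        if uac & SERVER_TRUST_ACCOUNT:
            continue
        if "full" in delegation_types(entry):
            flagged.append(entry["sAMAccountName"])
    return flagged

# Constructed sample export (hypothetical hosts in example.test).
SAMPLE = [
    {"sAMAccountName": "DC01$", "userAccountControl": 532480},
    {"sAMAccountName": "WEB01$", "userAccountControl": 528384},
    {"sAMAccountName": "svc-report", "userAccountControl": 512,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/db01.example.test:1433"]},
    {"sAMAccountName": "DB01$", "userAccountControl": 4096,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": b"<constructed descriptor>"},
    {"sAMAccountName": "APP01$", "userAccountControl": 4096},
]

if __name__ == "__main__":
    for account in SAMPLE:
        print(account["sAMAccountName"], delegation_types(account) or ["none"])
    print("Review (full delegation):", full_delegation_accounts(SAMPLE))
```

Accounts returned by `full_delegation_accounts` are the ones that hold forwarded client TGTs and are the first candidates to move to a constrained form.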