Constrained Delegation

Windows supports two types of constrained delegation: Kerberos Constrained Delegation (KCD) and Resource Based Constrained Delegation (RBCD).

Example configurations for Constrained Delegation

Note: The configurations given below are examples, not recommended configurations. More complicated configurations with increased security granularity are possible. You must configure Constrained Delegation in a way that complies with your organization's operational and security requirements.

Example: Kerberos Constrained Delegation (KCD)

Connect:Direct is on the system CDSystem running under the Local System account and needs to access files on a shared network drive hosted by the system FileSystem. KCD is configured to trust CDSystem to delegate to the cifs Service on FileSystem.

Known consideration for KCD

All services on CDSystem running under the Local System account can delegate to the cifs Service on FileSystem.

Example: Resource Based Constrained Delegation (RBCD)

Connect:Direct is on the system CDSystem running under the Local System account and needs to access files on a shared network drive hosted by the system FileSystem. The cifs Service on FileSystem runs under the Local System account.

RBCD is configured to trust CDSystem to delegate to FileSystem.

Known considerations for RBCD

  • All services on CDSystem running under the Local System account can delegate to all services on FileSystem running under the Local System account.
  • RBCD can provide greater security granularity if Connect:Direct and cifs run under dedicated Service accounts.
  • When configuring delegation, select Use any authentication protocol because of operating system restrictions.
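The two example configurations above, expressed with the ActiveDirectory PowerShell module, followed by the queries an administrator would run to confirm the resulting delegation scope. This is an added example, not part of the original documentation; the computer names CDSystem and FileSystem and the domain corp.example are assumed placeholders.

```powershell
# Added example: KCD and RBCD for the CDSystem -> FileSystem scenario above.
# Run on a domain controller or a host with RSAT; account names are placeholders.
Import-Module ActiveDirectory

$cd   = Get-ADComputer -Identity 'CDSystem'
$file = Get-ADComputer -Identity 'FileSystem'

# --- Kerberos Constrained Delegation (KCD) ---
# Configured on the FRONT-END (CDSystem): the list of back-end SPNs it may delegate to.
# Only cifs on FileSystem is listed, but every service on CDSystem running as
# Local System inherits this right (the known consideration for KCD above).
Set-ADComputer -Identity $cd -Add @{
    'msDS-AllowedToDelegateTo' = @('cifs/FileSystem.corp.example', 'cifs/FileSystem')
}
# "Use any authentication protocol" corresponds to the TrustedToAuthForDelegation flag.
Set-ADAccountControl -Identity $cd -TrustedToAuthForDelegation $true

# --- Resource Based Constrained Delegation (RBCD) ---
# Configured on the RESOURCE (FileSystem): the front-end principals it trusts.
# The grant covers the whole FileSystem computer account, i.e. every service
# running there as Local System, not only cifs; dedicated service accounts for
# Connect:Direct and cifs narrow this scope (the known consideration for RBCD above).
Set-ADComputer -Identity $file -PrincipalsAllowedToDelegateToAccount $cd

# --- Verify what was actually granted ---
Get-ADComputer -Identity $cd -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation |
    Select-Object Name, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
Get-ADComputer -Identity $file -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object Name, PrincipalsAllowedToDelegateToAccount

# --- Periodic review: every computer account involved in either delegation type ---
Get-ADComputer -LDAPFilter '(|(msDS-AllowedToDelegateTo=*)(msDS-AllowedToActOnBehalfOfOtherIdentity=*))' `
    -Properties 'msDS-AllowedToDelegateTo', PrincipalsAllowedToDelegateToAccount |
    Select-Object Name, 'msDS-AllowedToDelegateTo', PrincipalsAllowedToDelegateToAccount
```

The review query at the end lists both KCD front-ends and RBCD resources in one pass, which is the check to repeat whenever the delegation configuration changes.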