Steps

Per Microsoft and other sources: Constrained delegation (KCD) or Resource-Based Constrained Delegation (RBCD) are strongly recommended as more secure, restricted alternatives that align with the principle of least privilege

Ref: 

• Security considerations for Dynamics 365 Customer Engagement (on-premises)

• How to Find and Disable Unconstrained Delegation in Active Directory

Constrained delegation is recommended because:

• Unconstrained delegation is considered insecure and exposes TGTs if the service is compromised.
• Modern security is best practice to avoid unconstrained delegation entirely.

Ref:

• Kerberos Constrained Delegation Overview

• Windows authentication - Kerberos constrained delegation with Microsoft Entra ID

Key Considerations for Dynamics 365 On-Premise Delegation:

• Initial Setup/Troubleshooting: Setting up unconstrained delegation (via Active Directory Users and Computers) on the CRMWeb account allows the application pool to pass user credentials to backend services, ensuring functionality.
• Security Risk: Unconstrained delegation poses a security risk, as a compromised server can impersonate users across the entire domain.
• Alternative (Best Practice): Use Kerberos Constrained Delegation (KCD) to restrict the web server to delegating credentials only to specific services, such as the CRM database and report servers.
• Service Principal Names (SPNs): For delegation to work, appropriate SPNs must be registered for the service accounts running the IIS application pool and SQL Server services.
• Configuration: The delegation setting is configured in Active Directory under the Delegation tab for the service account, which becomes available once SPNs are registered. 

Ref: 

Active Directory Security Risk #101: Kerberos Unconstrained Delegation (or How Compromise of a Single Server Can Compromise the Domain)

Ref:

How to set up dynamics crm onpremise kerberos server 

Best practice recommendation

For Dynamics 365 (on-premises):

• Use Constrained Delegation (KCD)
• Resource-Based Constrained Delegation (RBCD) on newer AD environments

or

NOTE: Unless there is an exceptional, legacy limitation requiring unconstrained delegation

What is required?

Dynamics 365 on‑premises requires Kerberos authentication when credentials must be delegated across more than one hop (the classic double‑hop scenario). 

Such as:

• Dynamics 365 web server → backend SQL server
• Dynamics 365 web server → SSRS server
• Users accessing CRM through a load balancer

This is confirmed in Microsoft community guidance:

NOTE FOR CLARIFICATION: Kerberos is required in multi-hop scenarios, but unconstrained delegation is only used in Microsoft’s example for illustration and is not listed as a requirement. 

When Kerberos Delegation Comes Into Play

Kerberos delegation (the ability for a service to impersonate a user and access other resources on their behalf, solving the "double-hop" issue) is only relevant in specific scenarios:

• Load-balanced or multi-server setups (e.g., front-end CRM web servers behind a load balancer, or separate SQL/SSRS servers).
• Multi-hop authentication flows, such as the CRM application pool needing to delegate user credentials to backend services (SQL Server, SSRS for reports, etc.).
• When using Windows Authentication with Negotiate (Kerberos preferred over NTLM) and the application pool runs under a domain account (or the computer account in some cases).

In a simple single-server deployment with no separate backend services requiring impersonation, or if you're using NTLM fallback, delegation is typically not needed at all. SPN registration and proper IIS authentication provider settings (Negotiate at the top) are usually sufficient for basic Kerberos.

Unconstrained vs. Constrained Delegation

• Unconstrained delegation ("Trust this user/computer for delegation to any service (Kerberos only)") is the older, less secure model. It allows the account to impersonate users to any service in the domain.
• Constrained delegation ("Trust this user/computer for delegation to specified services only" + "Use Kerberos only") is the modern, recommended approach. You explicitly list the target SPNs (e.g., HTTP/ for CRM, MSSQLSvc/ for SQL, etc.).

Microsoft and security best practices strongly recommend constrained delegation (or resource-based constrained delegation where applicable) wherever delegation is needed. 

Unconstrained delegation is a known security risk (e.g., easier credential theft/lateral movement) and should be avoided or used only temporarily for testing.

Community guidance for Dynamics CRM/Dynamics 365 on-premises (including load-balanced environments) often demonstrates unconstrained first for simplicity, then switches to constrained after verification — but constrained works fully and is preferred.

Official Microsoft Guidance Summary

• Dynamics 365 on-premises security and deployment docs focus on SPN registration, service account permissions, and IIS/Kerberos configuration — they do not mandate unconstrained delegation.
• For related Microsoft products (e.g., Business Central on-premises, Analysis Services, Power BI gateway), Microsoft explicitly calls out constrained delegation as the way to go.
• No current Microsoft documentation for Dynamics 365 Customer Engagement on-premises lists unconstrained delegation as a prerequisite.

Recommendation

If your environment requires delegation:

1. Register the necessary SPNs (HTTP/ for the CRM URL, etc.) on the application pool account or computer account.
2. Configure constrained delegation on the relevant account(s) in Active Directory (Delegation tab).
3. Set IIS application pool to use the domain account (or configure kernel-mode auth properly with useAppPoolCredentials).
4. Test with tools like klist or Fiddler to confirm Kerberos tickets are being delegated correctly.

If you're not seeing double-hop issues (e.g., 401 errors when accessing reports or backend resources), you likely don't need any delegation setting.

Per Microsoft, Unconstrained delegation is a legacy option you can avoid entirely for a more secure Dynamics 365 on-premises deployment. 

Security Best Practice: Microsoft recommends transitioning away from unconstrained delegation to KCD, particularly for multi-hop ("double-hop") scenarios like web applications accessing databases.

Ref:

• Kerberos unconstrained double-hop authentication with Microsoft Edge (Chromium)

• Post-installation and configuration guidelines for Microsoft Dynamics 365

• You can't use Kerberos unconstrained delegation in certain versions of Windows