If you have to flow the original caller, use constrained delegation
Jason Taylor, Prashant Bansode, Carlos Farre, Madhu Sundararajan, Steve Gregersen
Use delegation to flow the impersonated original user's security context (Windows identity) to the remote back-end service. On the remote back-end service, the original user's Windows identity can be used to authenticate or impersonate the original caller, in order to restrict or authorize the original caller's access to local resources.
When using delegation on Windows Server 2003 or later, use constrained delegation. This allows administrators to specify exactly which services, on a downstream server or running under a domain account, can be accessed when using an impersonated user's security context.
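To check that accounts follow this guidance, the following added example (not part of the original guidance) classifies account records by their delegation settings and lists the services each constrained account may reach. The function name, sample records and host names are constructed for illustration; the flag values are the documented userAccountControl bits.

```powershell
# userAccountControl bit values as documented for Active Directory.
$SERVER_TRUST_ACCOUNT           = 0x2000     # account is a domain controller
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained, with protocol transition

# Hypothetical helper: classify one account record by its delegation settings.
function Get-DelegationFinding {
    param([Parameter(Mandatory, ValueFromPipeline)] [psobject]$Account)
    process {
        $uac  = [int]$Account.userAccountControl
        # SPNs this account may delegate to; empty when the attribute is unset.
        $spns = @($Account.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

        if ($uac -band $TRUSTED_FOR_DELEGATION) {
            # Domain controllers carry this flag by default; review anything else.
            if ($uac -band $SERVER_TRUST_ACCOUNT) {
                $kind = 'Unconstrained (domain controller)'
            } else {
                $kind = 'Unconstrained: move to constrained delegation'
            }
        } elseif ($spns.Count -gt 0) {
            if ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) {
                $kind = 'Constrained (any authentication protocol)'
            } else {
                $kind = 'Constrained (Kerberos only)'
            }
        } else {
            $kind = 'No delegation'
        }
        [pscustomobject]@{
            Name            = $Account.Name
            Delegation      = $kind
            AllowedServices = $spns -join ', '
        }
    }
}

# Constructed sample records, shaped like directory objects with these two attributes.
$sample = @(
    [pscustomobject]@{ Name = 'DC01$';   userAccountControl = 0x82000 }
    [pscustomobject]@{ Name = 'APP01$';  userAccountControl = 0x81000 }
    [pscustomobject]@{ Name = 'WEB01$';  userAccountControl = 0x1000
                       'msDS-AllowedToDelegateTo' = @('MSSQLSvc/db01.example.test:1433') }
    [pscustomobject]@{ Name = 'svc-api'; userAccountControl = 0x1000200
                       'msDS-AllowedToDelegateTo' = @('HTTP/orders.example.test') }
    [pscustomobject]@{ Name = 'svc-job'; userAccountControl = 0x200 }
)
$sample | Get-DelegationFinding | Format-Table -AutoSize
```

Against a live domain, the same function accepts objects from the ActiveDirectory module, for example `Get-ADObject` called with `-Properties userAccountControl, 'msDS-AllowedToDelegateTo'`.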