What is constrained delegation?
J.D. Meier, Jason Taylor, Prashant Bansode, Carlos Farre, Madhu Sundararajan, Steve Gregersen
Impersonation is a WCF service configuration in which the service accesses resources on the same computer using the client’s user identity. Delegation is similar to impersonation, except that the WCF service can access resources on the same machine or on other machines using the client’s user identity. Delegation flows the original caller’s identity to back-end resources on computers other than the one running the service.
The Microsoft Windows Server 2003 operating system provides a more secure form of delegation called constrained delegation. With constrained delegation, you can configure the Microsoft Active Directory directory service to restrict the services and servers that your WCF service application can access with the impersonated identity. Constrained delegation in Windows Server 2003 requires Kerberos authentication.
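The restriction described above, as an added Python example that is not part of the original guidance: it classifies service accounts as unconstrained, constrained or non-delegating, and checks whether a back-end service is on an account's allowed list. The `TRUSTED_FOR_DELEGATION` bit of `userAccountControl` and the `msDS-AllowedToDelegateTo` attribute are Active Directory's own; the account names, SPNs and record layout are constructed for illustration.

```python
# Added example: classify delegation settings from directory records.
# All records below are constructed sample data, not from a real directory.

NORMAL_ACCOUNT = 0x200
TRUSTED_FOR_DELEGATION = 0x80000  # userAccountControl bit: unconstrained delegation

SAMPLE_ACCOUNTS = [  # constructed; "allowed" mirrors msDS-AllowedToDelegateTo
    {"name": "svc-wcf-orders", "uac": NORMAL_ACCOUNT,
     "allowed": ["MSSQLSvc/sql01.example.test:1433"]},
    {"name": "svc-legacy", "uac": NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "allowed": []},
    {"name": "svc-reports", "uac": NORMAL_ACCOUNT, "allowed": []},
]


def delegation_mode(account):
    """Return 'unconstrained', 'constrained' or 'none' for one account."""
    if account["uac"] & TRUSTED_FOR_DELEGATION:
        return "unconstrained"  # may delegate to any service
    if account["allowed"]:
        return "constrained"    # may delegate only to the listed SPNs
    return "none"


def may_delegate_to(account, target_spn):
    """True if the account could present the caller's identity to target_spn."""
    mode = delegation_mode(account)
    if mode == "unconstrained":
        return True
    if mode == "constrained":
        # SPNs are compared case-insensitively.
        allowed = {spn.lower() for spn in account["allowed"]}
        return target_spn.lower() in allowed
    return False


def audit(accounts):
    """Names of accounts that should be moved to constrained delegation."""
    return [a["name"] for a in accounts
            if delegation_mode(a) == "unconstrained"]


if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        print(acct["name"], delegation_mode(acct), acct["allowed"])
    print("Unconstrained, needs review:", audit(SAMPLE_ACCOUNTS))
```
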