By default, the Microsoft® Windows® 2000 operating system uses the Kerberos protocol for authentication. This How To describes how to configure Kerberos delegation, a powerful feature that allows a server, while impersonating a client, to access remote resources on behalf of the client.

        <p>
        Delegation is a very powerful feature and is unconstrained on Windows 2000. It
        should be used with caution. Computers that are configured to support delegation should be
        under controlled access to prevent misuse of this feature.
        Windows .NET Server will support a constrained delegation feature.
        </p>

        <p>
        When a server impersonates a client, Kerberos authentication generates a delegate-level
        token (one that can be used to respond to network authentication challenges
        from remote computers) only if both of the following conditions are met:
        <ol>
        <li>
        The client account that is being impersonated is not marked as "sensitive and
        cannot be delegated" in the Microsoft Active Directory® directory service.
        <ol>
        <li>
        Log onto the domain controller using an administrator account.
        </li>
        <li>
        On the taskbar, click the Start button, point to Programs, point to Administrative
        Tools, and then click Active Directory Users and Computers.
        </li>
        <li>
        Under your domain, click the Users folder.
        </li>
        <li>
        Right-click the user account that is to be delegated, and then click Properties.
        </li>
        <li>
        Click the Account tab.
        </li>
        <li>
        Within the Account options list, make sure Account is sensitive and cannot be
        delegated is not selected.
        </li>
        <li>
        Click OK to close the Properties dialog box.
        </li>
        </ol>

        </li><li>
        The server process account (the user account under which the server process is
        running, or the computer account if the process is running under the local
        SYSTEM account) is marked as trusted for delegation in Active Directory.
        <br />
        This procedure ensures that the account used to run the server process (the process
        that performs impersonation) is allowed to delegate client accounts. You must
        configure the user account under which the server process runs, or if the process
        runs under the local SYSTEM account, you must configure the computer account.
        Perform the appropriate procedure that follows, depending on whether your server
        process runs under a Windows user account or under the local SYSTEM account.

        <ol>
        <li>
        To confirm that the server process account is trusted for delegation if the server process runs under a Windows user account
        <ol>
        <li>
        Within the Users folder of Active Directory Users and Computers, right-click
        the user account that is used to run the server process that will impersonate the
        client, and then click Properties.
        </li>
        <li>
        Click the Account tab.
        </li>
        <li>
        Within the Account options list, click Account is trusted for delegation.
        </li>
        </ol>
        </li>

        <li>
        To confirm that the server process account is trusted for delegation if the server process
        runs under the local SYSTEM account
        <ol>
        <li>
        Right-click the Computers folder within Active Directory Users and Computers,
        and then click Properties.
        </li>
        <li>
        Right-click the server computer (where the process that impersonates the client
        will be running), and then click Properties.
        </li>
        <li>
        On the General page, click Trust computer for delegation.
        </li>
        </ol>
        </li>
        </ol>

        </li></ol>
        </p>
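        <p>
        Both conditions above correspond to bits in the account's userAccountControl attribute, so they can be audited from a script rather than one Properties dialog at a time. The following PowerShell is an added example, not part of the original How To; it uses the ADSI searcher that ships with Windows PowerShell (no extra module) and the documented ADS_USER_FLAG constants, and the account name in the usage lines is a placeholder.
        </p>

```powershell
# Added example (not from the original How To): audit the two userAccountControl
# flags that the GUI procedures set. Run on a domain-joined machine as a domain user.
$ADS_UF_TRUSTED_FOR_DELEGATION = 0x80000   # "Account is trusted for delegation" / "Trust computer for delegation"
$ADS_UF_NOT_DELEGATED          = 0x100000  # "Account is sensitive and cannot be delegated"
$BitAnd = '1.2.840.113556.1.4.803'         # LDAP_MATCHING_RULE_BIT_AND

function Find-DelegationTrusted {
    # Lists every account (users and computers both carry objectClass=user) that has the
    # TRUSTED_FOR_DELEGATION bit set. On Windows 2000 this is unconstrained delegation,
    # so the list should be short and each entry deliberately reviewed.
    $filter = "(&(objectClass=user)(userAccountControl:$BitAnd:=$ADS_UF_TRUSTED_FOR_DELEGATION))"
    $searcher = [ADSISearcher]$filter
    $searcher.PageSize = 500
    $searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'distinguishedName'))
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            Account = $r.Properties['samaccountname'][0]
            DN      = $r.Properties['distinguishedname'][0]
        }
    }
}

function Test-CanBeDelegated {
    # Returns $true when the client account may be delegated, i.e. the
    # NOT_DELEGATED ("sensitive") bit is clear; $false when it is set.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $searcher = [ADSISearcher]"(sAMAccountName=$SamAccountName)"
    $searcher.PropertiesToLoad.Add('userAccountControl') | Out-Null
    $result = $searcher.FindOne()
    if (-not $result) { throw "Account '$SamAccountName' not found" }
    $uac = [int]$result.Properties['useraccountcontrol'][0]
    return (($uac -band $ADS_UF_NOT_DELEGATED) -eq 0)
}

# Usage ('svc-webapp' is a placeholder account name):
Find-DelegationTrusted | Format-Table -AutoSize
Test-CanBeDelegated -SamAccountName 'svc-webapp'
```

        <p>
        Running Find-DelegationTrusted periodically gives you the "controlled access" list the caution above asks for: any account that appears there can use a client's delegate-level token against other servers.
        </p>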