Hi,
To perform constrained delegation from Service A to Service B, the forwardable
flag must be set in the S4U2Self service ticket returned by the KDC to Service
A.
I did some testing with a Windows KDC and it will set the forwardable flag in
the S4U2Self service ticket in either of the following cases:
1) Trust
Did some more digging and found out the following:
The service ticket used in S4U2Proxy need not be forwardable if resource-based
constrained delegation is used, i.e. the principalsAllowedToDelegateTo option is
configured on Service B.
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/dd1b47f