Kerberos constrained delegation to domain controllers

http://serverfault.com –

Setup:
Forest Functional Level: Windows 2003
All DCs: Windows 2003 64-bit SP2

Requirements:
The Citrix server wants to use Kerberos delegation for SSO purposes. They want to create Kerberos constrained delegation from the Citrix Presentation Server to the local DCs for the CIFS and LDAP services.

I fear that it would allow administrators on the Presentation Server to impersonate domain admins against the LDAP service on the DCs and make unauthorized changes in AD.

Questions:
Is my assumption correct?
If yes, how easy would it be to do that?
What are the operational repercussions of allowing such delegation?

(HowTos)