Kerberos Constrained Delegation (KCD) is an extension to Microsoft Windows Server Kerberos authentication.
It provides a mechanism to restrict the additional services that a Kerberos-authenticated user or service can request access to. In an unconstrained Windows Server Kerberos environment, a duly authenticated service could delegate access to any other service within the same domain. When constrained delegation is in use, administrators can restrict accounts so that they delegate only to allowed services. As a result, trust boundaries can be configured to limit how far Kerberos-authenticated accounts propagate, without forgoing the advantages of Kerberos authentication. KEMP LoadMaster supports KCD via the Edge Security Pack (ESP).
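The difference between unconstrained and constrained delegation described above can be audited from exported Active Directory account records. The following is an added example, not code from KEMP or Microsoft. It uses the real `userAccountControl` flag values and the `msDS-AllowedToDelegateTo` attribute, while the account names, SPNs and function names are constructed for illustration and the SPN comparison is a simplified model of the allow-list check.

```python
from dataclasses import dataclass, field

# userAccountControl bit flags, as documented by Microsoft
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained, with protocol transition

@dataclass
class Account:
    name: str
    uac: int                                       # userAccountControl
    allowed: list = field(default_factory=list)    # msDS-AllowedToDelegateTo

def delegation_mode(acct):
    """Classify how an account is allowed to delegate."""
    if acct.uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if acct.allowed:
        if acct.uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained+protocol-transition"
        return "constrained"
    return "none"

def may_delegate(acct, target_spn):
    """Simplified model of the allow-list check: exact SPN match, case-insensitive."""
    mode = delegation_mode(acct)
    if mode == "unconstrained":
        return True          # no allow-list applies
    if mode == "none":
        return False
    return target_spn.lower() in {s.lower() for s in acct.allowed}

def unconstrained_accounts(accounts):
    """Accounts an administrator would want to move to constrained delegation."""
    return [a.name for a in accounts if delegation_mode(a) == "unconstrained"]

# Constructed sample records (0x200 = NORMAL_ACCOUNT)
SAMPLE_ACCOUNTS = [
    Account("svc-legacy", 0x200 | TRUSTED_FOR_DELEGATION),
    Account("svc-web", 0x200, ["HTTP/app01.example.test", "MSSQLSvc/db01.example.test:1433"]),
    Account("svc-proxy", 0x200 | TRUSTED_TO_AUTH_FOR_DELEGATION, ["HTTP/intranet.example.test"]),
    Account("svc-batch", 0x200),
]

if __name__ == "__main__":
    for a in SAMPLE_ACCOUNTS:
        print(f"{a.name:12} {delegation_mode(a)}")
    print("review:", unconstrained_accounts(SAMPLE_ACCOUNTS))
```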