Enabled by the constrained delegation extension of Kerberos v5,
KCD allows a service to obtain
service tickets on behalf of clients once it has been presented with the appropriate service ticket obtained via protocol transition. It encompasses the act of a principal (LoadMaster’s AD account) impersonating another principal (John Smith) to gain access to a 3rd principal (application service).