Microsoft BI with Constrained Kerberos Delegation
In a Microsoft BI environment, we very often want to grant data visibility permissions at the database level. The most common way to accomplish this is to use Kerberos delegation.
In Active Directory, delegation comes in two flavors: Constrained and Unconstrained. Constrained delegation provides an enhanced level of security for deployments where Kerberos delegation is used to pass end-user credentials to back-end services.
In an unconstrained delegation configuration, servers and service accounts are trusted to send Kerberos tickets to any service on any destination computer. This typically isn’t a problem, since administrators know what their service accounts are used for, and what software is installed on their servers.
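To see which of the two flavors each account actually has, the sketch below (an added example, not code from the original post) classifies accounts from exported Active Directory attributes using the documented userAccountControl bits and the msDS-AllowedToDelegateTo SPN list. The account names, SPNs and sample records are constructed for illustration.

```python
# Added example: classify Kerberos delegation settings from exported AD attributes.
# Flag values are the documented userAccountControl bits.
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained, with protocol transition

# Constructed sample export (hypothetical account names and SPNs).
SAMPLE = [
    {"sAMAccountName": "DC01$", "userAccountControl": 532480},
    {"sAMAccountName": "svc-ssrs", "userAccountControl": 524800},
    {"sAMAccountName": "svc-ssas", "userAccountControl": 512,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/sql01.example.test:1433"]},
    {"sAMAccountName": "svc-portal", "userAccountControl": 16777728,
     "msDS-AllowedToDelegateTo": ["MSOLAPSvc.3/ssas01.example.test"]},
    {"sAMAccountName": "jdoe", "userAccountControl": 512},
]

def classify(entry):
    """Return the delegation mode configured on one account."""
    uac = int(entry["userAccountControl"])
    targets = entry.get("msDS-AllowedToDelegateTo", [])
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if targets and uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "constrained (any authentication protocol)"
    if targets:
        return "constrained (Kerberos only)"
    return "none"

def audit(entries):
    """Map each delegating account to (mode, allowed SPNs, needs_review)."""
    report = {}
    for e in entries:
        mode = classify(e)
        if mode == "none":
            continue
        is_dc = bool(int(e["userAccountControl"]) & SERVER_TRUST_ACCOUNT)
        # Unconstrained delegation is the default on domain controllers;
        # on any other account it is flagged for review.
        review = mode == "unconstrained" and not is_dc
        spns = e.get("msDS-AllowedToDelegateTo", [])
        report[e["sAMAccountName"]] = (mode, spns, review)
    return report

if __name__ == "__main__":
    for name, (mode, spns, review) in audit(SAMPLE).items():
        flag = "REVIEW" if review else "ok"
        print(f"{name:12} {mode:42} {flag:7} {', '.join(spns)}")
```

For constrained accounts, the SPN list in the report is the complete set of back-end services the account may present end-user tickets to, so it should contain only the BI data sources that account needs.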