If a service account is trusted for delegation, it can request
service tickets on behalf of an authenticated user to any other
Constrained delegation is a way to restrict the service accounts
for which service tickets can be obtained. This seems a useful
feature to introduce.
See also: Comments section.