K. Brian Kelley (12/17/2013)
Please use constrained delegation (selecting the 3rd option) if configuring Kerberos delegation. It's considered a significant security risk to use unconstrained delegation (where any server can be delegated).
Thank you for the feedback! Would you mind posting a link that describes some of the security risks when leaving delegation for the service account open to "trust for delegation to any service". I agree that we should limit it to only the use case you are solving for, but I wasn't able to get down to the real risks by leaving that option open.
In short, constrained delegation basically ensures that SQL Server can only connect to SQL Server, if that's what you set up. If you don't, it means SQL Server can connect to any resource as that user. That's the inherent problem. A bit more, but from the IIS perspective:
Therefore, if you're following the Principle of Least Privilege, an important security rule, then you use constrained delegation unless you have to cross forests. In that case, you can't do any better than unconstrained, but this type of setup is much rarer than the cases where you're trying to grant access to intra-forest resources via delegation.
K. Brian Kelley