Language:
The Kerberos protocol, which is central to Active Directory security, permits select servers to reuse user credentials. If an attacker compromises one of these servers, they could steal these credentials and use them to authenticate on other resources.
The only accounts using unconstrained delegation should be the domain controller accounts. Administrators should also be protected against any dangerous delegation type.
Kerberos Unconstrained Delegation (or How Compromise of a Single Server Can Compromise the Domain)
Get rid of accounts that use Kerberos Unconstrained Delegation
Abusing Resource-Based Constrained Delegation to Attack Active Directory