Kerberos-constrained delegation

Kerberos is a network authentication protocol designed to use secret-key cryptography for strong authentication in client-server applications. Pairs of Kerberos principals and encrypted keys (which are derived from the Kerberos password) are stored in the keytab file. The keytab file allows you to authenticate to various remote systems using Kerberos without entering a password. When you change your Kerberos password, you must recreate all of your keytabs. You can create keytab files on any computer that has a Kerberos client installed and copy them for use on other computers.

If you are using a Security Assertion Markup Language (SAML) identity provider (IdP) and want EAA to carry out Kerberos-constrained delegation for single sign-on (SSO) into a back-end application, you need to Add a keytab for Kerberos-constrained delegation, then create a keytab object for each in-use service domain in your environment.

To learn more, see Forward Kerberos ticket-granting ticket to application.