Untitled

Constrained delegation does not ask for the user's TGT in order to act on behalf of the user on the network. Instead, two Kerberos extensions were introduced:

  1. Kerberos protocol transition (S4U2Self)

  2. Kerberos constrained delegation (S4U2Proxy)

These extensions are important because they let the service behave like a client.

Untitled

As we see in the previous photo:

S4U2Self

In this case the web service obtains a service ticket to itself in the name of the client.

S4U2Proxy

Allows the service to ask for a service ticket to another service while behaving like the client.
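An added example (not part of the original notes): a toy Python model of the two KDC decisions described above, showing how the ticket from S4U2Self becomes the evidence for S4U2Proxy. The class names, the `HTTP/web` and `MSSQL/db` SPNs and the users are constructed; the forwardable and allowed-to-delegate checks go beyond the text and model classic constrained delegation only, with no real Kerberos cryptography.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ticket:
    client: str        # principal the ticket names
    service: str       # service the ticket is valid for
    forwardable: bool  # usable as S4U2Proxy evidence only if True

@dataclass
class ServiceAccount:
    name: str
    protocol_transition: bool = False   # models TrustedToAuthForDelegation
    allowed_to_delegate_to: tuple = ()  # models msDS-AllowedToDelegateTo

class ToyKDC:
    """Constructed model of the KDC's S4U decisions (assumption, not real code)."""
    def __init__(self, services, sensitive_users=()):
        self.services = {s.name: s for s in services}
        self.sensitive = set(sensitive_users)  # "sensitive, cannot be delegated"

    def s4u2self(self, requester, user):
        # The service asks for a ticket to ITSELF in the user's name.
        # No TGT from the user is involved.
        svc = self.services[requester]
        fwd = svc.protocol_transition and user not in self.sensitive
        return Ticket(client=user, service=requester, forwardable=fwd)

    def s4u2proxy(self, requester, evidence, target):
        # The service presents the user's ticket to itself as evidence and
        # asks for a ticket to another service in the user's name.
        svc = self.services[requester]
        if evidence.service != requester:
            raise PermissionError("evidence ticket was not issued for the requester")
        if not evidence.forwardable:
            raise PermissionError("evidence ticket is not forwardable")
        if target not in svc.allowed_to_delegate_to:
            raise PermissionError(f"{requester} may not delegate to {target}")
        # The forwardable flag is simply carried over in this model.
        return Ticket(evidence.client, target, evidence.forwardable)

def demo():
    web = ServiceAccount("HTTP/web", True, ("MSSQL/db",))
    kdc = ToyKDC([web, ServiceAccount("MSSQL/db")], sensitive_users={"admin"})
    evidence = kdc.s4u2self("HTTP/web", "alice")
    return kdc.s4u2proxy("HTTP/web", evidence, "MSSQL/db")

if __name__ == "__main__":
    print(demo())
```

The two refusals in `s4u2proxy` are the points a defender controls: the delegation target list on the service account and the "sensitive" marking on privileged users.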

Now look at this:

Untitled

The client will try to access the service:

  1. The client sends a TGT request to the KDC.

  2. The KDC responds with the TGT response.

  3. The client sends a TGS request to the KDC.

  4. The KDC responds with the TGS response.