And the really cool thing is that the application developer does not have to use any new APIs to use constrained delegation (and only one to use protocol transition). The API is exactly the same as it is for "unconstrained" delegation. (Of course, whether constrained delegation will be successful is subject to the policy of the KDC.) -- Luke