You could be in a situation where you are setting upKerberos constrained delegation in multiple domains in a single forestenvironment, but it seems did not work well, the client credential could not bedelegated to back-end data source from which you would like to pull the datafrom for your business intelligence application such as excel services, visiographic services, PerformancePoint services or InfoPath services.
We can delegate user’s credential whose account reside inuser domain to sharepoint application and back-end data source which reside inthe other domain within a single forest. The important fact on this is the
For step-by-step instructions on how to do this, there is aMicrosoft technet documentation which explains this in a very detail instructions,you can find the document in the following link
I’ve got user in nortwind domain who accessed the sharepointand external data in contoso domain using excel service application.
Here’s basically the excel service application which openedand rendered data successfully. You have to dodata refresh to prove that kerberos delegation is working for you
I could see the user’s credential being delegated toback-end data source.
The following screen is the error that you might get when youtry to do data refresh and Kerberos constrained delegation has not been setupproperly.
Windows Server 2012 Domain Controllers overcomes this issue. Excerpt from this Technet article for anyone interested.
"In Windows Server 2012, the new resource-based Kerberos constrained delegation can be used to provide constrained delegation when the front-end services and the resource services are not in the same domain."