echo: nthelp
to: Ellen K.
from: John Beckett
date: 2005-09-12 19:32:28
subject: Re: pass-through credentials

From: John Beckett 

Ellen K.  wrote in message
news::
> Is this different from Delegation?  If so, how?

This is a really heavy topic. The brief answer is no.

If a domain user at a workstation accesses a share on a server, the
workstation sends the user's credentials to the server. In principle, the
server asks a domain controller to authenticate the user (in practice,
using Kerberos, the client sends the server all it needs). This is a
transitive network logon.

Probably in the context that you are wondering about, a domain user at a
workstation runs a client app that sends a request to server1. To fulfill
the request, server1 asks server2 to do something (e.g. a database
transaction). Server1 uses the user's credentials when sending the request
to server2, so the transaction is executed with the privilege of the user,
not the privilege of server1 or server2. That process is known as
delegation of authentication. The client authorises server1 to represent
the client. A domain admin has to specify that server1 is trusted to
perform delegation (i.e. the software running on server1 is known to be
good, and won't misuse its ability to authenticate as users).

John

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 270 5030/786
@PATH: 379/45 1 106/2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
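
The "trusted to perform delegation" setting described in the post is stored as flags in each account's userAccountControl attribute. The following is an added example, not part of the original post: it audits a constructed directory export for accounts an admin has trusted to delegate. It goes beyond the post by also covering constrained delegation (msDS-AllowedToDelegateTo) and the "sensitive, cannot be delegated" flag; all account names, SPNs and values in the sample are made up.

```python
# userAccountControl bit values as documented for Active Directory.
SERVER_TRUST_ACCOUNT = 0x2000                # domain controller computer account
TRUSTED_FOR_DELEGATION = 0x80000             # unconstrained delegation
NOT_DELEGATED = 0x100000                     # account is sensitive and cannot be delegated
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained delegation with protocol transition

# Constructed sample export (hypothetical accounts; blank line between records).
SAMPLE = """\
sAMAccountName: SERVER1$
userAccountControl: 528384

sAMAccountName: DC01$
userAccountControl: 532480

sAMAccountName: svc-web
userAccountControl: 512
msDS-AllowedToDelegateTo: MSSQLSvc/server2.example.test:1433

sAMAccountName: svc-gw
userAccountControl: 16777728
msDS-AllowedToDelegateTo: HTTP/server2.example.test

sAMAccountName: adm-backup
userAccountControl: 1049088
"""

def parse_records(text):
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}  # attribute name -> list of values (attributes can be multi-valued)
        for key, _, value in (line.partition(":") for line in block.splitlines()):
            rec.setdefault(key.strip(), []).append(value.strip())
        records.append(rec)
    return records

def audit(text):
    trusted, protected = {}, []  # accounts trusted to delegate; users shielded from it
    for rec in parse_records(text):
        name, uac = rec["sAMAccountName"][0], int(rec["userAccountControl"][0])
        targets = rec.get("msDS-AllowedToDelegateTo", [])
        if uac & NOT_DELEGATED:
            protected.append(name)
        if uac & TRUSTED_FOR_DELEGATION:
            if not uac & SERVER_TRUST_ACCOUNT:  # DCs carry this flag by default
                trusted[name] = ("unconstrained", targets)
        elif targets:
            kind = "constrained+transition" if uac & TRUSTED_TO_AUTH_FOR_DELEGATION else "constrained"
            trusted[name] = (kind, targets)
    return trusted, protected
```

Every entry in the first returned mapping is a server or service account that can act as users toward other services, so each one should correspond to a deliberate admin decision.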
