Is there a way to get Kerberos credentials to delegate twice? Why not?
Absolutely - this is Kerberos delegation, and it's extremely powerful.
You need to read a couple of TechNet articles first:
- Kerberos Authentication in Windows Server 2003
- Kerberos Protocol Transition and Constrained Delegation
And then read Ken Schaefer's fanstastic blog posts on Kerberos:
- IIS (Internet Information Services) and Kerberos FAQ
But basically, once your SPN's are setup and you know Kerberos is working, you go to the Computer Object in the Active Directory and select the "Trust this computer for delegation" radio button on the Delegation tab.
(source: s-msft.com)
Ken's article on simple delegation should cover everything you need.
BTW: You were so close to the right search: "Double Hop Authentication" would lead you right to this article from the Ask the Directory Services Team blog: Understanding Kerberos Double Hop
While I don't know the answer for Windows (being a Linux/UNIX person), what you need to ensure under the hood is that you request a forwardable ticket.