Is there a way to get Kerberos credentials to delegate twice? Why not?

Absolutely - this is Kerberos delegation, and it's extremely powerful.

You need to read a couple of TechNet articles first:

  • Kerberos Authentication in Windows Server 2003
  • Kerberos Protocol Transition and Constrained Delegation

And then read Ken Schaefer's fantastic blog posts on Kerberos:

  • IIS (Internet Information Services) and Kerberos FAQ

But basically, once your SPNs are set up and you know Kerberos is working, you go to the Computer Object in the Active Directory and select the "Trust this computer for delegation" radio button on the Delegation tab.

From: Ask the Directory Services Team

Ken's article on simple delegation should cover everything you need.

BTW: You were so close to the right search: "Double Hop Authentication" would lead you right to this article from the Ask the Directory Services Team blog: Understanding Kerberos Double Hop


While I don't know the answer for Windows (being a Linux/UNIX person), what you need to ensure under the hood is that you request a forwardable ticket.
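
An added example, not part of the answers above: on a Linux/UNIX client with MIT Kerberos, `kinit -f` requests a forwardable ticket and `klist -f` prints each ticket's flags, so a script can check whether a second hop is possible at all. The sample output, realm, host name and the function names `ticket_flags`, `has_flag` and `report` are constructed for illustration, and the parser assumes the numeric date layout shown.

```shell
#!/bin/sh
# Added example: read delegation-relevant flags from `klist -f` (MIT Kerberos).
# Flag letters per the klist man page: F = forwardable, f = forwarded,
# O = ok-as-delegate (realm policy marks the service as a delegation target).

# Constructed sample output; realm, host and times are made up.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
01/01/2024 10:00:00  01/01/2024 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 01/08/2024 10:00:00, Flags: FRIA
01/01/2024 10:05:00  01/01/2024 20:00:00  HTTP/web01.example.com@EXAMPLE.COM
        Flags: FAO'

# ticket_flags: klist -f output on stdin -> "<principal> <flags>" per ticket.
ticket_flags() {
    awk '
        # Ticket line: two timestamps, then the service principal (5 fields).
        NF == 5 && $1 ~ /^[0-9]+\/[0-9]+\/[0-9]+$/ { princ = $5; next }
        # Flags line follows, with or without a "renew until" prefix.
        princ != "" && /Flags: / {
            sub(/^.*Flags: /, ""); print princ, $0; princ = ""
        }'
}

# has_flag PREFIX LETTER: succeed if the first ticket whose principal starts
# with PREFIX carries LETTER (case-sensitive: F and f differ).
has_flag() {
    ticket_flags | awk -v p="$1" -v f="$2" '
        index($1, p) == 1 { found = (index($2, f) > 0); exit }
        END { exit(found ? 0 : 1) }'
}

# report: one line per ticket with the two flags that matter for a second hop.
report() {
    ticket_flags | while read -r princ flags; do
        case $flags in *F*) fwd=yes ;; *) fwd=no ;; esac
        case $flags in *O*) okd=yes ;; *) okd=no ;; esac
        printf '%s forwardable=%s ok-as-delegate=%s\n' "$princ" "$fwd" "$okd"
    done
}

# Demo on the sample; on a real host run: klist -f | report
printf '%s\n' "$SAMPLE_KLIST" | report
```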