Understanding Impersonation
SQL Server and Microsoft Windows can be configured to enable an instance of SQL Server to connect to another instance of SQL Server under the context of an authenticated Windows user. This arrangement is known as impersonation or delegation.
SQL Server Impersonation Within a Domain
Under delegation, the instance of SQL Server to which a Windows user has connected by using Windows Authentication impersonates that user when communicating with another instance of SQL Server or with a SQL Server provider. This second instance or provider can be on the same computer or on a remote computer within the same Windows domain as the first instance.
Security account delegation may be required when you access providers on a different computer for running distributed queries. Enabling delegation for distributed queries involves configuration changes within both SQL Server and Active Directory.
Trusted for Constrained Delegation
Windows Server 2003 supports more specific delegation than earlier versions of Windows. Windows Server 2003 enables the granting of delegation rights to particular combinations of services. These combinations are said to be trusted for constrained delegation. This configuration is the preferred, more secure, configuration in domains that have full Windows Server 2003 functionality.