As part of my role at Microsoft, I sometimes assist customers in making design decisions with their applications. After understanding what the requirements are for the application, I seek relevant information or resources based on the requirements. Any relevant information I find, I will forward to the customer and outline the advantages and disadvantages of the options available.
One of the things I have been asked to assist with concerns whether or not delegating the credentials of the end user to the backend resource in a multi-tier application is suitable. The following is a list of advantages and disadvantages that I think apply under most scenarios. Some of the items are quoted directly from MSDN articles and some are from Microsoft Consultants that I have worked with. I hope this will help you in making a decision as to whether or not Kerberos Delegation is an appropriate security model for your application.
Delegation Model Advantages
The main advantages of the Delegation Model are the following:
Delegation Model Disadvantages
The following article describes two architectures that you may employ, Delegation Architecture versus Trusted Subsystem, and lists the advantages and disadvantages of each: Developing Identity-Aware ASP.NET Applications, http://www.microsoft.com/technet/security/topics/identity/idmanage/P3ASPD_1.mspx