
Target and Delegate Restrictions

When a principal enables delegation or becomes an intermediary in a delegation chain, the principal may specify target and delegate restrictions. Target restrictions identify the server principals (by UUID) to which the identities in a delegation chain can be projected. Delegate restrictions identify the server principals that can further project the delegation chain.

If a target restriction prohibits a server from seeing an identity in a delegation chain, the security runtime replaces that identity with the identity of the anonymous principal. If a delegate restriction prohibits a principal from being an intermediary in a chain, then the security runtime replaces that principal's identity with the identity of the anonymous principal. This replacement with the anonymous identity allows the authenticated RPC call to complete. Whether the operation requested by the delegation chain is performed can be controlled by ACL entries that grant permission to the anonymous principal on the objects that are the targets of the delegated operation.

If no delegate restrictions are supplied, any principal can be an intermediary in the delegation chain. If any delegate restrictions are supplied, then only those supplied can further transmit the delegation chain.

Note: In the current release of DCE, there is no way for a server to register its DCE credentials with the RPC runtime. Only a server name and key table can currently be registered. Because of this limitation, target restrictions are currently implemented so that all target servers see anonymous credentials for any EPAC that contains any target restriction regardless of the identity specified in the restriction.
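The replacement rules above, including the release limitation in the note, can be modeled in a few lines of C. This is an added example, not DCE source code and not the DCE security API. Assumptions: the `member` type, the `project_chain` function and the sample principals are hypothetical, short names stand in for principal UUIDs, and delegate restrictions set by one member are taken to bind every later intermediary.

```c
#include <stdio.h>
#include <string.h>
#define ANON "anonymous"
#define MAXR 4

/* One member of a delegation chain (hypothetical model type). Names stand in
 * for principal UUIDs. An empty list means no restriction was supplied. */
struct member {
    const char *id;
    const char *targets[MAXR];   int ntargets;    /* servers that may see id */
    const char *delegates[MAXR]; int ndelegates;  /* allowed intermediaries  */
};

static int listed(const char *const *l, int n, const char *who) {
    for (int i = 0; i < n; i++)
        if (strcmp(l[i], who) == 0) return 1;
    return 0;
}

/* Fill out[i] with the identity that `server` sees for chain[i].
 * any_target_hides != 0 models the release limitation in the note. */
void project_chain(const struct member *chain, int n, const char *server,
                   int any_target_hides, const char **out) {
    for (int i = 0; i < n; i++) {
        const struct member *m = &chain[i];
        int hide = m->ntargets > 0 &&
                   (any_target_hides || !listed(m->targets, m->ntargets, server));
        /* Assumption: delegate restrictions set by earlier members bind
         * every later intermediary. */
        for (int j = 0; j < i && !hide; j++)
            if (chain[j].ndelegates > 0 &&
                !listed(chain[j].delegates, chain[j].ndelegates, m->id))
                hide = 1;
        out[i] = hide ? ANON : m->id;
    }
}

/* Constructed sample chain: alice -> print_srv -> spool_srv */
const struct member sample_chain[3] = {
    { "alice",     {"file_srv"}, 1, {"print_srv"}, 1 },
    { "print_srv", {0}, 0, {0}, 0 },
    { "spool_srv", {0}, 0, {0}, 0 },
};

int main(void) {
    const char *seen[3];
    project_chain(sample_chain, 3, "file_srv", 0, seen);
    printf("%s %s %s\n", seen[0], seen[1], seen[2]);
    return 0;
}
```

A server that receives an anonymous entry still completes the authenticated call; whether the operation proceeds depends on the ACL entries granted to the anonymous principal.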

More:

The Anonymous Principal

Target and Delegate Restriction Syntax