Friday, February 25, 2011

Kerberos for SharePoint 2010

I am just reading this excellent white paper, http://technet.microsoft.com/en-us/library/ff829837.aspx, and want to be sure that I have the main points clearly in mind. My previous blog post on Kerberos is here: http://software-smith.blogspot.com/2010/02/using-kerberos-with-moss-2007-and.html

1. Service applications only use the Claims to Windows Token Service (C2WTS) if the incoming authentication is classic or Windows claims.
2. Reporting Services is not claims aware and needs classic Kerberos, as does the RSS viewer with an authenticated feed.
3. When using C2WTS with Kerberos, you must use constrained delegation, e.g. Excel Services, PerformancePoint, InfoPath Forms Services and Visio Services all require C2WTS with Kerberos. Constrained delegation cannot cross domain boundaries.
4. Basic delegation: BDC, Access Services, Reporting Services, Project Server. Basic delegation can cross domain boundaries, but there is no protocol transition.
5. According to the documentation, PowerPivot is claims aware and does not need delegation. It uses C2WTS to get a Windows identity to connect to the Analysis Services VertiPaq engine. On refresh, the VertiPaq/PowerPivot service uses the Secure Store Service (SSS) and NTLM to connect to the data source, so Kerberos would only be needed if that SQL Server were linked to a second SQL Server. PowerPivot refresh and data collection require classic authentication. I think the statement that PowerPivot is claims aware is wrong.
6. In multi-hop scenarios, you cannot change from constrained to basic delegation.
7. SharePoint does not support kernel-mode authentication.
8. Cross-forest Kerberos delegation is not possible, even with trusts.
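Points 3, 4, 6 and 7 all come down to two things an administrator can verify: how each service account is configured for delegation in Active Directory (none, constrained with or without protocol transition, or basic/unconstrained), and whether kernel-mode authentication has been left on for a SharePoint web application's IIS site. The following PowerShell audit is an added example of my own, not code from the white paper or from Microsoft; the service account names and the IIS site name are hypothetical placeholders, and it assumes the ActiveDirectory and WebAdministration modules are installed on the machine it runs on.

```powershell
# Added example (not from the white paper): audit delegation settings behind
# points 3, 4, 6 and 7. Account names and the IIS site name are hypothetical.
Import-Module ActiveDirectory
Import-Module WebAdministration

# Hypothetical SharePoint service accounts to inspect (replace with your own).
$serviceAccounts = @('svc-excel', 'svc-visio', 'svc-bdc', 'svc-reporting')

function Get-DelegationMode {
    param([Microsoft.ActiveDirectory.Management.ADUser]$User)

    $targets = @($User.'msDS-AllowedToDelegateTo')

    if ($User.TrustedForDelegation) {
        # Point 4: "basic" (unconstrained) delegation. Crosses domain boundaries,
        # but offers no protocol transition and trusts the account with any ticket.
        return 'Basic (unconstrained)'
    }
    if ($targets.Count -gt 0) {
        # Point 3: constrained delegation, limited to the listed target SPNs.
        # C2WTS also needs protocol transition ("use any authentication protocol")
        # because the front end never holds the user's Kerberos ticket.
        if ($User.TrustedToAuthForDelegation) {
            return 'Constrained + protocol transition'
        }
        return 'Constrained (Kerberos only)'
    }
    return 'None'
}

# Report one row per service account: mode plus the allowed target SPNs.
$report = foreach ($name in $serviceAccounts) {
    $user = Get-ADUser -Identity $name -Properties `
        'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation

    [pscustomobject]@{
        Account = $name
        Mode    = Get-DelegationMode -User $user
        Targets = (@($user.'msDS-AllowedToDelegateTo') -join '; ')
    }
}
$report | Format-Table -AutoSize

# Point 6: in a multi-hop chain, a hop configured for constrained delegation
# cannot hand off to a later hop that relies on basic delegation. Flag any
# environment that mixes the two so the chain can be reviewed by hand.
$modes = $report.Mode | Sort-Object -Unique
if (($modes -match '^Constrained') -and ($modes -match '^Basic')) {
    Write-Warning 'Both constrained and basic delegation are in use; check each multi-hop chain.'
}

# Point 7: SharePoint does not support kernel-mode authentication, so the
# setting should be off on every SharePoint web application's IIS site.
$siteName = 'SharePoint - 80'   # hypothetical IIS site name
$kernelMode = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name useKernelMode
if ($kernelMode.Value) {
    Write-Warning "useKernelMode is enabled on '$siteName'; disable it for SharePoint."
}
```

The three AD attributes the script reads are the ones the delegation tab in Active Directory Users and Computers writes: `TrustedForDelegation` for "Trust this user for delegation to any service", `msDS-AllowedToDelegateTo` for the constrained target list, and `TrustedToAuthForDelegation` for "Use any authentication protocol". Reading them directly makes it easy to run the audit across every service account rather than clicking through each one.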