Regis Baccaro shows how to allow non-domain admins to configure Kerberos Constrained Delegation:
Now I need to add some special permissions to computer objects, so I click Add again. Once again, I’ll select the DBA group, then I need to switch to Descendant Computer objects. I click Write and then scroll down until I see Validated write to service principal name. I’ll click the box to enable it, and then OK, OK, and OK.
The end result looks like below :
2 permissions for DBA group,
-
All descendants objects : Write all properties
-
Descendant computer objects : Validate write to Service Principal Name
Regis has the whole process documented well, so check it out.