I want to allow an application server to impersonate other users for a
limited time.
I know that on Win2000 the application server obtains the Kerberos TGT
during delegation. Win2003 also allows constrained delegation, and I
would use that model if it's possible.

I'm thinking of setting the Kerberos server to issue tickets with a
reduced lifetime (by setting MaxServiceTicketAge and MaxTicketAge to 20
minutes, for example), but I'm not sure if it would work, as I'm not
sure if the TGT isn't renewed automatically on the application server
before it expires.