I am trying to isolate the cause of a KRB5KDC_ERR_BADOPTION (13) that I am seeing come back in a Wireshark trace.
I have set an SPN to associate xxx/server.fqdn:port with the domain account that the xxx service is running under on the target server (let's call it domain\target). The server service that will be acting as the delegate is running under a different service account (e.g. domain\delegate). Is this allowed? Or do all of the services need to be running under the same service account (i.e. the service account used by both the target service and the middle-man service is the same AD service account, with appropriate SPNs set up for both services associated with that same AD service account)?
No, they don't need to be the same. But they do need to be in the same domain. See http://blogs.technet.com/b/askds/archive/2008/06/13/understanding-kerberos-double-hop.aspx. You might find http://blogs.technet.com/b/tristank/archive/2007/06/18/kdc-err-badoption-when-attempting-constrained-delegation.aspx useful.
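An added check (not from the answer above) that verifies the configuration the question describes: the back-end SPN is registered on exactly one account, the delegate account's msDS-AllowedToDelegateTo lists that SPN, and both accounts sit in the same domain. It assumes the RSAT ActiveDirectory module and uses the placeholder names from the question.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module is available; $DelegateAccount and $TargetSpn are placeholders.
Import-Module ActiveDirectory

$DelegateAccount = 'delegate'               # account the middle-man service runs as
$TargetSpn       = 'xxx/server.fqdn:port'   # SPN of the back-end (target) service

function Get-DomainDn([string]$dn) { $dn.Substring($dn.IndexOf('DC=')) }

# 1. The target SPN must resolve to exactly one account: none means the KDC
#    cannot find the service, more than one is a duplicate-SPN problem.
$spnOwners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$TargetSpn)")
switch ($spnOwners.Count) {
    0       { Write-Warning "SPN '$TargetSpn' is not registered on any account." }
    1       { Write-Host "SPN owner: $($spnOwners[0].DistinguishedName)" }
    default { Write-Warning "SPN '$TargetSpn' is registered on $($spnOwners.Count) accounts (duplicate SPN)." }
}

# 2. The delegate account must be allowed to delegate to that exact SPN string.
$delegate = Get-ADUser -Identity $DelegateAccount `
    -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation
$allowed = @($delegate.'msDS-AllowedToDelegateTo')
if ($allowed -contains $TargetSpn) {        # -contains is case-insensitive, as SPNs are
    Write-Host "'$DelegateAccount' may delegate to '$TargetSpn'."
} else {
    Write-Warning "'$TargetSpn' is missing from msDS-AllowedToDelegateTo on '$DelegateAccount'."
    Write-Host "Currently allowed: $($allowed -join ', ')"
}
# Reported for reference: protocol transition ("use any authentication protocol")
# is only permitted when this flag is set.
Write-Host "TrustedToAuthForDelegation: $($delegate.TrustedToAuthForDelegation)"

# 3. Delegate and target must be in the same domain.
if ($spnOwners.Count -eq 1) {
    $dDom = Get-DomainDn $delegate.DistinguishedName
    $tDom = Get-DomainDn $spnOwners[0].DistinguishedName
    if ($dDom -ieq $tDom) { Write-Host "Both accounts are in $dDom." }
    else { Write-Warning "Delegate is in $dDom but target is in $tDom." }
}
```

Run it as a user with read access to AD; each warning points at one of the conditions the answer names.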