In version 4.5.3, the following fix got applied to the httpclient library:
HTTPCLIENT-1736 do not request cred delegation by default when using Kerberos auth.
Contributed by Oleg Kalnichevski <olegk at apache.org>_
Although it says "by default", when looking at the affected code it's not the case (i.e.: there is no way to request if we want it). From our tests and my understanding of Kerberos, if a user account is not allowed to be used for delegation, then you can still request delegation, but when creating the user token, it'll simply not be applied.
In the class "GSSSchemeBase", in the method "createGSSContext", we need the following line added back:
If you insist of leaving it off for a reason I'm not aware of, having a way, maybe through a system property, to say that we want it.
IMHO, one of the main reason for using Kerberos in an enterprise environment is to be able to make use of delegation (double hop scenarios).