Forwardable tickets work like a power of attorney. There are similar bad consequences if the person holding a power of attorney decides not to act in the best interests of the client.
Domain controllers do not accept forwarded tickets from just any server. A domain controller accepts forwarded Kerberos tickets only from servers that are flagged in Active Directory as Trusted for Delegation. An administrator must make this configuration change manually. The option is set via Active Directory Users and Computers → Domain Controllers → Computer → Properties.
When a server has been trusted for delegation, it is free to obtain forwardable session tickets and ticket-granting tickets from any client and then submit them to a domain controller on behalf of the client. This permits an unscrupulous person to put a service on a trusted server and then impersonate users and steal information or do harm to the system in the user's security context. These kinds of malicious services are called Trojan horses.
Assign the Trusted for Delegation option with caution. Make absolutely sure that you have tight physical and virtual security on a server before configuring it to be trusted for delegation. All it takes is one improper download of an executable or ActiveX control or script from the Internet to install a Trojan horse on a server.
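As an added audit check (not part of the original text), the following PowerShell snippet lists every computer account whose userAccountControl carries the TRUSTED_FOR_DELEGATION bit, so that member servers granted the option can be reviewed against the caution above; it assumes the ActiveDirectory RSAT module is installed and the caller has read access to the domain.

```powershell
# Added example: enumerate computer accounts flagged "Trusted for Delegation".
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-TrustedForDelegationAudit {
    # userAccountControl bit 0x80000 (524288) is TRUSTED_FOR_DELEGATION.
    # The matching rule 1.2.840.113556.1.4.803 performs a bitwise AND in LDAP.
    $ldapFilter = '(userAccountControl:1.2.840.113556.1.4.803:=524288)'

    # Domain controllers carry this flag by default; member servers should not
    # unless an administrator deliberately set it, so separate the two.
    $dcNames = @(Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name)

    Get-ADComputer -LDAPFilter $ldapFilter `
        -Properties TrustedForDelegation, OperatingSystem, LastLogonDate, whenChanged |
    ForEach-Object {
        $isDc = $dcNames -contains $_.Name
        [pscustomobject]@{
            Name               = $_.Name
            IsDomainController = $isDc
            OperatingSystem    = $_.OperatingSystem
            LastLogonDate      = $_.LastLogonDate
            FlagLastChanged    = $_.whenChanged
            Review             = if ($isDc) { 'expected (domain controller)' }
                                 else      { 'REVIEW: member server trusted for delegation' }
        }
    } | Sort-Object IsDomainController, Name
}

# Run the audit and show member servers first, since those need the closest look.
Get-TrustedForDelegationAudit | Format-Table -AutoSize
```

Any non-DC entry in the output is a server that can submit forwarded tickets on behalf of users, and should be justified and physically and logically secured as the text describes.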