Kerberos does not check the service name for constrained delegation (i.e. it only checks which account is running the service). If a service account is configured for constrained delegation to CIFS, that service account can therefore technically request a TGS for LDAP on the same target server, since both CIFS and LDAP run under the same machine account. The ticket for LDAP can then be used to perform a DCSync attack.
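An added audit example (not from the original page): because only the account behind the delegated SPN is checked, each msDS-AllowedToDelegateTo entry is read here as access to every service that account runs, and delegations that land on a domain controller are flagged. All account names, hosts and SPNs are constructed, and the HOST-alias fallback in owner_of is a simplifying assumption.

```python
# Added example: all account names, hosts and SPNs below are constructed.
# SPNs each account owns (servicePrincipalName), e.g. from an AD export.
SPN_OWNERS = {
    "DC01$": ["HOST/dc01.corp.example", "ldap/dc01.corp.example"],
    "FILE01$": ["HOST/file01.corp.example"],
    "svc_sql": ["MSSQLSvc/db01.corp.example:1433"],
}
# Constrained delegation targets per account (msDS-AllowedToDelegateTo).
DELEGATIONS = {
    "svc_web": ["cifs/dc01.corp.example"],
    "svc_backup": ["cifs/file01.corp.example"],
    "svc_app": ["MSSQLSvc/db01.corp.example:1433"],
}
DOMAIN_CONTROLLERS = {"DC01$"}

def spn_host(spn):
    """Return the lowercased host part of service/host[:port][/name]."""
    return spn.split("/")[1].split(":")[0].lower()

def owner_of(spn):
    """Account that owns the SPN: exact match first, then any SPN the
    host's machine account registered (cifs is normally an alias of HOST)."""
    for account, spns in SPN_OWNERS.items():
        if spn.lower() in (s.lower() for s in spns):
            return account
    for account, spns in SPN_OWNERS.items():
        if account.endswith("$") and spn_host(spn) in map(spn_host, spns):
            return account
    return None

def audit():
    """For each delegation, list every SPN the target account owns, since
    the service class in the delegated SPN is not what gets checked."""
    findings = []
    for account, targets in sorted(DELEGATIONS.items()):
        for spn in targets:
            owner = owner_of(spn)
            reach = sorted(SPN_OWNERS.get(owner, []))
            findings.append({"account": account, "configured": spn,
                             "owner": owner, "effective_reach": reach,
                             "critical": owner in DOMAIN_CONTROLLERS})
    return findings

if __name__ == "__main__":
    for f in audit():
        flag = "CRITICAL" if f["critical"] else "review"
        print(f"[{flag}] {f['account']}: {f['configured']} -> "
              f"{f['owner']} {f['effective_reach']}")
```

In a real directory the two dictionaries would be filled from the servicePrincipalName and msDS-AllowedToDelegateTo attributes rather than typed in.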
To exploit this loophole, add an /altservice:[target-service] argument when exploiting constrained delegation: