A non-forwardable Kerberos TGT (Ticket Granting Ticket) is generated on login even when the host machine is trusted for Kerberos delegation.
On a Windows machine the TGT looks like this:
On a Linux machine, after running the command
# kinit -f
the TGT looks like this:
The user account has the "Account is sensitive and cannot be delegated" account flag enabled.
This prevents the TGT from being forwardable. The TGT will still be valid for one SSO (Single Sign On) hop, but it will prevent nested SSO hops.
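The script below is an added example, not part of the original page. It checks a `klist -f` listing for the F (forwardable) flag on the TGT and tests a userAccountControl value for the NOT_DELEGATED bit (0x100000) that backs the "Account is sensitive and cannot be delegated" checkbox. It assumes the MIT Kerberos `klist -f` output layout; the sample listings and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Sample data below is constructed.

# Constructed `klist -f` listing: TGT of a "sensitive" account after `kinit -f`.
SAMPLE_SENSITIVE='Default principal: alice@EXAMPLE.COM
Valid starting       Expires              Service principal
01/01/2024 10:00:00  01/01/2024 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	Flags: IA'

# Constructed listing for an account without the flag: F (forwardable) is set.
SAMPLE_NORMAL='Default principal: bob@EXAMPLE.COM
Valid starting       Expires              Service principal
01/01/2024 10:00:00  01/01/2024 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 01/08/2024 10:00:00, Flags: FRIA'

# Read `klist -f` output on stdin and print the flag string of the TGT entry.
tgt_flags() {
    awk '
        /krbtgt\// { in_tgt = 1; next }     # the TGT entry itself
        in_tgt && /Flags:/ {                # flags line that follows it
            sub(/.*Flags: */, ""); print; exit
        }
    '
}

# Exit 0 if the TGT on stdin has F (forwardable); lowercase f means "forwarded".
tgt_is_forwardable() {
    case "$(tgt_flags)" in
        *F*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Exit 0 if a decimal userAccountControl value has NOT_DELEGATED (0x100000) set.
uac_not_delegated() {
    [ $(( $1 & 1048576 )) -ne 0 ]
}

for name in SAMPLE_SENSITIVE SAMPLE_NORMAL; do
    eval "listing=\$$name"
    if printf '%s\n' "$listing" | tgt_is_forwardable; then
        echo "$name: TGT is forwardable"
    else
        echo "$name: TGT is NOT forwardable (check the account's delegation flag)"
    fi
done
```

On a live host, pipe the real listing into the check with `klist -f | tgt_is_forwardable`.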