We have a SharePoint 2013 farm on which we installed and configured PowerPivot. Our C2WTS is running under a domain account instead of the Local System account.
We use Kerberos-based authentication and run into the following problem for most of the accounts in place:
Error The data connection uses Windows Authentication and user credentials could not be delegated. The following connections failed to refresh:
Using the Claims To Windows NT Token Tester, we can see an error when testing the UPN of the users. Here's the error displayed:
Retrieving security groups/users allowed to use the service from config file
+- WSS_WPG
+- NT AUTHORITY\Authenticated Users
Trying to login ......... Using current Windows Credentials
***** c2WTS could not provide a valid Windows Token. Reason: Access is denied.
Server stack trace:
   at System.ServiceModel.Channels.ServiceChannel.ThrowIfFaultUnderstood(Message reply, MessageFault fault, String action, MessageVersion version, FaultConverter faultConverter)
   at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.IdentityModel.WindowsTokenService.S4UClient.IS4UService_dup.UpnLogon(String upn, Int32 pid)
   at Microsoft.IdentityModel.WindowsTokenService.S4UClient.<>c__DisplayClass1.<UpnLogon>b__0(IS4UService_dup channel)
   at Microsoft.IdentityModel.WindowsTokenService.S4UClient.CallService(Func`2 contractOperation)
   at c2WTSTest.Form1.button2_Click(Object sender, EventArgs e)
Now Verifying if user MYDOMAIN\SPAdminAccount has rights on c2WTS
+- User MYDOMAIN\SPAdminAccount has access rights per group/user WSS_WPG. Other groups will not be checked
*** Analysis Complete ***
However, for a few accounts for which we have configured constrained delegation in AD, our PowerPivot DataRefresh actually works and the tool succeeds in getting a proper Windows token. Does anybody have any idea why we succeed in getting the Windows token for only a few accounts?
Regards
Rafal Saltarski