Protocol Transition is a handy technology when you have to “convert” non-Windows credentials into Kerberos credentials.
Since PT does not require knowing the account's password to obtain a token, what you can access with that token is limited. You only get access to local resources if you hold the TCB privilege, and to remote resources only via constrained delegation.
But sometimes you do need access to local resources, or, even worse, you first have to read some local information before you can access a remote resource (remote Performance Counters come to my mind here). And of course it is not recommended to elevate the privileges of your main application to SYSTEM or similar just to make Protocol Transition work in these scenarios.
Keith describes an excellent solution for factoring the PT logic out into a separate, highly privileged process that creates the tokens, and along the way adds some tricky ACL and token-handle code; very interesting. Read it here.
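To see the limitation from the second paragraph in practice before deciding whether you need a separate privileged process, here is an added example of my own (not code from this post or from Keith's article). It assumes .NET Framework 4.6 or later on a domain-joined machine; the UPN and the file path are placeholders.

```csharp
using System;
using System.IO;
using System.Security.Principal;

// Added example, not code from the original post or from Keith's article.
// Assumes .NET Framework 4.6+ on a domain-joined machine; the UPN and the
// file path below are placeholders.
static class ProtocolTransitionCheck
{
    // Requests an S4U2Self logon for the UPN. No password is supplied: this is
    // the "convert to Kerberos" step. The LSA returns an Impersonation-level
    // token only if the calling process holds SeTcbPrivilege; otherwise the
    // token is Identification-level and cannot open local resources.
    public static WindowsIdentity LogonViaProtocolTransition(string upn)
    {
        return new WindowsIdentity(upn);
    }

    // True when the token is usable for local resource access.
    public static bool CanAccessLocalResources(WindowsIdentity id)
    {
        return id.ImpersonationLevel == TokenImpersonationLevel.Impersonation;
    }

    // Tries to read a local file as the S4U user and reports the outcome.
    public static string TryReadLocalResource(WindowsIdentity id, string path)
    {
        string outcome = null;
        WindowsIdentity.RunImpersonated(id.AccessToken, () =>
        {
            try
            {
                using (FileStream fs = File.OpenRead(path))
                    outcome = "opened " + path + " as " + WindowsIdentity.GetCurrent().Name;
            }
            catch (Exception ex) when (ex is IOException || ex is UnauthorizedAccessException)
            {
                // An Identification-level token fails here with ERROR_BAD_IMPERSONATION_LEVEL (1346).
                outcome = "failed: " + ex.Message;
            }
        });
        return outcome;
    }

    public static void Main()
    {
        WindowsIdentity id = LogonViaProtocolTransition("user@example.local"); // placeholder UPN
        Console.WriteLine("Token level for " + id.Name + ": " + id.ImpersonationLevel);
        if (!CanAccessLocalResources(id))
            Console.WriteLine("Identification token only: the calling process lacks SeTcbPrivilege.");
        Console.WriteLine(TryReadLocalResource(id, @"C:\temp\local-resource.txt")); // placeholder path
    }
}
```

Run it once as a normal user and once from a process that holds SeTcbPrivilege to see the two token levels side by side; the second case is exactly what the separate privileged process in Keith's design provides without elevating your main application.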