You need to implement impersonation in the web application along with Kerberos delegation in order for the web app to be able to use the user's credentials to authenticate again to a back end resource on the user's behalf. Check out the various lengthly/detailed articles on MSDN and TechNet about setting up Kerberos delegation.
I recommend that you use constrained delegation. If you cannot get Kerberos login to the web app to work and must have NTLM, you can also configure for protocol transition login to get around this problem (as long as you use constrained delegation too).