Topic: Microsoft AZ-800 topic 2 question 21

You have an Active Directory Domain Services (AD DS) domain. The domain contains three servers named Server1, Server2, and Server3 that run Windows Server.

You sign in to Server1 by using a domain account and start a remote PowerShell session to Server2. From the remote PowerShell session, you attempt to access a resource on Server3, but access to the resource is denied.

You need to ensure that your credentials are passed from Server1 to Server3. The solution must minimize administrative effort.

What should you do?

A. Configure Kerberos constrained delegation.
B. Configure Just Enough Administration (JEA).
C. Configure selective authentication for the domain.
D. Disable the Enforce user logon restrictions policy setting for the domain.

Re: Microsoft AZ-800 topic 2 question 21

To ensure that your credentials are passed from Server1 to Server3 while minimizing administrative effort, you should configure Kerberos constrained delegation.

Therefore, the correct answer is:

A. Configure Kerberos constrained delegation.

Re: Microsoft AZ-800 topic 2 question 21

I will go with A, because the question says to minimize administrative effort.
The table in the linked source states that Just Enough Administration (JEA) can provide the best security but requires more detailed configuration.

https://learn.microsoft.com/en-us/powershell/scripting/learn/remoting/ps-remoting-second-hop?view=powershell-7.3

Re: Microsoft AZ-800 topic 2 question 21

Configure Kerberos constrained delegation.

Re: Microsoft AZ-800 topic 2 question 21

I agree with B. In order to do Kerberos Constrained Delegation, you need domain admin permissions where it only mentions that you have a domain account. If it stated resource-based KCD then I would go with that but since not, then JEA it is according to Microsoft's preference list:
https://learn.microsoft.com/en-us/powershell/scripting/learn/remoting/ps-remoting-second-hop?view=powershell-7.3

Re: Microsoft AZ-800 topic 2 question 21

Option A, Configure Kerberos constrained delegation, would be the best solution for passing your credentials from Server1 to Server3. This option allows you to specify which services can use Kerberos to delegate the user’s credentials to another service. By configuring constrained delegation, you can ensure that your credentials are passed from Server1 to Server3, and you can minimize administrative effort.

Re: Microsoft AZ-800 topic 2 question 21

FROM MS:

Just Enough Administration (JEA)
JEA allows you to restrict what commands an administrator can run during a PowerShell session. It can be used to solve the second hop problem.

Re: Microsoft AZ-800 topic 2 question 21

Configuring Kerberos constrained delegation allows you to pass your credentials from Server1 to Server3 when accessing a resource. Constrained delegation is a Kerberos feature that restricts the servers to which a service can delegate a user's credentials. This ensures that the delegation is secure and limited to specific services.
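
An added example, not part of any post in this thread and not Microsoft's code: one way to set classic Kerberos constrained delegation from Server2 to Server3 with the ActiveDirectory module, then review the result. It assumes the denied resource is an SMB share (hence the `cifs` SPNs), uses `contoso.com` as a placeholder domain, and must be run by an account allowed to edit delegation settings on Server2's computer object.

```powershell
# Added example. Assumptions: the resource on Server3 is an SMB share,
# and contoso.com is a placeholder for the real domain name.
Import-Module ActiveDirectory

$domain     = 'contoso.com'   # placeholder
$props      = 'msDS-AllowedToDelegateTo', 'TrustedForDelegation', 'TrustedToAuthForDelegation'
$middle     = Get-ADComputer -Identity 'Server2' -Properties $props
$targetSpns = @('cifs/Server3', "cifs/Server3.$domain")

# Guard: unconstrained delegation on the middle server would let it act as
# the connected user toward any service, not only Server3. Stop if it is set.
if ($middle.TrustedForDelegation) {
    throw 'Server2 is trusted for unconstrained delegation; remove that before adding a constrained list.'
}

# Constrained delegation is an allow-list of SPNs stored on the middle
# server's account. Add only the entries that are not already present.
$existing = @($middle.'msDS-AllowedToDelegateTo')
$missing  = @($targetSpns | Where-Object { $_ -notin $existing })
if ($missing.Count -gt 0) {
    Set-ADComputer -Identity $middle -Add @{ 'msDS-AllowedToDelegateTo' = [string[]]$missing }
}

# Review the result. TrustedToAuthForDelegation is the protocol transition
# flag ("Use any authentication protocol" in the GUI); it is reported here,
# not changed.
Get-ADComputer -Identity 'Server2' -Properties $props |
    Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation,
        @{ Name = 'AllowedToDelegateTo'; Expression = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }

# Audit: list every computer account in the domain that carries a
# delegation allow-list, so unexpected entries can be reviewed.
Get-ADComputer -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties 'msDS-AllowedToDelegateTo' |
    Select-Object Name,
        @{ Name = 'AllowedToDelegateTo'; Expression = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
```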

Re: Microsoft AZ-800 topic 2 question 21

I would edge towards A on this one. Solution to minimise administrative effort.

https://learn.microsoft.com/en-us/powershell/scripting/learn/remoting/ps-remoting-second-hop?view=powershell-7.3