Exam
Answer confirmed
Question
You have an Active Directory Domain Services (AD DS) domain. The domain contains three servers named Server1, Server2, and Server3 that run Windows Server.
You sign in to Server1 by using a domain account and start a remote PowerShell session to Server2. From the remote PowerShell session, you attempt to access a resource on Server3, but access to the resource is denied.
You need to ensure that your credentials are passed from Server1 to Server3. The solution must minimize administrative effort.
What should you do?
Proposed answer
- A. Configure Kerberos constrained delegation.
- B. Configure Just Enough Administration (JEA).
- C. Configure selective authentication for the domain.
- D. Disable the Enforce user logon restrictions policy setting for the domain.
Correct answer
- A. Configure Kerberos constrained delegation.
Ksk08
3 weeks ago
A: kerberos
upvoted 1 times
SIAMIANJI
6 months, 3 weeks ago
Selected Answer: A
To ensure that your credentials are passed from Server1 to Server3 while minimizing administrative effort, you should configure Kerberos constrained delegation. Therefore, the correct answer is: A. Configure Kerberos constrained delegation.
upvoted 4 times
Kuikz
7 months, 3 weeks ago
Selected Answer: A
I will go with A, because the Questions says to minimize administrative effort. The table in the liked source states, that Just Enough Administration (JEA) can provide the best security but requires more detailed configuration. https://learn.microsoft.com/en-us/powershell/scripting/learn/remoting/ps-remoting-second-hop?view=powershell-7.3
upvoted 2 times
fbx01
9 months, 2 weeks ago
Selected Answer: A
Configure Kerberos constrained delegation.
upvoted 1 times
bdbea79
10 months, 1 week ago
Selected Answer: B
I agree with B. In order to do Kerberos Constrained Delegation, you need domain admin permissions where it only mentions that you have a domain account. If it stated resource-based KCD then I would go with that but since not, then JEA it is according to Microsoft's preference list: https://learn.microsoft.com/en-us/powershell/scripting/learn/remoting/ps-remoting-second-hop?view=powershell-7.3
upvoted 3 times
sardonique
3 months, 1 week ago
a domain account without admin privileges cannot configure KCD, do you think that same account can configure JEA? good luck!
upvoted 1 times
rknichols01
10 months, 2 weeks ago
Option A, Configure Kerberos constrained delegation, would be the best solution for passing your credentials from Server1 to Server3. This option allows you to specify which services can use Kerberos to delegate the user’s credentials to another service 1. By configuring constrained delegation, you can ensure that your credentials are passed from Server1 to Server3, and you can minimize administrative effort.
upvoted 3 times
dolphan904
11 months, 1 week ago
FROM MS: Just Enough Administration (JEA) JEA allows you to restrict what commands an administrator can run during a PowerShell session. It can be used to solve the second hop problem.
upvoted 2 times
Aliabdo
1 year ago
Selected Answer: A
Configuring Kerberos constrained delegation allows you to pass your credentials from Server1 to Server3 when accessing a resource. Constrained delegation is a Kerberos feature that restricts the servers to which a service can delegate a user's credentials. This ensures that the delegation is secure and limited to specific services.
upvoted 2 times
cb0900
1 year ago
Selected Answer: A
I would edge towards A on this one. Solution to minimise administrative effort. https://learn.microsoft.com/en-us/powershell/scripting/learn/remoting/ps-remoting-second-hop?view=powershell-7.3
upvoted 2 times