nerdexam
Microsoft

70-467 · Question #87

You need to ensure that managers can successfully run reports. What should you do?

The correct answer is A. Implement Kerberos delegation.. When SSRS must access a back-end data source on behalf of an authenticated Windows user, Kerberos constrained delegation is required to forward credentials across the double-hop.

Design a reporting solution

Question

You need to ensure that managers can successfully run reports. What should you do?

Options

  • AImplement Kerberos delegation.
  • BConfigure the SSRS data sources to store Windows credentials.
  • CImplement forms-based authentication.
  • DConfigure the CustomData property in the connection strings.

How the community answered

(33 responses)
  • A
    61% (20)
  • B
    12% (4)
  • C
    6% (2)
  • D
    21% (7)

Why each option

When SSRS must access a back-end data source on behalf of an authenticated Windows user, Kerberos constrained delegation is required to forward credentials across the double-hop.

AImplement Kerberos delegation.Correct

SSRS accessing a remote data source on behalf of a Windows-authenticated user involves two authentication hops - from the client to SSRS, then from SSRS to the data source. NTLM cannot forward credentials across network hops, so Kerberos constrained delegation must be configured on the SSRS service account to impersonate users when connecting to the data source. Without this, SSRS fails to authenticate the second hop and managers cannot retrieve report data.

BConfigure the SSRS data sources to store Windows credentials.

Storing Windows credentials in the data source would use a fixed service account rather than the individual manager's identity, which undermines per-user security and would not resolve a delegation failure.

CImplement forms-based authentication.

Forms-based authentication replaces Windows authentication entirely and does not resolve the Kerberos double-hop problem for back-end data source access.

DConfigure the CustomData property in the connection strings.

The CustomData property passes an extra string token to a data source for row-level security filtering; it does not address authentication delegation failures.

Concept tested: Kerberos constrained delegation for SSRS double-hop

Source: https://learn.microsoft.com/en-us/sql/reporting-services/report-server/configure-windows-authentication-on-the-report-server

Topics

#Kerberos delegation#SSRS authentication#double-hop authentication#Windows authentication

Community Discussion

No community discussion yet for this question.

Full 70-467 Practice