
AZ-800 · Question #249

AZ-800 Question #249: Real Exam Question with Answer & Explanation

The correct answer is D: resource-based Kerberos constrained delegation.

Deploy and manage Active Directory Domain Services (AD DS) in on-premises and cloud environments

Question

Your network contains an on-premises Active Directory Domain Services (AD DS) domain. The domain contains a user named User1 and the servers shown in the following table. User1 is a member of the Protected Users security group.

User1 performs the following actions:

  • From Server1, establishes a remote PowerShell session on Server2
  • From the PowerShell session on Server2, attempts to access a resource on Backup1

The request to access the resource on Backup1 is denied.

You need to ensure that User1 can access the resources on Backup1 by using the PowerShell session on Server2. The solution must follow the principle of least privilege and minimize administrative effort. What should you configure?

Options

  • A. Kerberos delegation (unconstrained)
  • B. CredSSP
  • C. PSSessionConfiguration by using RunAs
  • D. Resource-based Kerberos constrained delegation

Explanation

Correct answer: D

This is a classic Kerberos "double-hop" problem: credentials need to flow from Server2 to Backup1, but standard Kerberos authentication does not allow credential forwarding by default.

Because User1 is a member of the Protected Users security group, both CredSSP (option B) and unconstrained delegation (option A) are explicitly blocked for security reasons: Protected Users prevents NTLM, CredSSP, and unconstrained delegation.

Resource-based Kerberos constrained delegation (RBKCD) configured on Backup1 allows Server2 to authenticate to Backup1 on behalf of User1 without storing or forwarding credentials. It respects Protected Users restrictions, is scoped to only the required resource (least privilege), and requires no changes to Server1 or the user account.

Topics

#Kerberos Delegation · #Active Directory Security · #Protected Users Group · #PowerShell Remoting
