Question 3 - Microsoft Azure AZ-800 Real Exam Questions [March 2026 Update]

Q: 3

You have an Active Directory Domain Services (AD DS) domain. The domain contains three servers named Server 1, Server2, and Server3 that run Windows Server. You sign in to Server1 by using a domain account and start a remote PowerShell session to Server2. From the remote PowerShell session, you attempt to access a resource on Server3. but access to the resource is denied. You need to ensure that your credentials are passed from Server1 to Server3. The solution must minimize administrative effort. What should you do?

Options

Discussion

Aisha Mar 5, 2026 12:49 am

Option A makes sense here since it's the double-hop issue with PowerShell remoting. Kerberos constrained delegation lets Server2 pass your credentials on to Server3 securely. I think that's the least work for admins too, but open if anyone sees a catch.

Jordan B. Feb 18, 2026 2:26 pm

I don’t think it’s D. 6516 is used if you pick a custom port, but here the question says default install. A makes sense since Windows Admin Center listens on 443 out of the box for HTTPS. Some might confuse it with RDP (3389) but that's not needed for WAC. Pretty sure A is right, unless I missed something.

Olivia Feb 28, 2026 11:34 am

I’d say A, since default WAC gateway uses 443, not 6516 like some might assume.

Ava C. Feb 14, 2026 2:15 pm

A is what I've seen in similar exam reports, Windows Admin Center defaults to 443 unless you set something custom.

Morgan Feb 24, 2026 2:34 am

A , 3389 is RDP and D is a common trap here.

Leo E. Mar 2, 2026 1:43 am

A tbh

Priya V. Feb 18, 2026 11:49 pm

Option D seems possible if the defaults were actually changed during setup. I remember reading that 6516 is sometimes used for Windows Admin Center but not by default. Pretty sure A is right if you go with a standard install, but I might be mixing that up.

MethodicalSec5200 Feb 18, 2026 3:08 pm

Probably A, 3389 is tempting but that's for RDP not WAC, seen similar in practice tests.

Luke Feb 26, 2026 7:22 pm

Vikram V. Mar 1, 2026 11:05 pm

Yeah A is the way to go here, since Windows Admin Center uses 443 by default for web access. If you picked something else during setup, it could be different, but defaults mean HTTPS. Anyone see this behave differently?

Be respectful. No spam.

Correct Answer:

Explanation

The scenario describes a classic "double-hop" authentication problem. The user authenticates from Server1 to Server2 (the first hop), but the credentials are not forwarded from Server2 to access resources on Server3 (the second hop). This is a security feature to prevent credential exposure.

Kerberos constrained delegation (KCD) is the standard and most secure mechanism to resolve this issue. By configuring KCD, you explicitly grant Server2 permission to impersonate the user and present their delegated credentials to specific services on Server3. This allows the command running on Server2 to authenticate to Server3 as the original user, resolving the access denied error with minimal and targeted administrative effort.

Why Incorrect

B. Configure Just Enough Administration (JEA).

JEA is a security technology used to limit administrative capabilities to the bare minimum required for a role; it does not solve the double-hop credential delegation problem.

C. Configure selective authentication for the domain.

Selective authentication is a security setting applied to forest trusts to control which users from a trusted forest can authenticate. This scenario involves a single domain, not a forest trust.

D. Disable the Enforce user logon restrictions policy setting for the domain.

This policy setting relates to enforcing user logon hours. It has no impact on how credentials are delegated between servers in a multi-hop scenario.

References

1. Microsoft Learn. (2023). Making the second hop in PowerShell Remoting. "The Double-Hop Problem... By default

your credentials can only be passed to one remote machine... To make the 'second hop'

you need to enable a credential-forwarding technology... The most secure way to do this is with Kerberos constrained delegation."

Reference: Section "The Double-Hop Problem" and "Kerberos Delegation".

2. Microsoft Learn. (2023). Kerberos Constrained Delegation overview. "Kerberos constrained delegation was introduced in Windows Server 2003 to provide a safer form of delegation that could be used by services. When it's configured

constrained delegation restricts the services to which the specified server can act on behalf of a user."

Reference: "Introduction" section.

3. Microsoft Learn. (2023). Just Enough Administration. "Just Enough Administration (JEA) is a security technology that enables delegated administration for anything that can be managed with PowerShell. With JEA

you can reduce the number of administrators on your machines and improve your security posture."

Reference: "What is JEA?" section.

4. Microsoft Learn. (2023). Security settings for trust relationships. "Selective authentication over a forest trust restricts access to resources in a trusting domain to only those users in a trusted domain who have been explicitly given authentication permissions to the computers in the trusting domain."

Reference: "Selective authentication" section.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE