AZ-800 Administering Windows Server Hybrid Core Infrastructure Exam

Eager to master hybrid server management? Discover how to administer Windows Server Hybrid Core Infrastructure on Azure, setting your path towards the Microsoft Certified: Azure Hybrid Infrastructure Administrator Associate certification!

Configure PowerShell remoting, including second hop

Implement and Secure Second Hop Remoting

Multi-hop PowerShell remoting lets administrators connect to one server and then use that session to reach another server. This is crucial in hybrid environments where you manage both on-premises and Azure machines. With second hop remoting, the first server can act on your behalf so that you can perform actions on a target server that requires your user credentials. However, this raises security concerns because credentials need to travel across multiple machines.

Two common methods for enabling secure credential delegation are CredSSP and Kerberos constrained delegation. CredSSP (Credential Security Support Provider) is easier to configure but delegates full credentials to the remote host. In contrast, Kerberos constrained delegation gives you finer control by limiting which services can impersonate a user. Choosing between them depends on your security needs and the complexity you’re willing to manage.

When setting up Kerberos constrained delegation, you must handle several tasks carefully:

  • Register the correct Service Principal Names (SPNs) for each service you’ll access.
  • Adjust Active Directory to grant delegation permissions only to the required accounts or computer objects.
  • Update firewall rules to allow the necessary ports and protocols between your on-premises network and Azure virtual networks.

Finally, always verify that your configuration works as expected. Start a multi-hop session and run commands that require delegation, ensuring no errors appear. Monitor event logs and PowerShell transcript logs to track authentication flow. By following these steps, you’ll maintain secure and reliable second hop remoting in your hybrid Windows Server environment.
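The setup and verification steps above, as an added PowerShell example (not from the original page or from Microsoft). It assumes the resource-based form of Kerberos constrained delegation, the ActiveDirectory module, and hypothetical hosts ServerB (first hop) and ServerC (second hop), with ServerC's admin share as the delegated resource.

```powershell
# Added example. ServerB, ServerC and the C$ share are hypothetical names.
Import-Module ActiveDirectory

$firstHop  = Get-ADComputer -Identity 'ServerB'   # server you remote into
$secondHop = 'ServerC'                            # server reached from ServerB

# 1. SPNs: list what is registered on the target so you can confirm the
#    service you will access is present and not duplicated elsewhere.
setspn -L $secondHop
setspn -X   # reports duplicate SPNs in the domain

# 2. Delegation: allow only ServerB's computer account to delegate to ServerC.
#    The setting is stored on ServerC's computer object (resource-based KCD).
Set-ADComputer -Identity $secondHop -PrincipalsAllowedToDelegateToAccount $firstHop
Get-ADComputer -Identity $secondHop -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object -ExpandProperty PrincipalsAllowedToDelegateToAccount

# 3. Firewall: confirm the default WinRM ports on the first hop are reachable
#    (5985 = HTTP, 5986 = HTTPS).
foreach ($port in 5985, 5986) {
    Test-NetConnection -ComputerName $firstHop.DNSHostName -Port $port |
        Select-Object ComputerName, RemotePort, TcpTestSucceeded
}

# 4. Confirm CredSSP was not left enabled on this client while testing.
Get-WSManCredSSP

# 5. Verify the second hop. Purge ServerB's cached machine tickets first so
#    the new delegation setting is used instead of a cached ticket.
$cred = Get-Credential
Invoke-Command -ComputerName $firstHop.DNSHostName -Credential $cred -ScriptBlock {
    klist purge -li 0x3e7 | Out-Null
    [pscustomobject]@{
        FirstHop        = $env:COMPUTERNAME
        SecondHopTarget = $using:secondHop
        ShareReachable  = Test-Path "\\$($using:secondHop)\C`$"
    }
}

# 6. Monitor: review recent successful logons (event ID 4624) on the target
#    to see which account and logon type the delegated access produced.
Get-WinEvent -ComputerName $secondHop -MaxEvents 5 -FilterHashtable @{
    LogName = 'Security'; Id = 4624
} | Select-Object TimeCreated, Id, Message
```

If `ShareReachable` is `False` right after changing delegation, the domain controller may still be serving a cached result, so retry after a short wait before widening any permissions.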

Conclusion

Configuring second hop remoting lets you manage multiple servers seamlessly in hybrid Azure and on-premises setups. You learn to choose between CredSSP for ease or Kerberos constrained delegation for stronger security. Properly registering SPNs, delegating permissions, and opening firewall ports are key steps in the process. Finally, thorough testing and monitoring ensure your credential delegation remains both effective and secure.