1
00:00:00,940 --> 00:00:02,960
[Autogenerated] What is the Kerberos second hop problem?

2
00:00:02,960 --> 00:00:05,470
Well, number one, remember that in Active Directory

3
00:00:05,470 --> 00:00:08,590
we're dealing with Kerberos authentication, and the second

4
00:00:08,590 --> 00:00:11,690
hop problem occurs when you have a user,

5
00:00:11,690 --> 00:00:12,100
let's say,

6
00:00:12,100 --> 00:00:15,030
an administrator on their workstation, and they want to

7
00:00:15,030 --> 00:00:17,610
pass through an intermediary server.

8
00:00:17,610 --> 00:00:18,310
In other words,

9
00:00:18,310 --> 00:00:23,370
the user makes a remoting session with server one with their own credentials,

10
00:00:23,370 --> 00:00:25,670
with their own domain credentials, let's say.

11
00:00:25,670 --> 00:00:27,980
And then from that remoting session,

12
00:00:27,980 --> 00:00:32,900
they attempt, say, a nested remoting session to server two, or they want to

13
00:00:32,900 --> 00:00:37,730
send a command to server two using their original credentials.

14
00:00:37,730 --> 00:00:39,400
Well, that's the second hop problem.

15
00:00:39,400 --> 00:00:40,860
For security reasons,

16
00:00:40,860 --> 00:00:46,940
Kerberos is not going to delegate or impersonate that user on that second hop.

17
00:00:46,940 --> 00:00:50,540
So that second command, that is, that command to server

18
00:00:50,540 --> 00:00:52,440
two, is going to fail by default.

19
00:00:52,440 --> 00:00:54,670
Now there's a couple of workarounds to that.

20
00:00:54,670 --> 00:00:59,500
The one that the exam objectives for AZ-800 call out is CredSSP;

21
00:00:59,500 --> 00:01:02,330
there's some other better options, in my humble opinion.

22
00:01:02,330 --> 00:01:05,840
Check the exercise files because I give you some references there,

23
00:01:05,840 --> 00:01:09,330
but the exam specifically mentions the Credential Security

24
00:01:09,330 --> 00:01:12,610
Support Provider, or CredSSP, protocol.

25
00:01:12,610 --> 00:01:16,940
Now this protocol enables unconstrained credential delegation

26
00:01:16,940 --> 00:01:19,710
from the client to the target server for remote.

27
00:01:19,710 --> 00:01:23,370
Now the issue here with CredSSP is that word unconstrained,

28
00:01:23,370 --> 00:01:25,720
which means that the credential passing isn't

29
00:01:25,720 --> 00:01:27,870
restricted to a particular service.

30
00:01:27,870 --> 00:01:33,380
As you'll see in the demo, we enable CredSSP on the client and server machines.

31
00:01:33,380 --> 00:01:37,340
The client would be the machine that's passing the credentials, and

32
00:01:37,340 --> 00:01:40,030
the server would be the ultimate target of those.

33
00:01:40,030 --> 00:01:44,330
Now, constrained Kerberos delegation is where you can be very intentional,

34
00:01:44,330 --> 00:01:46,790
not only where your clients and servers are,

35
00:01:46,790 --> 00:01:49,020
that's what CredSSP can identify.

36
00:01:49,020 --> 00:01:51,280
But with constrained Kerberos delegation,

37
00:01:51,280 --> 00:01:56,530
you can track it to particular services. CredSSP is just an allow list that

38
00:01:56,530 --> 00:02:04,000
globally allows those credentials to be passed to any service, which obviously is a security-sensitive operation.