Configure Resource-Based Kerberos Constrained Delegation for PowerShell Remoting

30 minutes
  • 3 Learning Objectives

About this Hands-on Lab

This hands-on lab walks through the process of configuring resource-based Kerberos constrained delegation to solve the PowerShell remoting second hop problem.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Test Access without Kerberos Delegation
  1. Log in to BRAWKS1 using and the same password as the lab details.
  2. Connect to BRAADM1 using PowerShell remoting.
  3. Test access to \BRAFS1Data. You should receive an access denied message.
Configure Resource-Based Kerberos Constrained Delegation

Configure resource-based Kerberos constrained delegation so the administrative server BRAADM1 can delegate credentials to the file server BRAFS1.

Test Access with Resource-Based Kerberos Constrained Delegation
  1. If required, log in to BRAWKS1 using and the same password as the lab details.
  2. Connect to BRAADM1 using PowerShell remoting.
  3. Test access to \BRAFS1Data.
  4. Use the Compress-Archive cmdlet to archive the files in \BRAFS1Data.

Additional Resources


You are a systems administrator at Barrier Reef Audio, a company that focuses on generating text from speech using a range of high-quality audio equipment and machine learning.

You use Windows PowerShell to perform a range of administrative tasks, including managing file servers. Due to network security restrictions, you don’t have unrestricted access to all servers in your environment from your workstation. So instead you typically use PowerShell remoting to access an administrative server that you then use to run commands and scripts from. One of your tasks is to archive files on a file server share to a ZIP file.

When you attempt to access the file server using PowerShell remoting, you find you are denied access. This is commonly referred to as the second hop problem.

In this lab, you will complete the following tasks:

  1. Test access without Kerberos delegation.
  2. Configure resource-based Kerberos constrained delegation.
  3. Test access with resource-based Kerberos constrained delegation.

Lab Setup

In this lab, you will connect to VMs via Remote Desktop. You won't need to access the Azure portal.

Note: To complete this lab, use one of the following Remote Desktop clients:

If you get stuck, feel free to check out the lab objectives, solution videos, or lab guide. Good luck!

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?