1. What happens after a user successfully authenticates with a certificate via PKINIT?
They receive a special certificate-based session that is tracked separately from Kerberos They receive a standard Kerberos TGT that is functionally identical to one obtained through password authentication They receive a temporary access token that must be renewed with the certificate every hour They receive access only to certificate-protected services, not to standard Kerberos services 2. An organization resets a compromised Domain Admin's password. According to the lesson, what happens to certificates previously issued for that identity?
The certificates are automatically invalidated because they are tied to the password The certificates remain valid and can still be used to obtain TGTs until they expire or are explicitly revoked The certificates become read-only and can no longer be used for authentication The certificates are valid but the KDC will reject them because the password hash changed 3. What is Schannel authentication and when would an attacker use it?
A replacement for PKINIT that provides stronger authentication guarantees Certificate authentication over TLS, primarily via LDAPS, used as a fallback when PKINIT is unavailable A method for intercepting certificate authentication traffic on the network A Windows-specific encryption protocol that replaces TLS for internal communications 4. The lesson describes certificate-based authentication as an 'alternative door to the same building.' What does this mean?
Certificate authentication gives access to different resources than password authentication PKINIT provides an alternative way to obtain the same Kerberos TGT, and the alternative path may have weaker controls Certificate authentication requires physical access to a separate server Certificates can only be used after password authentication has already succeeded 5. Why does the lesson say that certificate-based authentication is 'often less monitored' than password-based authentication?
Because certificate authentication does not generate any logs Because PKINIT authentication looks like legitimate Kerberos traffic, making it harder to distinguish from normal authentication Because certificates are encrypted and cannot be inspected by network monitoring tools Because most organizations disable logging for certificate-based authentication