Final answer:
To ensure Kerberos authentication when accessing a website through an alias, you should run the setspn command to add the alias as a Service Principal Name (SPN) to the gMSA1 service account.
Thus, the correct option is C.
Step-by-step explanation:
The issue where domain users authenticate via Kerberos when accessing the load-balanced website Web1 using the hostname web1.contoso.com, but default to NTLM authentication when using the alias webalias.contoso.com, can be resolved by ensuring that the Service Principal Name (SPN) is properly configured for the alias used by the website. In this situation, the appropriate course of action would be to:
Run the setspn command to add the alias as an SPN to the gMSA1 service account.
By doing so, you are associating the correct SPN with the service account, which should allow Kerberos authentication when accessing the website through the alias.
This is necessary because Kerberos relies on SPNs to associate a service instance with a service logon account. When a user accesses Web1 using webalias.contoso.com, the Kerberos authentication will look for an SPN matching that name, and if it doesn't find one, it falls back to NTLM authentication.
Modifying the properties of the application pool or the website will not add an SPN, and running the Add-ADComputerServiceAccount cmdlet is not required as the account is already a managed service account and effectively being used by the servers.
Therefore, the correct option is C. Modify the properties of the Web1 website.