139k views
5 votes
Your network contains an Active Directory domain named . All domain controllers run Windows Server 2012. The domain contains two servers. The servers are configured as shown in the following table.

Server1 and Server2 host a load-balanced website named Web1. Web1 runs by using an application pool named WebApp1. WebApp1 uses a group Managed Service Account named gMSA1 as its identity. Domain users connect to Web1 by using either the name or the alias .

You discover the following:

- When the users access Web1 by using , they authenticate by using Kerberos.
- When the users access Web1 by using , they authenticate by using NTLM.

You need to ensure that the users can authenticate by using Kerberos when they connect by using . What should you do?

A. Modify the properties of the WebApp1 application pool.
B. Run the Add-ADComputerServiceAccount cmdlet.
C. Modify the properties of the Web1 website.
D. Modify the properties of the gMSA1 service account.

by User Jlhuertas, 7.4k points

1 Answer

6 votes

Final answer:

To ensure Kerberos authentication when accessing a website through an alias, you should run the setspn command to add the alias as a Service Principal Name (SPN) to the gMSA1 service account.

Thus, the correct option is C.

Step-by-step explanation:

The issue where domain users authenticate via Kerberos when accessing the load-balanced website Web1 using the hostname web1.contoso.com, but default to NTLM authentication when using the alias webalias.contoso.com, can be resolved by ensuring that the Service Principal Name (SPN) is properly configured for the alias used by the website. In this situation, the appropriate course of action would be to:

Run the setspn command to add the alias as an SPN to the gMSA1 service account.

By doing so, you are associating the correct SPN with the service account, which should allow Kerberos authentication when accessing the website through the alias.

This is necessary because Kerberos relies on SPNs to associate a service instance with a service logon account. When a user accesses Web1 using webalias.contoso.com, the Kerberos authentication will look for an SPN matching that name, and if it doesn't find one, it falls back to NTLM authentication.

Modifying the properties of the application pool or the website will not add an SPN, and running the Add-ADComputerServiceAccount cmdlet is not required as the account is already a managed service account and effectively being used by the servers.

Therefore, the correct option is C. Modify the properties of the Web1 website.

by User Ivan Coronado, 7.6k points
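The SPN registration the answer above describes, written out as an added PowerShell example (this is not code from the question or the answer). The names are assumptions taken from the answer: domain contoso.com, alias webalias.contoso.com, service account gMSA1. It checks for an existing owner of the SPN before adding it, because a duplicate SPN is the other common reason a Kerberos request silently degrades to NTLM, then writes the new SPNs onto the gMSA1 account object in AD and verifies them.

```powershell
# Added example, not from the original post. Assumed names: contoso.com,
# webalias, gMSA1. Requires the ActiveDirectory RSAT module and an account
# with write access to the gMSA1 object (for example a Domain Admin).
Import-Module ActiveDirectory

$Domain   = 'contoso.com'
$Alias    = 'webalias'      # the name that currently falls back to NTLM
$GmsaName = 'gMSA1'

# 1. Look at what is already registered on the gMSA.
$gmsa = Get-ADServiceAccount -Identity $GmsaName -Properties ServicePrincipalNames
Write-Host "Current SPNs on $GmsaName:"
$gmsa.ServicePrincipalNames

# 2. SPNs a browser will request for the alias. Register both the FQDN and the
#    short-name form, since clients may use either when building the SPN.
$NewSpns = @("HTTP/$Alias.$Domain", "HTTP/$Alias")

# 3. Refuse to create a duplicate. If another account already holds the SPN,
#    the KDC cannot choose a key and clients fall back to NTLM just as before.
foreach ($spn in $NewSpns) {
    $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName
    if ($owner -and $owner.DistinguishedName -ne $gmsa.DistinguishedName) {
        throw "SPN $spn is already registered on $($owner.sAMAccountName); remove it there first."
    }
}

# 4. Add the SPNs to the gMSA account object. The setspn.exe equivalent, which
#    also performs the duplicate check, is:
#      setspn -S HTTP/webalias.contoso.com contoso\gMSA1$
Set-ADServiceAccount -Identity $GmsaName -ServicePrincipalNames @{Add = $NewSpns}

# 5. Verify the change landed.
(Get-ADServiceAccount -Identity $GmsaName -Properties ServicePrincipalNames).ServicePrincipalNames |
    Where-Object { $_ -like "HTTP/$Alias*" }

# 6. Client-side check from a domain-joined workstation, after purging tickets
#    and browsing to http://webalias.contoso.com once:
#      klist purge
#      klist | findstr /i "HTTP/webalias"
#    A ticket for HTTP/webalias.contoso.com means the alias now negotiates Kerberos.
```

Two caveats a practitioner should keep in mind. First, the gMSA's sAMAccountName ends in `$`, which is why the setspn form names `contoso\gMSA1$`; the AD cmdlets resolve `gMSA1` without it. Second, on IIS a domain identity behind a load balancer only decrypts tickets correctly if kernel-mode authentication is either disabled or configured with `useAppPoolCredentials="true"`; since the scenario states Kerberos already works for the primary name, that part is already in place and the alias needs only the SPN.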