70-411 R2 Test Bank Lesson 15




70-411 Test Bank, Lesson 15 Configuring Service Authentication16 Multiple Choice 6 Short Answer 4 Best Answer 3 Build List 4 Repeated Answer 33 questions Multiple Choice 1. What is the default authentication protocol for non-domain computers? a. NTLM b. PAP c. CHAP d. Kerberos Answer: a Difficulty: Easy Section Ref: Configuring Server Authentication Explanation: Although Kerberos is the default authentication protocol for today’s domain computers, NTLM is the default authentication protocol for Windows NT, standalone computers that are not part of a domain, and situations in which you authenticate to a server using an IP address. 2. What does the acronym NTLM stand for? a. NT Link Messenger b. NT Link Manager c. NT LAN Manager d. NT LAN Messenger Answer: c Difficulty: Easy Section Ref: Understanding NTLM Authentication Explanation: NT LAN Manager (NTLM) is a suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users. 3. NTLM uses a challenge-response mechanism for authentication without doing what? Every host on the network has its own secret key. 15 minutes d.a. 45 minutes Answer: b Difficulty: Medium . a simple Microsoft-only protocol c. 6. a certificate-based authentication protocol Answer: a Difficulty: Medium Section Ref: Managing Kerberos Explanation: Kerberos is a computer network authentication protocol that allows hosts to prove their identity securely over a non-secure network. a uni-directional authentication protocol d. What is the default maximum allowable time lapse between domain controllers and client systems for Kerberos to work correctly? a. sending a password to the server d. security and authentication are based on secret-key technology. 
sending an encrypt/decrypt message to the server Answer: c Difficulty: Medium Section Ref: Understanding NTLM Authentication Explanation: NTLM uses a challenge-response mechanism for authentication in which clients can prove their identities without sending a password to the server. Kerberos security and authentication are based on what type of technology? a. revealing the protocol to the server c. challenge-response d. 1 minute b. 5. a secure network authentication protocol b. 4. secret key c. secure transmission b. revealing the client’s operating system to the server b. 5 minutes c. What type of protocol is Kerberos? a. legacy code Answer: b Difficulty: Medium Section Ref: Managing Kerberos Explanation: With Kerberos. The client receives an access denied error. Which tool can you use to add SPNs to an account? a. 7. no service ticket can be established and the client throws an access denied error. service name. 8. Notepad b. c. The Kerberos server receives an access denied error. the host name. service name. service class. and the port (if port 80 is not used). and port number b. Windows operating systems include the Time Service tool (W32Time service). Microsoft Word d. The Kerberos ticket for that service is destroyed. URL. host name. Kerberos authentication will work if the time interval between the relevant computers is within the maximum enabled time parameters. LDAP c. IP address. b. service name. What happens if a client submits a service ticket request for an SPN that does not exist in the identity store? a. and host name c. d. and IP address d. 9. ADSI Edit Answer: d Difficulty: Easy Section Ref: Managing Service Principal Names Explanation: You can use ADSI Edit to add SPNs to an account. the domain controllers and clients must have the same time. Which three components make up a service principal name (SPN)? a. such as HTTP (which includes both the HTTP and HTTPS protocols) or SQLService. host name. 
.Section Ref: Managing Kerberos Explanation: For all of this to work and to ensure security. An event is written to the Kerberos server’s event log. The default is five minutes. Answer: b Difficulty: Medium Section Ref: Managing Service Principal Names Explanation: If a client submits a service ticket request for an SPN that does not exist in the identity store. and port number Answer: d Difficulty: Medium Section Ref: Managing Service Principal Names Explanation: The SPN consists of three components: the service class. the editor runs from the domain controller Answer: a and d Difficulty: Medium Section Ref: Managing Service Principal Names Explanation: To configure an SPN for a service or application pool account. Identify another utility that you can use to add SPNs to an account. network Answer: c Difficulty: Easy Section Ref: Managing Service Accounts Explanation: A service account is an account under which an operating system. dnscmd b. process. you must have domain administrative permissions or a delegation to modify the ServicePrincipalName property. processes. and services. Domain Administrator privileges b. What type of account is an account under which an operating system. full control permissions for the folder c.10. process. 11. system c. 12. netsh Answer: c Difficulty: Easy Section Ref: Managing Service Principal Names Explanation: You can use setspn.exe to add SPNs to an account. What are the two restrictions for adding SPNs to an account? a. When creating accounts for operating systems. or service runs? a. spnedit c. user b. you should always configure them with what two things in mind? a. a. or service runs. service d. 13. You also must run ADSI Edit from a domain controller. using strong passwords b. using cryptic user names . local administrator privileges d. setspn d. simplified SPN management d. standard local service accounts c. granting the least rights possible d. Name two benefits to using Managed Service Accounts (MSAs). 
NT Service\servicename d. and share permissions) that it needs to perform its necessary tasks. Windows Server 2012. automatic password management c. 15. and Windows Server 2012 R2? a. 16. Which of the following is the format for a virtual account used with Windows Server 2008 R2. standalone MSAs b. 14. Also. using built-in accounts Answer: a and c Difficulty: Medium Section Ref: Creating and Configuring Service Accounts Explanation: To reduce the risk of using service accounts. simplified account troubleshooting Answer: b and c Difficulty: Medium Section Ref: Creating and Configuring Managed Service Accounts Explanation: To simplify administration. NT Service\servicename$ Answer: c . give the account the least amount of access (user rights. a. group MSAs d. NTFS permissions. By default. MSAs provide automatic password management and simplified SPN management. domain user accounts designated as service accounts Answer: c Difficulty: Medium Section Ref: Creating and Configuring Managed Service Accounts Explanation: The Windows PowerShell cmdlets default to managing the group Managed Service Accounts rather than the original standalone MSAs. which service accounts will the Windows PowerShell cmdlets manage? a. computername\servicename c. you should use a strong password for the service account and make sure that the password changes often.c. Microsoft technology b. domainname\servicename b. Difficulty: Medium Section Ref: Managing Kerberos Explanation: When the client connects to a server or service. the domain controllers and clients must have the same time. Answer: Kerberos uses the current ticket to prove authentication and Kerberos can also perform double-hop authentication. and simplified SPN management. Systems need to be time synchronized within a certain amount of lapse. Answer: Complicated. including automatic password management. which service needs to be accurate and generally synchronized between systems? Answer: The Time Service. As a result. 
such as requiring a service principal name (SPN) for the domain account.Difficulty: Medium Section Ref: Configuring Virtual Accounts Explanation: A virtual account is an account that emulates a Network Service account that has the name NT Service\servicename. Short Answer 17. which requires additional configuration. it is also more complicated than NTLM. Windows operating systems include the Time Service tool (W32Time service). The virtual account has simplified service administration. Difficulty: Medium Section Ref: Managing Kerberos Explanation: Although Kerberos is more secure than NTLM. Kerberos uses the current client ticket proving that the client is authenticated. For Kerberos to work properly. Both of these Kerberos benefits improve authentication performance. Kerberos also can perform a double-hop authentication. . 19. 18. Name the two ways that Kerberos authentication improves overall authentication performance. the service does not have to perform authentication to a domain controller. Difficulty: Medium Section Ref: Managing Kerberos Explanation: For all of this to work and to ensure security. Kerberos authentication will work if the time interval between the relevant computers is within the maximum enabled time parameters. Kerberos is more secure than NTLM but it is also more __________________. Kerberos requires additional configuration. you can configure Kerberos constrained delegation. A service or application that is secured by Kerberos must have an identity in the domain. where you specify the services to which a ticket can be forwarded Difficulty: Medium Section Ref: Managing Kerberos Explanation: To secure the double-hop authentication. Constrained delegation restricts which services are allowed to delegate user credentials by specifying—for each application pool or service—the services to which a Kerberos ticket can be forwarded. What is meant by the term double-hop authentication? 
Answer: Kerberos forwards the authentication ticket from one service to another to prove authentication. NTLM b. CHAP d. Kerberos Answer: d Difficulty: Easy Section Ref: Configuring Server Authentication Explanation: Although Kerberos is the default authentication protocol for today’s domain computers. How do you make double-hop authentication more secure? Answer: By using constrained delegation. which forwards Kerberos tickets from one service to a supporting service. PAP c. Best Answer 23. Difficulty: Easy Section Ref: Managing Service Principal Names Explanation: A service or application that is secured by Kerberos must have an identity—a user account or computer account—within the realm (in this case. What is the default authentication protocol for contemporary domain computers? a. NTLM is the default authentication protocol for Windows NT. 21. Difficulty: Medium Section Ref: Managing Kerberos Explanation: Kerberos can perform a double-hop authentication. What is an identity? Answer: An identity is a user account or a computer account. the domain) that the system exists on. . 22.20. service principal name Answer: d Difficulty: Medium Section Ref: Managing Service Principal Names Explanation: A service principal name (SPN) is the name by which a client uniquely identifies an instance of a service. 26. 24. log on interactively b. The account will be given the Log On As Service right. a. What is the name by which a client uniquely identifies an instance of a service? a. domain administrator d. you must create what? a. What service right does an MSA account automatically receive upon creation? a. service account name c. . 25. a key services MSA distributed domain account c. domain power user Answer: b Difficulty: Medium Section Ref: Creating and Configuring Managed Service Accounts Explanation: On the Log On tab. and situations in which you authenticate to a server using an IP address. service provider name d. Build List 27. 
Before you can create an MSA object type. a key services MSA group b. a key distribution services root key d. Order the following steps required to use the SPN with a service. service instance name b.standalone computers that are not part of a domain. a key distribution services Master MSA Answer: c Difficulty: Medium Section Ref: Creating and Configuring Managed Service Accounts Explanation: Before you can create an MSA object type. confirm that the name appears with a dollar sign ($). you need to create a key distribution services root key for the domain. Connect to the domain. log on as a service c. d. maximum lifetime for service ticket b. and then expand the nodes representing the OUs. g. d. Open the Service console. Create the new user account. Answer: B A C E D Difficulty: Easy Section Ref: Creating and Configuring Service Accounts Explanation: Refer to the steps shown under Create a Service Account. Open the OU where you want to add the user account. Add SPN to the service account. c. a. c. c. Which Kerberos setting defines the maximum time skew that can be tolerated between a ticket’s timestamp and the current time at the KDC? a.b. e. Restart the service. Clear the Password and Confirm password text boxes. Open the ADSI Edit console. b. expand the domain. Click the Log On tab. Select the OU where the service account exists. Select This account option and enter the name of the service account. f. d. Open the service to show the properties. e. Order the following steps required to create a service account. Expand Default Naming Context in the console tree. Answer: C A B E D Difficulty: Easy Section Ref: Managing Service Principal Names Explanation: Refer to the steps outlined in the Use the Managed Service Account with a Service. Open Active Directory Users and Computers. 28. b. 29. a. Select Password never expires. Repeated Answer 30. Order the following steps required to use the MSA with a service. Open the Domain node. 
Answer: F A D G E B C Difficulty: Medium Section Ref: Creating and Configuring Managed Service Accounts Explanation: Refer to the steps required in Use the MSA with a Service. maximum lifetime for user ticket . Select Log On As a Service. e. c. Which Kerberos setting defines how long a service or user ticket can be renewed? a. maximum lifetime for user ticket renewal d. maximum tolerance for computer clock synchronization Answer: a Difficulty: Medium Section Ref: Managing Kerberos Explanation: The setting for maximum lifetime for service ticket defines the maximum lifetime of a service ticket (Kerberos ticket). maximum lifetime for user ticket renewal d. maximum tolerance for computer clock synchronization Answer: b Difficulty: Medium Section Ref: Managing Kerberos Explanation: The setting for maximum lifetime for user ticket defines the maximum lifetime ticket for a Kerberos TGT ticket (user ticket). maximum lifetime for user ticket renewal d. The default lifetime is 10 hours. 31. maximum lifetime for user ticket c. The default lifetime is 10 hours. maximum tolerance for computer clock synchronization Answer: d Difficulty: Medium Section Ref: Managing Kerberos Explanation: The setting for maximum tolerance for computer clock synchronization defines the maximum time skew that can be tolerated between a ticket’s timestamp and the current time at the KDC. maximum lifetime for user ticket c. Which Kerberos setting defines the maximum lifetime of a Kerberos ticket? a. maximum lifetime for service ticket b. 32. Which Kerberos setting defines the maximum lifetime ticket for a Kerberos TGT ticket? a. 33. maximum lifetime for service ticket b. maximum lifetime for user ticket renewal d. Kerberos uses a timestamp to protect against replay attacks. maximum tolerance for computer clock synchronization . maximum lifetime for service ticket b. maximum lifetime for user ticket c. The default setting is 5 minutes. 
Answer: c Difficulty: Medium Section Ref: Managing Kerberos Explanation: The setting for maximum lifetime for user ticket renewal defines how long a service or user ticket can be renewed. By default, it can be renewed up to 7 days.