70-411 Test Bank, Lesson 15 Configuring Service Authentication

16 Multiple Choice
6 Short Answer
4 Best Answer
3 Build List
4 Repeated Answer
33 questions

Multiple Choice
1. What is the default authentication protocol for non-domain computers?
a. NTLM
b. PAP
c. CHAP
d. Kerberos
Answer: a
Difficulty: Easy
Section Ref: Configuring Server Authentication
Explanation: Although Kerberos is the default authentication protocol for today's
domain computers, NTLM is the default authentication protocol for Windows NT,
standalone computers that are not part of a domain, and situations in which you
authenticate to a server using an IP address.
2. What does the acronym NTLM stand for?
a. NT Link Messenger
b. NT Link Manager
c. NT LAN Manager
d. NT LAN Messenger
Answer: c
Difficulty: Easy
Section Ref: Understanding NTLM Authentication
Explanation: NT LAN Manager (NTLM) is a suite of Microsoft security protocols that
provides authentication, integrity, and confidentiality to users.
3. NTLM uses a challenge-response mechanism for authentication without doing
what?
a. revealing the client's operating system to the server
b. revealing the protocol to the server
c. sending a password to the server
d. sending an encrypt/decrypt message to the server
Answer: c
Difficulty: Medium
Section Ref: Understanding NTLM Authentication
Explanation: NTLM uses a challenge-response mechanism for authentication in
which clients can prove their identities without sending a password to the server.
4. What type of protocol is Kerberos?
a. a secure network authentication protocol
b. a simple Microsoft-only protocol
c. a uni-directional authentication protocol
d. a certificate-based authentication protocol
Answer: a
Difficulty: Medium
Section Ref: Managing Kerberos
Explanation: Kerberos is a computer network authentication protocol that allows
hosts to prove their identity securely over a non-secure network.
5. Kerberos security and authentication are based on what type of technology?
a. secure transmission
b. secret key
c. challenge-response
d. legacy code
Answer: b
Difficulty: Medium
Section Ref: Managing Kerberos
Explanation: With Kerberos, security and authentication are based on secret-key
technology. Every host on the network has its own secret key.
6. What is the default maximum allowable time lapse between domain controllers
and client systems for Kerberos to work correctly?
a. 1 minute
b. 5 minutes
c. 15 minutes
d. 45 minutes
Answer: b
Difficulty: Medium
Section Ref: Managing Kerberos
Explanation: For Kerberos authentication to work and to ensure security, the domain
controllers and clients must have the same time. Windows operating systems include
the Time Service tool (W32Time service). Kerberos authentication will work if the
time difference between the relevant computers is within the maximum configured
tolerance. The default is five minutes.
7. Which three components make up a service principal name (SPN)?
a. service name, IP address, and port number
b. service name, URL, and host name
c. service name, host name, and IP address
d. service class, host name, and port number
Answer: d
Difficulty: Medium
Section Ref: Managing Service Principal Names
Explanation: The SPN consists of three components: the service class, such as HTTP
(which includes both the HTTP and HTTPS protocols) or SQLService, the host name,
and the port (if port 80 is not used).
8. What happens if a client submits a service ticket request for an SPN that does not
exist in the identity store?
a. An event is written to the Kerberos server's event log.
b. The client receives an access denied error.
c. The Kerberos server receives an access denied error.
d. The Kerberos ticket for that service is destroyed.
Answer: b
Difficulty: Medium
Section Ref: Managing Service Principal Names
Explanation: If a client submits a service ticket request for an SPN that does not
exist in the identity store, no service ticket can be established and the client throws
an access denied error.
9. Which tool can you use to add SPNs to an account?
a. Notepad
b. LDAP
c. Microsoft Word
d. ADSI Edit
Answer: d
Difficulty: Easy
Section Ref: Managing Service Principal Names
Explanation: You can use ADSI Edit to add SPNs to an account.
10. What are the two restrictions for adding SPNs to an account?
a. Domain Administrator privileges
b. full control permissions for the folder
c. local administrator privileges
d. the editor runs from the domain controller
Answer: a and d
Difficulty: Medium
Section Ref: Managing Service Principal Names
Explanation: To configure an SPN for a service or application pool account, you must
have domain administrative permissions or a delegation to modify the
ServicePrincipalName property. You also must run ADSI Edit from a domain
controller.
11. Identify another utility that you can use to add SPNs to an account.
a. dnscmd
b. spnedit
c. setspn
d. netsh
Answer: c
Difficulty: Easy
Section Ref: Managing Service Principal Names
Explanation: You can use setspn.exe to add SPNs to an account.
12. What type of account is an account under which an operating system, process,
or service runs?
a. user
b. system
c. service
d. network
Answer: c
Difficulty: Easy
Section Ref: Managing Service Accounts
Explanation: A service account is an account under which an operating system,
process, or service runs.
13. When creating accounts for operating systems, processes, and services, you
should always configure them with what two things in mind?
a. using strong passwords
b. using cryptic user names
c. granting the least rights possible
d. using built-in accounts
Answer: a and c
Difficulty: Medium
Section Ref: Creating and Configuring Service Accounts
Explanation: To reduce the risk of using service accounts, you should use a strong
password for the service account and make sure that the password changes often.
Also, give the account the least amount of access (user rights, NTFS permissions,
and share permissions) that it needs to perform its necessary tasks.
14. Name two benefits to using Managed Service Accounts (MSAs).
a. Microsoft technology
b. automatic password management
c. simplified SPN management
d. simplified account troubleshooting
Answer: b and c
Difficulty: Medium
Section Ref: Creating and Configuring Managed Service Accounts
Explanation: To simplify administration, MSAs provide automatic password
management and simplified SPN management.
15. By default, which service accounts will the Windows PowerShell cmdlets
manage?
a. standalone MSAs
b. standard local service accounts
c. group MSAs
d. domain user accounts designated as service accounts
Answer: c
Difficulty: Medium
Section Ref: Creating and Configuring Managed Service Accounts
Explanation: The Windows PowerShell cmdlets default to managing the group
Managed Service Accounts rather than the original standalone MSAs.
16. Which of the following is the format for a virtual account used with Windows
Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2?
a. domainname\servicename
b. computername\servicename
c. NT Service\servicename
d. NT Service\servicename$
Answer: c
Difficulty: Medium
Section Ref: Configuring Virtual Accounts
Explanation: A virtual account is an account that emulates a Network Service
account that has the name NT Service\servicename. The virtual account has
simplified service administration, including automatic password management, and
simplified SPN management.

Short Answer
17. Kerberos is more secure than NTLM but it is also more __________________.
Answer: Complicated. Kerberos requires additional configuration.
Difficulty: Medium
Section Ref: Managing Kerberos
Explanation: Although Kerberos is more secure than NTLM, it is also more
complicated than NTLM and requires additional configuration, such as a
service principal name (SPN) for the domain account.
18. For Kerberos to work properly, which service needs to be accurate and generally
synchronized between systems?
Answer: The Time Service. Systems need to be time synchronized within a certain
amount of lapse.
Difficulty: Medium
Section Ref: Managing Kerberos
Explanation: For Kerberos authentication to work and to ensure security, the domain
controllers and clients must have the same time. Windows operating systems include
the Time Service tool (W32Time service). Kerberos authentication will work if the
time difference between the relevant computers is within the maximum configured
tolerance.
19. Name the two ways that Kerberos authentication improves overall
authentication performance.
Answer: Kerberos uses the current ticket to prove authentication and Kerberos can
also perform double-hop authentication.
Difficulty: Medium
Section Ref: Managing Kerberos
Explanation: When the client connects to a server or service, Kerberos uses the
current client ticket proving that the client is authenticated. As a result, the service
does not have to perform authentication to a domain controller. Kerberos also can
perform a double-hop authentication. Both of these Kerberos benefits improve
authentication performance.
20. What is meant by the term double-hop authentication?
Answer: Kerberos forwards the authentication ticket from one service to another to
prove authentication.
Difficulty: Medium
Section Ref: Managing Kerberos
Explanation: Kerberos can perform a double-hop authentication, which forwards
Kerberos tickets from one service to a supporting service.
21. How do you make double-hop authentication more secure?
Answer: By using constrained delegation, where you specify the services to which a
ticket can be forwarded
Difficulty: Medium
Section Ref: Managing Kerberos
Explanation: To secure double-hop authentication, you can configure Kerberos
constrained delegation. Constrained delegation restricts which services are allowed
to delegate user credentials by specifying, for each application pool or service, the
services to which a Kerberos ticket can be forwarded.
22. A service or application that is secured by Kerberos must have an identity in the
domain. What is an identity?
Answer: An identity is a user account or a computer account.
Difficulty: Easy
Section Ref: Managing Service Principal Names
Explanation: A service or application that is secured by Kerberos must have an
identity (a user account or computer account) within the realm (in this case, the
domain) that the system exists on.

Best Answer
23. What is the default authentication protocol for contemporary domain
computers?
a. NTLM
b. PAP
c. CHAP
d. Kerberos
Answer: d
Difficulty: Easy
Section Ref: Configuring Server Authentication
Explanation: Although Kerberos is the default authentication protocol for today's
domain computers, NTLM is the default authentication protocol for Windows NT,
standalone computers that are not part of a domain, and situations in which you
authenticate to a server using an IP address.
24. What is the name by which a client uniquely identifies an instance of a service?
a. service instance name
b. service account name
c. service provider name
d. service principal name
Answer: d
Difficulty: Medium
Section Ref: Managing Service Principal Names
Explanation: A service principal name (SPN) is the name by which a client uniquely
identifies an instance of a service.
25. Before you can create an MSA object type, you must create what?
a. a key services MSA group
b. a key services MSA distributed domain account
c. a key distribution services root key
d. a key distribution services Master MSA
Answer: c
Difficulty: Medium
Section Ref: Creating and Configuring Managed Service Accounts
Explanation: Before you can create an MSA object type, you need to create a key
distribution services root key for the domain.
26. What service right does an MSA account automatically receive upon creation?
a. log on interactively
b. log on as a service
c. domain administrator
d. domain power user
Answer: b
Difficulty: Medium
Section Ref: Creating and Configuring Managed Service Accounts
Explanation: On the Log On tab, confirm that the name appears with a dollar sign
($). The account will be given the Log On As Service right.

Build List
27. Order the following steps required to use the SPN with a service.
a. Connect to the domain.
b. Expand Default Naming Context in the console tree, expand the domain, and
then expand the nodes representing the OUs.
c. Open the ADSI Edit console.
d. Add SPN to the service account.
e. Select the OU where the service account exists.
Answer: C A B E D
Difficulty: Easy
Section Ref: Managing Service Principal Names
Explanation: Refer to the steps outlined in Use the Managed Service Account
with a Service.
28. Order the following steps required to create a service account.
a. Open the Domain node.
b. Open Active Directory Users and Computers.
c. Open the OU where you want to add the user account.
d. Select Password never expires.
e. Create the new user account.
Answer: B A C E D
Difficulty: Easy
Section Ref: Creating and Configuring Service Accounts
Explanation: Refer to the steps shown under Create a Service Account.
29. Order the following steps required to use the MSA with a service.
a. Open the service to show the properties.
b. Select Log On As a Service.
c. Restart the service.
d. Click the Log On tab.
e. Clear the Password and Confirm password text boxes.
f. Open the Service console.
g. Select This account option and enter the name of the service account.
Answer: F A D G E B C
Difficulty: Medium
Section Ref: Creating and Configuring Managed Service Accounts
Explanation: Refer to the steps required in Use the MSA with a Service.

Repeated Answer
30. Which Kerberos setting defines the maximum time skew that can be tolerated
between a ticket's timestamp and the current time at the KDC?
a. maximum lifetime for service ticket
b. maximum lifetime for user ticket
c. maximum lifetime for user ticket renewal
d. maximum tolerance for computer clock synchronization
Answer: d
Difficulty: Medium
Section Ref: Managing Kerberos
Explanation: The setting for maximum tolerance for computer clock synchronization
defines the maximum time skew that can be tolerated between a ticket's timestamp
and the current time at the KDC. Kerberos uses a timestamp to protect against
replay attacks. The default setting is 5 minutes.
31. Which Kerberos setting defines the maximum lifetime ticket for a Kerberos TGT
ticket?
a. maximum lifetime for service ticket
b. maximum lifetime for user ticket
c. maximum lifetime for user ticket renewal
d. maximum tolerance for computer clock synchronization
Answer: b
Difficulty: Medium
Section Ref: Managing Kerberos
Explanation: The setting for maximum lifetime for user ticket defines the maximum
lifetime of a Kerberos ticket-granting ticket (TGT), also called the user ticket. The
default lifetime is 10 hours.
32. Which Kerberos setting defines the maximum lifetime of a Kerberos ticket?
a. maximum lifetime for service ticket
b. maximum lifetime for user ticket
c. maximum lifetime for user ticket renewal
d. maximum tolerance for computer clock synchronization
Answer: a
Difficulty: Medium
Section Ref: Managing Kerberos
Explanation: The setting for maximum lifetime for service ticket defines the
maximum lifetime of a service ticket (Kerberos ticket). The default lifetime is 10
hours.
33. Which Kerberos setting defines how long a service or user ticket can be
renewed?
a. maximum lifetime for service ticket
b. maximum lifetime for user ticket
c. maximum lifetime for user ticket renewal
d. maximum tolerance for computer clock synchronization
Answer: c
Difficulty: Medium
Section Ref: Managing Kerberos
Explanation: The setting for maximum lifetime for user ticket renewal defines how
long a service or user ticket can be renewed. By default, it can be renewed up to 7
days.