
70-742 Identity with Windows Server 2016

LAB 4
CONFIGURING SERVICE AUTHENTICATION AND ACCOUNT POLICIES

THIS LAB CONTAINS THE FOLLOWING EXERCISES AND ACTIVITIES:

Exercise 4.1 Configuring Kerberos Policy Settings

Exercise 4.2 Creating a Service Account

Exercise 4.3 Creating a Managed Service Account

Exercise 4.4 Configuring Kerberos and Kerberos Delegation

Lab Challenge Configuring a Domain Password and Lockout Policy

BEFORE YOU BEGIN

The lab environment consists of student workstations connected to a local area
network, along with a server that functions as the domain controller for a domain
called adatum.com. The computers required for this lab are listed in Table 4-1.

Table 4-1
Computers required for Lab 4

Computer        Operating System      Computer Name
Server (VM 1)   Windows Server 2016   LON-DC1
Server (VM 2)   Windows Server 2016   LON-SVR1

In addition to the computers, you will also require the software listed in Table 4-2 to
complete Lab 4.

Table 4-2
Software required for Lab 4

Software                  Location
Lab 4 student worksheet   Lab04_worksheet.docx (provided by instructor)

Working with Lab Worksheets

Each lab in this manual requires that you answer questions, take screen shots, and
perform other activities that you will document in a worksheet named for the lab, such
as Lab04_worksheet.docx. You will find these worksheets on the book companion
site. It is recommended that you use a USB flash drive to store your worksheets, so
you can submit them to your instructor for review. As you perform the exercises in
each lab, open the appropriate worksheet file using Word, fill in the required
information, and then save the file to your flash drive.

SCENARIO

After completing this lab, you will be able to:

- Configure Kerberos policy settings
- Create a service account
- Create a managed service account
- Configure Kerberos and Kerberos Delegation
- Configure a domain password and lockout policy

Estimated lab time: 75 minutes



Exercise 4.1 Configuring Kerberos Policy Settings


Overview In this exercise, you will configure Kerberos Policy settings using
the Default Domain Policy.
Mindset Kerberos is the default authentication mechanism in an Active Directory
Domain Services (AD DS) environment and plays a critical role in
authorization and auditing. Because Kerberos is used as part of the
Active Directory domain, Kerberos settings can be configured only at
the domain level with a GPO.
Completion time 10 minutes

1. Log on to LON-DC1 as adatum\administrator with the password of Pa$$w0rd.

2. On LON-DC1, in Server Manager, click Tools > Group Policy Management.

3. In the Group Policy Management console, expand Forest: Adatum.com, Domains, and
then the Adatum.com node. Click Default Domain Policy, and in the Group Policy
Management Console dialog box, click OK to close an information box. The Group
Policy Management Console displays (see Figure 4-1).

Figure 4-1
The Group Policy Management Console

4. Right-click Default Domain Policy and choose Edit. The Group Policy Management
Editor opens, as shown in Figure 4-2.

Figure 4-2
The Group Policy Management Editor

5. In the left pane, expand the Computer Configuration node, expand the Policies node,
and then expand the Windows Settings node. Expand the Security Settings node,
expand Account Policies, and then select Kerberos Policy.

Question 1: What is the maximum tolerance for computer clock synchronization?
Answer: 5 minutes

6. Double-click Maximum tolerance for computer clock synchronization.

7. In the Maximum tolerance for computer clock synchronization dialog box, change the
maximum tolerance to 4 minutes. Click OK.

8. Double-click Maximum lifetime for user ticket.

9. In the Maximum lifetime for user ticket Properties dialog box, change the time to 8
hours. Click OK.

10. In the Suggested Value Changes dialog box, click OK.

11. Take a screen shot of Group Policy Management Editor by pressing Alt+PrtScr and
then paste it into your Lab04_worksheet file in the page provided by pressing Ctrl+V.

12. Close Group Policy Management Editor.

Remain logged on to LON-DC1 for the next exercise.

Exercise 4.2 Creating a Service Account


Overview In this exercise, you will create a traditional service account and then
use the account with a service.
Mindset A service account is an account under which an operating system,
process, or service runs. A service account can allow the application
or service specific rights and permissions to function properly while
minimizing the permissions required for the users using the
application server. Service accounts are used to run Microsoft
Exchange, Microsoft SQL Server, Internet Information Services
(IIS), and SharePoint.
Completion time 15 minutes

1. On LON-DC1, in Server Manager, click Tools > Active Directory Users and
Computers.

2. In the console tree, expand the adatum.com node, if needed.

3. Right-click Adatum.com and choose New > Organizational Unit. The New Object –
Organizational Unit dialog box opens.

4. In the Name text box, type Service Accounts and then click OK.

5. Right-click the Service Accounts organizational unit and choose New > User. The New
Object – User Wizard starts.

6. In the First name text box, type App1. In the Last name text box, type Service. In the
User logon name text box, type App1Service. Click Next. The password options appear.

7. In the Password text box and the Confirm password text box, type Pa$$w0rd. Select the
Password never expires option. When a message displays, indicating that the password
should never expire and that the user will not be required to change the password at next
logon, click OK.

8. Click Next.

9. Click Finish to complete creating a service account.

10. Take a screen shot of the Active Directory Users and Computers showing the Service
Accounts OU by pressing Alt+PrtScr and then paste it into your Lab04_worksheet file
in the page provided by pressing Ctrl+V.

11. Log on to LON-SVR1 as adatum\administrator with the password of Pa$$w0rd.

12. In Server Manager, click Tools > Services. The Services console opens, as shown in
Figure 4-3.

Figure 4-3
The Services console

13. Scroll down and double-click the SNMP Trap service. The SNMP Trap Properties
dialog box opens.

14. Click the Log On tab.

15. Select This account and then, in the text box, type adatum\app1service.

16. In the Password text box and the Confirm password text box, type Pa$$w0rd.

17. Click OK.

18. When a message indicates that the account has been granted the Log On As A Service
right, click OK.

Question 2: What must be done in order for the service to use the specified service account?
Answer: You have to select it from accounts

19. Right-click the SNMP Trap service and choose Start.

20. Take a screen shot of the Services console by pressing Alt+PrtScr and then paste it into
your Lab04_worksheet file in the page provided by pressing Ctrl+V.

Close the Services console.
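The same traditional service account, created and assigned from PowerShell instead of the GUI. This is an added example, not part of the lab manual; it assumes the lab's adatum.com domain, the LON-DC1/LON-SVR1 hosts, and that the SNMP Trap service's internal name is SNMPTRAP.

```powershell
# Added example (not from the lab manual): Exercise 4.2 done with the Active Directory
# module. Run the first part on LON-DC1, the second on LON-SVR1.
Import-Module ActiveDirectory

# --- On LON-DC1: OU and account -------------------------------------------------
$ouPath = 'OU=Service Accounts,DC=adatum,DC=com'
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'Service Accounts'")) {
    New-ADOrganizationalUnit -Name 'Service Accounts' -Path 'DC=adatum,DC=com'
}

# Prompt for the password instead of embedding it in the script.
$svcPassword = Read-Host -AsSecureString 'Password for App1Service'
New-ADUser -Name 'App1 Service' -GivenName App1 -Surname Service `
    -SamAccountName App1Service -UserPrincipalName App1Service@adatum.com `
    -Path $ouPath -AccountPassword $svcPassword -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true

# --- On LON-SVR1: bind the SNMP Trap service to the account ---------------------
# Unlike the Services console, sc.exe does NOT grant the "Log on as a service" right
# automatically; assign it (Local Policies > User Rights Assignment) before starting.
$plain = (New-Object System.Management.Automation.PSCredential(
    'App1Service', $svcPassword)).GetNetworkCredential().Password
sc.exe config SNMPTRAP obj= 'adatum\App1Service' password= $plain
Start-Service -Name SNMPTRAP

# --- Defender check: every never-expiring password is a standing credential ------
# Review this list periodically; such accounts should live only in the Service
# Accounts OU and never be used for interactive logon.
Get-ADUser -Filter 'PasswordNeverExpires -eq $true' -Properties PasswordLastSet |
    Select-Object SamAccountName, DistinguishedName, PasswordLastSet
```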


Exercise 4.3 Creating a Managed Service Account
Overview In this exercise, you will create and deploy a Managed Service
Account (MSA).
Mindset Rather than manually changing the account password and the
password for the service or application, you can use a MSA (in which
the password automatically changes on a regular basis).
Completion time 25 minutes

1. On LON-DC1, in Active Directory Users and Computers, right-click the Computers
container and choose New > Group. For the Group name, type ServerGroup.

2. Answer the following question and then click OK.

Question 3: Which group scope and group type was selected?
Answer: Global and security

3. In the Computers container, right-click ServerGroup and choose Properties.

4. In the Properties dialog box, click the Members tab and then click Add.

5. Click Object Types, select Computers, and then click OK.

6. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, in
the Enter the object names to select text box, type LON-SVR1.

7. Click OK to close the ServerGroup Properties dialog box.

8. On LON-DC1, in Server Manager, click Tools > Active Directory Module for
Windows PowerShell. The Active Directory Module for Windows PowerShell opens.

9. To create a Key Distribution Service (KDS) root key for the domain, execute the following
command in PowerShell:

Add-KDSRootKey -EffectiveTime ((Get-Date).AddHours(-10))

Take Note
There is no space after AddHours.
10. Take a screen shot of the Active Directory Module for Windows PowerShell window by
pressing Alt+PrtScr and then paste it into your Lab04_worksheet file in the page
provided by pressing Ctrl+V.

11. To create a managed service account, execute the following command:

New-ADServiceAccount -Name App2Service -DNSHostName LON-DC1.adatum.com -PrincipalsAllowedToRetrieveManagedPassword ServerGroup

12. In Active Directory Users and Computers, under Adatum.com, click the Managed
Service Account OU and then take a screen shot of the new service account by pressing
Alt+PrtScr and then paste it into your Lab04_worksheet file in the page provided by
pressing Ctrl+V.

13. To associate the MSA with a computer account, in the Administrator: Active Directory
Module for Windows PowerShell window, execute the following command:

Add-ADComputerServiceAccount -Identity LON-SVR1 -ServiceAccount App2Service

14. In Server Manager, click Manage > Add Roles and Features.

15. In the Add Roles and Features Wizard, click Next.

16. On the Installation Type page, click Next.

17. On the Server Selection page, click Next.

18. Click Active Directory Domain Services. If you are prompted to confirm that you want
to add features, click Add Features. Then click Next.

19. On the Select features page, click Next.

20. On the AD DS page, click Next.

21. On the Confirmation page, click Install.

22. When the installation is complete, click Close.

23. On LON-SVR1, in Server Manager, click Tools > Active Directory Module for
Windows PowerShell.

24. In Windows PowerShell, execute the following command to associate the service account
with the LON-SVR1 computer account:

Add-ADComputerServiceAccount -Identity LON-SVR1 -ServiceAccount App2Service

25. On LON-SVR1, in Server Manager, click Tools > Services. The Services console
opens.

26. Double-click the SNMP Trap service. The SNMP Trap Properties dialog box opens.

27. Click the Log On tab.

28. Select This account and then type adatum\app2service$.

Question 4: Why is $ used?
Answer: Because it is a virtual local account

29. Clear the password in the Password text box and the Confirm password text box.

30. Click OK.

31. When a message indicates that the account has been granted the Log On As A Service
right, click OK. Click OK to close the dialog box stating that the new logon name will
not take effect until the service is restarted.

32. Take a screen shot of the Services console showing the SNMP Trap service by pressing
Alt+PrtScr and then paste it into your Lab04_worksheet file in the page provided by
pressing Ctrl+V.

Close all windows, but remain logged on to LON-DC1 and LON-SVR1.
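The managed service account workflow of Exercise 4.3 as one script, with the installation and retrieval checks the lab steps do not show. This is an added example, not code from the lab manual; it assumes the lab's names (adatum.com, LON-DC1, LON-SVR1, ServerGroup, App2Service) and that the SNMP Trap service's internal name is SNMPTRAP.

```powershell
# Added example (not from the lab manual): Exercise 4.3 end to end.
Import-Module ActiveDirectory

# --- On LON-DC1 ------------------------------------------------------------------
# Lab shortcut: back-dating the KDS root key makes it usable immediately. In
# production use -EffectiveImmediately and wait ~10 hours so every DC has the key.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

New-ADGroup -Name ServerGroup -GroupScope Global -GroupCategory Security `
    -Path 'CN=Computers,DC=adatum,DC=com'
Add-ADGroupMember -Identity ServerGroup -Members (Get-ADComputer LON-SVR1)

# Only members of ServerGroup may retrieve the password; no human ever sees it.
New-ADServiceAccount -Name App2Service -DNSHostName LON-DC1.adatum.com `
    -PrincipalsAllowedToRetrieveManagedPassword ServerGroup
Add-ADComputerServiceAccount -Identity LON-SVR1 -ServiceAccount App2Service

# Audit: who is allowed to fetch this password? Review this list periodically.
Get-ADServiceAccount -Identity App2Service `
    -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword

# --- On LON-SVR1 (needs the AD PowerShell module, as installed in steps 14-22) -----
# LON-SVR1 must hold a ticket that reflects its new ServerGroup membership: reboot it
# (or purge the SYSTEM ticket cache with: klist -li 0x3e7 purge) after the group change,
# otherwise the install below fails with an access-denied error.
Install-ADServiceAccount -Identity App2Service
if (-not (Test-ADServiceAccount -Identity App2Service)) {
    throw 'LON-SVR1 cannot retrieve the MSA password; check ServerGroup membership and KDS key'
}

# Bind the service: the account name carries the trailing $ and no password is given,
# exactly as in steps 28 and 29 of the lab.
sc.exe config SNMPTRAP obj= 'adatum\App2Service$' password= ""
Restart-Service -Name SNMPTRAP
```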

Exercise 4.4 Configuring Kerberos and Kerberos Delegation


Overview In this exercise, you will create a Service Principal Name (SPN)
for an account and then configure Kerberos Delegation.
Mindset An SPN is the name by which a client uniquely identifies an instance
of a service. The client locates the service based on the SPN, which
consists of three components:
1. The service class, such as HTTP (which includes both the HTTP
and HTTPS protocols) or SQLService.
2. The host name.
3. The port (if port 80 is not being used).
Completion time 10 minutes

1. On LON-DC1, in Server Manager, click Tools > ADSI Edit. The ADSI Edit
console opens.

2. Right-click ADSI Edit in the console tree and choose Connect To. In the
Connection Settings dialog box (see Figure 4-4), click OK.

Figure 4-4
Viewing the connection settings

3. Double-click Default Naming Context in the console tree, expand
DC=Adatum,DC=com, and then double-click OU=Service Accounts.

4. In the Details pane, right-click the App1 Service and choose Properties. The
CN=App1 Service Properties dialog box opens, as shown in Figure 4-5.

Figure 4-5
Editing the properties of a user

5. In the Attribute list, double-click servicePrincipalName to display the Multi-valued
String Editor dialog box, as shown in Figure 4-6.

Figure 4-6
Modifying the servicePrincipalName

6. In the Value to add field, type http/portal.adatum.com:443 and then click Add.

7. Take a screen shot of the ADSI Edit window showing the Multi-valued String Editor
dialog box by pressing Alt+PrtScr and then paste it into your Lab04_worksheet file
in the page provided by pressing Ctrl+V.

8. Click OK twice.

9. In Active Directory Users and Computers, navigate to and click the Service
Accounts organizational unit.

10. Right-click App1 Service and choose Properties. The Properties dialog box opens.

11. Click the Delegation tab.



Question 5: What is delegation used for?
Answer: It delegates permissions of another user and lets the service run as that user.

12. To allow this account to be delegated for a service, click the Trust this user for
delegation to any service (Kerberos only) option.

13. Click OK to close the Properties dialog box.

Close any open windows.
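The SPN registration and delegation setting of Exercise 4.4 applied from PowerShell, with the uniqueness check and delegation audit a practitioner would add. This is an added example, not code from the lab manual; it assumes the lab's App1Service account and http/portal.adatum.com:443 SPN, and the constrained-delegation target cifs/LON-SVR1.adatum.com is a hypothetical choice for illustration.

```powershell
# Added example (not from the lab manual): Exercise 4.4 with checks.
Import-Module ActiveDirectory

$spn = 'http/portal.adatum.com:443'

# An SPN must be unique in the forest. If two accounts hold it, the KDC cannot tell
# which key to use and Kerberos authentication to that service fails. Check first.
$holders = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)"
if ($holders) {
    throw "SPN $spn is already registered on: $($holders.DistinguishedName -join ', ')"
}
# Equivalent of adding the value in ADSI Edit (step 6 of the lab).
Set-ADUser -Identity App1Service -ServicePrincipalNames @{Add = $spn}

# Step 12 of the lab ("Trust this user for delegation to any service (Kerberos only)")
# is unconstrained delegation: the service receives a forwarded copy of each caller's
# TGT and can act as that user against any service. For a lab that is fine; in
# production prefer constrained delegation, which lists exactly which services the
# account may impersonate users to. Both forms are shown so the difference is visible.

# Unconstrained (what the lab configures):
Set-ADAccountControl -Identity App1Service -TrustedForDelegation $true

# Constrained, Kerberos only (hardened alternative; replaces the flag above):
Set-ADAccountControl -Identity App1Service -TrustedForDelegation $false
Set-ADUser -Identity App1Service -Add @{'msDS-AllowedToDelegateTo' = 'cifs/LON-SVR1.adatum.com'}

# Audit: every user and computer trusted for unconstrained delegation. Domain
# controllers appear here by design; anything else should be justified and reviewed.
$unconstrained = @(Get-ADUser     -Filter 'TrustedForDelegation -eq $true') +
                 @(Get-ADComputer -Filter 'TrustedForDelegation -eq $true')
$unconstrained | Select-Object Name, ObjectClass, DistinguishedName
```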

Lab Challenge Configuring a Domain Password and Lockout Policy

Overview In this lab challenge, you will define a domain-level password
policy, including configuring minimum password length and
password history.
Mindset You can define account policies only for domain users at the domain
level, which include the password policy, the account lockout policy,
and the Kerberos policy. Because most organizations have only one
domain, you can set only one account policy.
Completion time 10 minutes

1. On LON-DC1, in Server Manager, click Tools > Group Policy Management. The
Group Policy Management console opens.

2. Navigate to and click Default Domain Policy. In the Group Policy Management
Console dialog box, click OK.

3. Right-click the Default Domain Policy and choose Edit.

4. The Group Policy Management Editor opens (as shown in Figure 4-7).

Figure 4-7
The Default Domain Policy

5. In the left window pane, expand the Computer Configuration node, expand the
Policies node, expand the Windows Settings folder, and then expand the Security
Settings node. In the Security Settings node, expand Account Policies and select
Password Policy.

Question 6: What is the maximum password age?
Answer: 42 Days

Question 7: What is the minimum password length?
Answer: 7 Characters

Question 8: How do enforce password history and minimum password age work together to keep a network environment secure?
Answer: It makes sure that your password is long enough for security and ensures that you change your password on a regular basis and forces you to do that.

6. Double-click Minimum password length. In the Minimum password length Properties
dialog box, change the value from 7 to 8 characters. Click OK to close the Minimum
password length Properties dialog box.

7. Double-click Password must meet complexity requirements.

8. In the Password must meet complexity requirements Properties dialog box, click the
Explain tab.

Question 9: What are the requirements for a complex password?
Answer:

9. Close the Password must meet complexity requirements Properties dialog box by
clicking OK.

10. Take a screen shot of the Group Policy Management Editor window by pressing
Alt+PrtScr and then paste it into your Lab04_worksheet file in the page provided by
pressing Ctrl+V.

11. On LON-DC1, using Default Domain Policy Group Policy Management Editor console,
under Account Policies, click Account Lockout Policy.

Question 10: How are the account lockout settings currently set?
Answer: 1 is currently set; the other 2 are not defined

12. Double-click Account lockout duration. In the Account lockout duration Properties
dialog box, click to enable the Define this policy setting.

Question 11: What is the default value for the Account lockout duration?
Answer: It's not defined

13. Click OK to close the Account lockout duration Properties dialog box. In the Suggested
Value Changes dialog box, answer the following question and then click OK.

Question 12: How many invalid logon attempts can be made that will cause an account to be locked?
Answer: The setting is not enabled, so 0

14. Take a screen shot of the Account Lockout Policy window by pressing Alt+PrtScr and
then paste it into your Lab04_worksheet file in the page provided by pressing Ctrl+V.

15. Close the Group Policy Management Editor window for the Default Domain Policy.

16. Close the Group Policy Management console.
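A way to read back and verify the domain password and lockout policy the Lab Challenge edits, using the Active Directory module. This is an added example, not part of the lab manual; it assumes the lab's adatum.com domain and the fresh-domain defaults the lab questions report (42-day maximum age, 7-character minimum raised to 8, lockout threshold 0).

```powershell
# Added example (not from the lab manual): verify the Default Domain Policy result.
Import-Module ActiveDirectory

# These values are what the Default Domain Policy GPO writes onto the domain object.
# The GPO stays authoritative: settings it defines are re-applied on refresh, so make
# durable changes in the GPO (as the lab does) and use this cmdlet to verify them.
$policy = Get-ADDefaultDomainPasswordPolicy -Identity adatum.com
$policy | Format-List MinPasswordLength, ComplexityEnabled, MaxPasswordAge,
    MinPasswordAge, PasswordHistoryCount, LockoutThreshold,
    LockoutDuration, LockoutObservationWindow

# Expected state after the lab: defaults plus the minimum length raised from 7 to 8.
# History (24) and minimum age (1 day) work as a pair: without a minimum age a user
# could change the password 24 times in a row and land back on the old one.
$expected = @{
    MinPasswordLength    = 8
    ComplexityEnabled    = $true
    PasswordHistoryCount = 24
    MinPasswordAge       = [TimeSpan]'1.00:00:00'
    MaxPasswordAge       = [TimeSpan]'42.00:00:00'
}
foreach ($name in $expected.Keys) {
    if ($policy.$name -ne $expected[$name]) {
        Write-Warning "$name is $($policy.$name); expected $($expected[$name])"
    }
}

# Lockout threshold 0 (the lab's Question 12) means accounts are never locked, so
# online password guessing is only slowed by logging, not stopped. Flag it.
if ($policy.LockoutThreshold -eq 0) {
    Write-Warning 'LockoutThreshold is 0: define Account Lockout Policy in the GPO'
}
```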

End of lab.
