70-742 Identity with Windows Server 2016

LAB 4 CONFIGURING SERVICE AUTHENTICATION AND ACCOUNT POLICIES

THIS LAB CONTAINS THE FOLLOWING EXERCISES AND ACTIVITIES:
Exercise 4.1 Configuring Kerberos Policy Settings
Exercise 4.2 Creating a Service Account
Exercise 4.3 Creating a Managed Service Account
Exercise 4.4 Configuring Kerberos and Kerberos Delegation
Lab Challenge Configuring a Domain Password and Lockout Policy

BEFORE YOU BEGIN
The lab environment consists of student workstations connected to a local area network, along with a server that functions as the domain controller for a domain called adatum.com. The computers required for this lab are listed in Table 4-1.

Table 4-1 Computers required for Lab 4
Computer        Operating System       Computer Name
Server (VM 1)   Windows Server 2016    LON-DC1
Server (VM 2)   Windows Server 2016    LON-SVR1

In addition to the computers, you will also require the software listed in Table 4-2 to complete Lab 4.

Table 4-2 Software required for Lab 4
Software                  Location
Lab 4 student worksheet   Lab04_worksheet.docx (provided by instructor)

Working with Lab Worksheets
Each lab in this manual requires that you answer questions, take screen shots, and perform other activities that you will document in a worksheet named for the lab, such as Lab04_worksheet.docx. You will find these worksheets on the book companion site. It is recommended that you use a USB flash drive to store your worksheets, so you can submit them to your instructor for review. As you perform the exercises in each lab, open the appropriate worksheet file using Word, fill in the required information, and then save the file to your flash drive.
SCENARIO
After completing this lab, you will be able to:
Configure Kerberos policy settings
Create a service account
Create a managed service account
Configure Kerberos and Kerberos Delegation
Configure a domain password and lockout policy

Estimated lab time: 75 minutes

Exercise 4.1 Configuring Kerberos Policy Settings
Overview: In this exercise, you will configure Kerberos Policy settings using the Default Domain Policy.
Mindset: Kerberos is the default authentication mechanism in an Active Directory Domain Services (AD DS) environment and plays a critical role in authorization and auditing. Because the Kerberos policy governs the ticket lifetimes and clock tolerance that every domain controller enforces, it belongs to the Account Policies, which for domain accounts take effect only from a GPO linked at the domain level (by default, the Default Domain Policy).
Completion time: 10 minutes

1. Log on to LON-DC1 as adatum\administrator with the password Pa$$w0rd.
2. On LON-DC1, in Server Manager, click Tools > Group Policy Management.
3. In the Group Policy Management console, expand Forest: Adatum.com, expand Domains, and then expand the Adatum.com node. Click Default Domain Policy and, in the Group Policy Management Console information box, click OK to close it. The Group Policy Management Console displays (see Figure 4-1).
Figure 4-1 The Group Policy Management Console
4. Right-click Default Domain Policy and choose Edit. The Group Policy Management Editor opens, as shown in Figure 4-2.
Figure 4-2 The Group Policy Management Editor
5. In the left pane, expand the Computer Configuration node, expand the Policies node, and then expand the Windows Settings node. Expand the Security Settings node, expand Account Policies, and then select Kerberos Policy.
Question 1: What is the maximum tolerance for computer clock synchronization?
6. Double-click Maximum tolerance for computer clock synchronization.
7. In the Maximum tolerance for computer clock synchronization dialog box, change the maximum tolerance to 4 minutes. Click OK.
8. Double-click Maximum lifetime for user ticket.
9.
In the Maximum lifetime for user ticket Properties dialog box, change the time to 8 hours. Click OK.
10. In the Suggested Value Changes dialog box, click OK.
11. Take a screen shot of Group Policy Management Editor by pressing Alt+PrtScr and then paste it into your Lab04_worksheet file in the page provided by pressing Ctrl+V.
[copy screen shot over this text]
12. Close Group Policy Management Editor. Remain logged on to LON-DC1 for the next exercise.

Exercise 4.2 Creating a Service Account
Overview: In this exercise, you will create a traditional service account and then configure a service to run under it.
Mindset: A service account is an account under which an operating system, process, or service runs. A service account can be granted exactly the rights and permissions the application or service needs to function, so that the service does not run with more privilege than necessary and the users of the application server do not need those permissions themselves. Service accounts are used to run Microsoft Exchange, Microsoft SQL Server, Internet Information Services (IIS), and SharePoint. A traditional service account is an ordinary user object whose password an administrator sets, stores, and rotates by hand; in this exercise the password is set to never expire, which is convenient in a lab but means the account keeps the same password indefinitely unless someone changes it.
Completion time: 15 minutes

1. On LON-DC1, in Server Manager, click Tools > Active Directory Users and Computers.
2. In the console tree, expand the adatum.com node, if needed.
3. Right-click Adatum.com and choose New > Organizational Unit. The New Object - Organizational Unit dialog box opens.
4. In the Name text box, type Service Accounts and then click OK.
5. Right-click the Service Accounts organizational unit and choose New > User. The New Object - User wizard starts.
6. In the First name text box, type App1. In the Last name text box, type Service. In the User logon name text box, type App1Service. Click Next. The password options appear.
7. In the Password text box and the Confirm password text box, type Pa$$w0rd. Select the Password never expires option. When a message indicates that the password will never expire and that the user will not be required to change the password at next logon, click OK.
8. Click Next.
9.
Click Finish to complete creating the service account.
10. Take a screen shot of Active Directory Users and Computers showing the Service Accounts OU by pressing Alt+PrtScr and then paste it into your Lab04_worksheet file in the page provided by pressing Ctrl+V.
[copy screen shot over this text]
11. Log on to LON-SVR1 as adatum\administrator with the password Pa$$w0rd.
12. In Server Manager, click Tools > Services. The Services console opens, as shown in Figure 4-3.
Figure 4-3 The Services console
13. Scroll down and double-click the SNMP Trap service. The SNMP Trap Properties dialog box opens.
14. Click the Log On tab.
15. Select This account and then, in the text box, type adatum\app1service.
16. In the Password text box and the Confirm password text box, type Pa$$w0rd.
17. Click OK.
18. When a message indicates that the account has been granted the Log On As A Service right, click OK.
Question 2: What must be done in order for the service to use the specified service account?
19. Right-click the SNMP Trap service and choose Start.
20. Take a screen shot of the Services console by pressing Alt+PrtScr and then paste it into your Lab04_worksheet file in the page provided by pressing Ctrl+V.
[copy screen shot over this text]
Close the Services console.

Exercise 4.3 Creating a Managed Service Account
Overview: In this exercise, you will create and deploy a Managed Service Account (MSA). Because the account is created with the PrincipalsAllowedToRetrieveManagedPassword parameter, it is a group Managed Service Account (gMSA), whose password can be retrieved by every computer in an authorized group.
Mindset: Rather than manually changing the account password in Active Directory and then updating the same password in the service or application, you can use an MSA, whose password is generated by the domain controllers and changed automatically on a regular basis (every 30 days by default). The password is never typed in or known to an administrator; the host retrieves it from AD DS when the service starts.
Completion time: 25 minutes

1. On LON-DC1, in Active Directory Users and Computers, right-click the Computers container and choose New > Group. For the Group name, type ServerGroup.
2. Answer the following question and then click OK.
Question 3: Which group scope and group type were selected?
3. In the Computers container, right-click ServerGroup and choose Properties.
4.
In the Properties dialog box, click the Members tab and then click Add.
5. Click Object Types, select Computers, and then click OK.
6. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select text box, type LON-SVR1 and then click OK.
7. Click OK to close the ServerGroup Properties dialog box.
8. On LON-DC1, in Server Manager, click Tools > Active Directory Module for Windows PowerShell. The Active Directory Module for Windows PowerShell opens.
9. To create a Key Distribution Service (KDS) root key for the domain, execute the following command in PowerShell:
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
Take Note: There is no space between AddHours and the opening parenthesis. Setting the effective time 10 hours in the past is a lab shortcut for a domain with a single domain controller: it skips the 10-hour delay that normally gives the key time to replicate to every domain controller before it is used. In a production domain with several domain controllers, use Add-KdsRootKey -EffectiveImmediately and wait the 10 hours before creating managed service accounts.
10. Take a screen shot of the Active Directory Module for Windows PowerShell window by pressing Alt+PrtScr and then paste it into your Lab04_worksheet file in the page provided by pressing Ctrl+V.
[copy screen shot over this text]
11. To create the managed service account in AD DS, execute the following command:
New-ADServiceAccount -Name App2Service -DNSHostName LON-DC1.adatum.com -PrincipalsAllowedToRetrieveManagedPassword ServerGroup
12. In Active Directory Users and Computers, under Adatum.com, click the Managed Service Accounts container and then take a screen shot of the new service account by pressing Alt+PrtScr and then paste it into your Lab04_worksheet file in the page provided by pressing Ctrl+V.
[copy screen shot over this text]
13. To associate the MSA with a computer account, in the Administrator: Active Directory Module for Windows PowerShell window, execute the following command:
Add-ADComputerServiceAccount -Identity LON-SVR1 -ServiceAccount App2Service
14. On LON-SVR1, in Server Manager, click Manage > Add Roles and Features.
15. In the Add Roles and Features Wizard, click Next.
16. On the Installation Type page, click Next.
17. On the Server Selection page, click Next.
18. Click Active Directory Domain Services.
If you are prompted to confirm that you want to add features, click Add Features. Then click Next. (The role binaries are added here only so that the Active Directory module for Windows PowerShell becomes available on LON-SVR1; the server is not promoted to a domain controller. Adding the Remote Server Administration Tools feature Active Directory module for Windows PowerShell alone would also provide it.)
19. On the Select features page, click Next.
20. On the AD DS page, click Next.
21. On the Confirmation page, click Install.
22. When the installation is complete, click Close.
23. On LON-SVR1, in Server Manager, click Tools > Active Directory Module for Windows PowerShell.
24. In Windows PowerShell, execute the following command to link the managed service account to the LON-SVR1 computer account from the member server as well:
Add-ADComputerServiceAccount -Identity LON-SVR1 -ServiceAccount App2Service
25. On LON-SVR1, in Server Manager, click Tools > Services. The Services console opens.
26. Double-click the SNMP Trap service. The SNMP Trap Properties dialog box opens.
27. Click the Log On tab.
28. Select This account and then type adatum\app2service$.
Question 4: Why is $ used?
29. Clear the Password text box and the Confirm password text box; the host retrieves the managed password from AD DS itself, so no password is entered here.
30. Click OK.
31. When a message indicates that the account has been granted the Log On As A Service right, click OK. When a second message indicates that the new logon name will not take effect until you stop and restart the service, click OK.
32. Take a screen shot of the Services console showing the SNMP Trap service by pressing Alt+PrtScr and then paste it into your Lab04_worksheet file in the page provided by pressing Ctrl+V.
[copy screen shot over this text]
Close all windows, but remain logged on to LON-DC1 and LON-SVR1.

Exercise 4.4 Configuring Kerberos and Kerberos Delegation
Overview: In this exercise, you will create a Service Principal Name (SPN) for an account and then configure Kerberos Delegation.
Mindset: An SPN is the name by which a client uniquely identifies an instance of a service. The client requests a service ticket for the SPN; the KDC looks up the account on which that SPN is registered and encrypts the ticket with that account's key, which is why an SPN must be registered on exactly one account. An SPN consists of the following components:
1. The service class, such as HTTP (which covers both the HTTP and HTTPS protocols) or MSSQLSvc for SQL Server.
2. The host name, as the client will address it (a fully qualified DNS name or an alias).
3. An optional port, included when the service does not listen on the default port for its class (for HTTP, port 80).
Completion time: 10 minutes

1. On LON-DC1, in Server Manager, click Tools > ADSI Edit.
The ADSI Edit console opens.
2. Right-click ADSI Edit in the console tree and choose Connect To. In the Connection Settings dialog box (see Figure 4-4), click OK.
Figure 4-4 Viewing the connection settings
3. Double-click Default naming context in the console tree, expand DC=Adatum,DC=com, and then double-click OU=Service Accounts.
4. In the details pane, right-click CN=App1 Service and choose Properties. The CN=App1 Service Properties dialog box opens, as shown in Figure 4-5.
Figure 4-5 Editing the properties of a user
5. In the Attributes list, double-click servicePrincipalName to display the Multi-valued String Editor dialog box, as shown in Figure 4-6.
Figure 4-6 Modifying the servicePrincipalName
6. In the Value to add field, type http/portal.adatum.com:443 and then click Add.
7. Take a screen shot of the ADSI Edit window showing the Multi-valued String Editor dialog box by pressing Alt+PrtScr and then paste it into your Lab04_worksheet file in the page provided by pressing Ctrl+V.
[copy screen shot over this text]
8. Click OK twice.
9. In Active Directory Users and Computers, navigate to and click the Service Accounts organizational unit.
10. Right-click App1 Service and choose Properties. The Properties dialog box opens.
11. Click the Delegation tab. (The Delegation tab is shown only for accounts that have at least one SPN registered, which is why the SPN was added first.)
Question 5: What is delegation used for?
12. To allow this account to be delegated for a service, click the Trust this user for delegation to any service (Kerberos only) option. This is unconstrained delegation: a service running as this account can use the forwarded Kerberos credentials of any user who authenticates to it against any other service in the domain, and an attacker who compromises the account inherits that power. Outside a lab, prefer Trust this user for delegation to specified services only (constrained delegation), which limits impersonation to the listed SPNs.
13. Click OK to close the Properties dialog box. Close any open windows.

Lab Challenge Configuring a Domain Password and Lockout Policy
Overview: In this lab challenge, you will define a domain-level password policy, including the minimum password length and the password history.
Mindset: The account policies for domain users, which include the password policy, the account lockout policy, and the Kerberos policy, take effect only when they are defined in a GPO linked at the domain level. The Default Domain Policy therefore defines one set of account policies for the whole domain; where particular users need stricter settings, a fine-grained password policy (a Password Settings Object) can be applied to specific users or global security groups without creating another domain.
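The following PowerShell script is an added example, not part of the lab manual, that checks the outcome of Exercise 4.1 and lists the effective account policies discussed in the Lab Challenge mindset. It assumes an elevated Active Directory Module for Windows PowerShell session on LON-DC1, where the GroupPolicy module is also installed, and that the expected Kerberos values are the ones the lab sets (4 minutes and 8 hours).

```powershell
# Added example, not part of the lab. Assumes an elevated PowerShell session on
# LON-DC1 with the GroupPolicy and ActiveDirectory modules installed.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Values the lab sets in Exercise 4.1. Windows defaults are 5 minutes and 10 hours.
$expectedKerberos = [ordered]@{
    MaxClockSkew = 4    # Maximum tolerance for computer clock synchronization (minutes)
    MaxTicketAge = 8    # Maximum lifetime for user ticket (hours)
}

function Get-KerberosPolicyFromGpo {
    param([string]$GpoName = 'Default Domain Policy')
    # The XML report lists Account Policies as <Account> elements under the
    # security-settings extension, each with Name, SettingNumber and Type
    # (Password, Account Lockout or Kerberos).
    [xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
    $report.GPO.Computer.ExtensionData.Extension |
        ForEach-Object { $_.Account } |
        Where-Object { $_ -and $_.Type -eq 'Kerberos' }
}

$kerberos = Get-KerberosPolicyFromGpo
foreach ($name in $expectedKerberos.Keys) {
    $setting = $kerberos | Where-Object { $_.Name -eq $name }
    $actual  = if ($setting) { [int]$setting.SettingNumber } else { $null }
    $status  = if ($actual -eq $expectedKerberos[$name]) { 'OK' } else { 'MISMATCH' }
    '{0,-13} expected {1,3}  in GPO {2,3}  {3}' -f $name, $expectedKerberos[$name], $actual, $status
}

# Password and lockout policy as the domain actually enforces it. A value edited in
# the GPO appears here only after the domain controller has applied the policy.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge, ComplexityEnabled,
                  LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Fine-grained password policies (PSOs) override the domain policy for the users
# and groups they apply to; the lowest Precedence wins when several apply.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, PasswordHistoryCount,
                  LockoutThreshold, AppliesTo
```

Run it after step 12 of Exercise 4.1 and again after the Lab Challenge. A MISMATCH line means the edit was not saved in the Default Domain Policy (or a different GPO linked at the domain level with higher precedence overrides it); an unexpected value from Get-ADDefaultDomainPasswordPolicy usually means the domain controller has not yet applied the updated GPO.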
Completion time: 10 minutes

1. On LON-DC1, in Server Manager, click Tools > Group Policy Management. The Group Policy Management console opens.
2. Navigate to and click Default Domain Policy. In the Group Policy Management Console dialog box, click OK.
3. Right-click the Defau
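The following PowerShell script is an added example, not part of the lab manual, that verifies the managed service account from Exercise 4.3 and reviews the SPN and delegation settings from Exercise 4.4. It assumes the objects the lab creates (the App2Service gMSA, the ServerGroup group, the LON-SVR1 computer and the App1 Service user in the Service Accounts OU) exist in adatum.com and that it runs in the Active Directory Module for Windows PowerShell on LON-DC1; the two commands shown in a comment are meant to be run on LON-SVR1.

```powershell
# Added example, not part of the lab. Assumes the objects created in Exercises
# 4.2 to 4.4 exist in adatum.com and that this runs on LON-DC1.
Import-Module ActiveDirectory

# --- Exercise 4.3: the KDS root key must exist and already be effective, otherwise
# New-ADServiceAccount fails because no key is available to derive the password.
$now  = Get-Date
$keys = @(Get-KdsRootKey)
if ($keys.Count -eq 0) {
    Write-Warning 'No KDS root key in this forest; run Add-KdsRootKey first.'
}
$keys | Select-Object KeyId, CreationTime, EffectiveTime,
    @{ n = 'UsableNow'; e = { $_.EffectiveTime -le $now } }

# --- Which principals may retrieve the gMSA password, and is LON-SVR1 one of them?
$gmsa = Get-ADServiceAccount -Identity App2Service `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, DNSHostName, ManagedPasswordIntervalInDays
$gmsa | Select-Object Name, ObjectClass, DNSHostName, ManagedPasswordIntervalInDays,
    PrincipalsAllowedToRetrieveManagedPassword

$server   = Get-ADComputer -Identity LON-SVR1
$canFetch = $false
foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
    $principal = Get-ADObject -Identity $dn
    if ($principal.ObjectClass -eq 'group') {
        # Recursive membership: the host's Kerberos ticket carries nested group SIDs too.
        $members = Get-ADGroupMember -Identity $dn -Recursive
        if ($members | Where-Object { $_.DistinguishedName -eq $server.DistinguishedName }) {
            $canFetch = $true
        }
    } elseif ($principal.DistinguishedName -eq $server.DistinguishedName) {
        $canFetch = $true
    }
}
"LON-SVR1 authorized to retrieve the App2Service password: $canFetch"

# On LON-SVR1, after a reboot (its ticket must include the ServerGroup membership),
# install the account locally and confirm the host can actually fetch the password:
#   Install-ADServiceAccount -Identity App2Service
#   Test-ADServiceAccount    -Identity App2Service   # True when retrieval works

# --- Exercise 4.4: every user account that has an SPN, with its delegation setting.
# A user account with an SPN is a Kerberos service: any domain user can request a
# service ticket encrypted with a key derived from that account's password, so a
# static, never-expiring password on such an account is the weak point to look for.
Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalNames, TrustedForDelegation, TrustedToAuthForDelegation,
                'msDS-AllowedToDelegateTo', PasswordNeverExpires, PasswordLastSet |
    Select-Object SamAccountName, PasswordNeverExpires, PasswordLastSet,
        @{ n = 'SPNs'; e = { $_.ServicePrincipalNames -join '; ' } },
        @{ n = 'Delegation'; e = {
            if ($_.TrustedForDelegation)           { 'Unconstrained (any service)' }
            elseif ($_.'msDS-AllowedToDelegateTo') { 'Constrained: ' + ($_.'msDS-AllowedToDelegateTo' -join '; ') }
            else                                   { 'None' } } } |
    Format-Table -AutoSize
```

After the lab, the last table should list App1Service with the SPN http/portal.adatum.com:443, PasswordNeverExpires set to True and Delegation reported as Unconstrained; the gMSA App2Service does not appear in it because it is a computer-like object rather than a user. The contrast between the two rows of output is the point of Exercises 4.2 and 4.3: the gMSA has a machine-generated password that rotates on the interval shown, while the traditional account keeps whatever password an administrator typed.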
