Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012. The domain contains two servers. The
servers are configured as shown in the following table.
Server1 and Server2 host a load-balanced website named Web1. Web1 runs by using an application pool named WebApp1. WebApp1 uses a group Managed
Service Account named gMSA1 as its identity. Domain users connect to Web1 by using either the name web1.contoso.com or the alias myweb.contoso.com. You
discover the following:
* When the users access Web1 by using web1.contoso.com, they authenticate by using Kerberos.
* When the users access Web1 by using myweb.contoso.com, they authenticate by using NTLM.
You need to ensure that the users can authenticate by using Kerberos when they connect by using myweb.contoso.com. What should you do?
A. Modify the properties of the WebApp1 application pool.
B. Run the Add-ADComputerServiceAccount cmdlet.
C. Modify the properties of the Web1 website.
D. Modify the properties of the gMSA1 service account.
My thinking is that the gMSA was not added to both servers, so we need to run Add-ADComputerServiceAccount to add it to both servers?
I believe D is the correct answer.
The SPNs can be set on the MSA properties.
https://technet.microsoft.com/en-us/library/jj128431(v=ws.11).aspx
When a client computer connects to a service which is hosted on a server farm using network load balancing (NLB) or some other method where all the servers appear to be the same service to the client, then authentication protocols supporting mutual authentication such as Kerberos cannot be used unless all the instances of the services use the same principal. This means that each service has to use the same passwords/keys to prove their identity.
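One way to carry out option D in PowerShell, as an added example that is not part of the original post: it registers the HTTP SPNs for the myweb.contoso.com alias on gMSA1 after checking that no other account already holds them (a duplicate SPN breaks Kerberos just as surely as a missing one). It assumes the RSAT ActiveDirectory module is installed and that you have rights to modify the gMSA.

```powershell
# Added example (not from the original post): register the HTTP SPNs for the
# myweb.contoso.com alias on the gMSA that is the identity of the WebApp1 pool.
# With the SPN on the shared gMSA, both Server1 and Server2 (the NLB farm) can
# decrypt tickets issued for myweb.contoso.com, so clients fall back to NTLM no more.
Import-Module ActiveDirectory

$account = 'gMSA1'
$spns    = @('HTTP/myweb.contoso.com', 'HTTP/myweb')   # FQDN and short name

# Read what the gMSA has today; the web1 SPNs are expected to be present already.
$gmsa = Get-ADServiceAccount -Identity $account -Properties ServicePrincipalNames
"Current SPNs on ${account}:"
$gmsa.ServicePrincipalNames

foreach ($spn in $spns) {
    # An SPN must map to exactly one principal. If another account already
    # holds it the KDC cannot issue a usable ticket, so stop instead of adding a duplicate.
    $holder = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName
    if ($holder -and $holder.DistinguishedName -ne $gmsa.DistinguishedName) {
        throw "SPN $spn is already registered on $($holder.DistinguishedName)"
    }
    if ($gmsa.ServicePrincipalNames -contains $spn) {
        "SPN $spn is already on $account; nothing to do"
        continue
    }
    # The hashtable form adds without replacing the existing SPNs.
    Set-ADServiceAccount -Identity $account -ServicePrincipalNames @{Add = $spn}
    "Added $spn to $account"
}

# Re-read and confirm the final list.
"SPNs on $account after the change:"
(Get-ADServiceAccount -Identity $account -Properties ServicePrincipalNames).ServicePrincipalNames
```

To confirm from a client afterwards, run `klist purge`, open http://myweb.contoso.com, and check that `klist` now lists a ticket for HTTP/myweb.contoso.com.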