Microsoft 70-411 Exam – Q96

Your network contains an Active Directory domain named All domain controllers run Windows Server 2008 R2. The domain contains three servers that run Windows Server 2012 R2. The servers are configured as shown in the following table.

Server1 and Server2 are configured in a Network Load Balancing (NLB) cluster. The NLB cluster hosts a website named Web1 that uses an application pool named App1. Web1 uses a database named DB1 as its data store.

You create an account named User1. You configure User1 as the identity of App1. You need to ensure that domain users accessing Web1 connect to DB1 by using their own credentials.

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Configure the delegation settings of Server3.
B. Create a Service Principal Name (SPN) for User1.
C. Configure the delegation settings of User1.
D. Create a matching Service Principal Name (SPN) for Server1 and Server2.
E. Configure the delegation settings of Server1 and Server2.

Correct Answer: B, E


Service principal names are associated with the security principal (user or group) in whose security context the service executes. SPNs are used to support mutual authentication between a client application and a service. An SPN is assembled from information that a client knows about a service, or that it obtains from a trusted third party such as Active Directory. A service principal name is associated with an account, and an account can have many service principal names.

The identity of an application pool is the name of the service account under which the application pool’s worker process runs. By default, application pools operate under the Network Service user account, which has low-level user rights.

You can also configure a custom account to serve as an application pool’s identity. Any custom account you choose should have only the minimum rights that your application requires. A custom account is useful in the following situations:

• When you want to improve security and make it easier to trace security events to the corresponding application.

• When you are hosting Web sites for multiple customers on a single Web server. If you use the same process account for multiple customers, source code from one customer’s application may be able to access source code from another customer’s application. In this case, you should also configure a custom account for the anonymous user account.

• When an application requires rights or permissions in addition to the default permissions for an application pool. In this case, you can create an application pool and assign a custom identity to the new application pool.
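As an added example (not from the exam or from Microsoft), the following script carries out answers B and E with the ActiveDirectory module and then verifies the result; it assumes a domain named contoso.com, an NLB cluster name of web1.contoso.com, and DB1 hosted by SQL Server on Server3 on port 1433, none of which the question states. The SPN goes on User1 because both NLB hosts answer for the same cluster name, so the HTTP SPN can be registered on only one account, and that must be the account whose worker process decrypts the service ticket.

```powershell
# Added example: register the Web1 SPN on the App1 identity account (B) and
# configure constrained delegation on the NLB hosts (E).
# Placeholders assumed, not given by the question: domain, cluster name, SQL host/port.
Import-Module ActiveDirectory

$Domain   = 'contoso.com'
$PoolUser = 'User1'
$WebSpns  = @("HTTP/web1.$Domain", 'HTTP/web1')    # FQDN and short name clients may use
$SqlSpn   = "MSSQLSvc/server3.${Domain}:1433"      # SPN of the SQL service holding DB1
$NlbHosts = @('Server1', 'Server2')

# B: a duplicate SPN anywhere in the domain breaks Kerberos for Web1 (clients fall
# back to NTLM, and delegation silently stops working), so check before adding.
foreach ($spn in $WebSpns) {
    $other = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName |
             Where-Object { $_.sAMAccountName -ne $PoolUser }
    if ($other) {
        throw "SPN $spn is already registered on $($other.DistinguishedName)"
    }
    Set-ADUser -Identity $PoolUser -ServicePrincipalNames @{Add = $spn}
}

# E: let the NLB hosts delegate only to the SQL service on Server3, Kerberos only
# (no protocol transition), so DB1 sees each user's own identity and nothing more.
foreach ($h in $NlbHosts) {
    Set-ADComputer -Identity $h -Add @{'msDS-AllowedToDelegateTo' = $SqlSpn}
    Set-ADAccountControl -Identity ($h + '$') -TrustedToAuthForDelegation $false
}

# Verify: User1 holds the HTTP SPNs, each host delegates only to the SQL SPN.
Get-ADUser -Identity $PoolUser -Properties servicePrincipalName |
    Select-Object -ExpandProperty servicePrincipalName
foreach ($h in $NlbHosts) {
    Get-ADComputer -Identity $h -Properties 'msDS-AllowedToDelegateTo' |
        Select-Object Name, 'msDS-AllowedToDelegateTo'
}
```

Run it from an account that can write to User1 and to the Server1/Server2 computer objects; after a change in delegation settings, restart the application pool so the worker process picks up a fresh ticket.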