Plan Requirements for AD Federation Services – Lesson 5.1

References

 

Mock Exam Samples

Office 365 is a cloud-based service used by small to large organizations. Security is important, and Office 365 provides multi-factor authentication for logon accounts to add extra security when users log in to the system. What is considered a second factor of authentication? Choose the best option(s) from those listed below.

A: Notification by app

B: Cell phone call asking to press the pound (#) sign

C: Office phone call asking to enter a 6-digit code

D: Text code received on a mobile phone

 

Explanation: When a user enrolls for multi-factor authentication in Office 365, they are required to select their second factor of authentication the next time they sign in to Office 365. There are different options they can choose from, including receiving a call on their cell phone or office phone. This prompts them to press the pound key, which then logs them on to the system. They may receive a text code on their cell phone that they can enter on the portal to log in. In addition, they can install an app on their mobile phone and receive either a notification or a code that allows them to log in.

Correct Option(s):

  • A: Notification by app
  • B: Cell phone call asking to press the pound (#) sign
  • D: Text code received on a mobile phone

Incorrect Option(s):

C: Office phone call asking to enter a 6-digit code – When users choose to receive a call to their office phone, they are required to hit the pound key to be logged in to the system. Users are not asked to enter a 6-digit code.

The AD FS service is going to be configured with the name ADFS.tailspintoys.com. Which of the following names must be present in the Service Communications Certificate’s list of Subject Alternative Names? (Choose two.)

A. Enterpriseregistration.tailspintoys.com

B. Singlesignon.tailspintoys.com

C. Office365.tailspintoys.com

D. Adfs.tailspintoys.com

Correct answer: D & A

A. Correct: The Service Communications Certificate’s Subject Alternative Name must contain the value enterpriseregistration and the UPN suffix of the organization.

B. Incorrect: The Service Communications Certificate’s Subject Alternative Name does not need to contain the name Singlesignon.

C. Incorrect: The Service Communications Certificate’s Subject Alternative Name does not need to contain the name Office365.

D. Correct: The Service Communications Certificate’s Subject Alternative Name must include the federation service name.

The AD FS service is going to be configured with the name ADFS.tailspintoys.com. Which of the following IP addresses must this name be resolvable to for hosts on the Internet?

A. The IP address of the organization’s DNS server.

B. The IP address of the AD FS server.

C. The public IP address of the Web Application Proxy server.

D. The IP address of the Office 365 server.

Correct Answer: C

C. Correct: The name of the AD FS service must resolve to the public IP address of the Web Application Proxy server.

There will be three servers in the AD FS farm at Tailspin Toys. The primary AD FS server will have the name adfs1.tailspintoys.com. The second server in the farm will have the name adfs2.tailspintoys.com. The third server in the farm will have the name adfs3.tailspintoys.com. The Web Application Proxy server will have the name wap1.tailspintoys.com. The AD FS service will have the name adfssvc.tailspintoys.com. What should the Service Communication Certificate’s Subject Name be?

A. Adfs2.tailspintoys.com

B. Wap1.tailspintoys.com

C. Adfs1.tailspintoys.com

D. Adfssvc.tailspintoys.com

Correct answer: D

D. Correct: The subject name of the Service Communications Certificate should be the AD FS service name, which is Adfssvc.tailspintoys.com. The Service Communications Certificate must be requested on the server that will host the AD FS role.

Which computer account certificate store should the Service Communications Certificate be located in for a computer that will function as an AD FS server?

A. Enterprise Trust

B. Personal

C. Trusted Publishers

D. Trusted Root Certification Authorities

Correct answer: B

B. Correct: The Service Communications Certificate must be located in the Personal certificate store of a computer that will function as an AD FS server.
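The four certificate and DNS questions above boil down to a short checklist: the Service Communications Certificate's subject is the federation service name (not a farm member's hostname), its SAN list carries that service name plus enterpriseregistration.&lt;UPN suffix&gt;, it sits in the computer's Personal store, and from the Internet the service name resolves to the Web Application Proxy's public address. The following is an added example, not code from the original page or from Microsoft, that checks a planned deployment against that list. The certificate dictionaries, the WAP address 192.0.2.10 and the DNS answers are constructed sample inputs for the Tailspin Toys scenario; how you export the real subject, SAN list and store from a Windows host is up to you.

```python
import ipaddress

# Constructed planning inputs for the Tailspin Toys scenario on this page.
SERVICE_NAME = "adfssvc.tailspintoys.com"
UPN_SUFFIXES = ["tailspintoys.com"]
WAP_PUBLIC_IP = "192.0.2.10"   # constructed public address of wap1 (documentation range)

# Constructed descriptions of a Service Communications Certificate as an admin
# might export it: subject, SAN list and the computer store it was placed in.
GOOD_CERT = {
    "subject": "adfssvc.tailspintoys.com",
    "sans": ["adfssvc.tailspintoys.com", "enterpriseregistration.tailspintoys.com"],
    "store": "Personal",   # Cert:\LocalMachine\My in PowerShell terms
}
BAD_CERT = {
    "subject": "adfs1.tailspintoys.com",   # a farm member's hostname, not the service name
    "sans": ["adfs1.tailspintoys.com", "adfs2.tailspintoys.com"],
    "store": "Trusted Root Certification Authorities",
}

# RFC 1918 ranges checked explicitly; ipaddress.is_private also flags the
# documentation ranges used for the constructed data, so it is not used here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def required_san_names(service_name, upn_suffixes):
    """SAN entries the plan requires: the federation service name itself and
    enterpriseregistration.<UPN suffix> for every UPN suffix in use."""
    names = {service_name.lower()}
    for suffix in upn_suffixes:
        names.add(f"enterpriseregistration.{suffix.lower()}")
    return names


def check_certificate(cert, service_name, upn_suffixes):
    """Return a list of findings; an empty list means the certificate meets the plan."""
    findings = []
    if cert["subject"].lower() != service_name.lower():
        findings.append(f"subject is {cert['subject']}, expected service name {service_name}")
    present = {n.lower() for n in cert["sans"]}
    for name in sorted(required_san_names(service_name, upn_suffixes) - present):
        findings.append(f"missing SAN entry {name}")
    if cert["store"] != "Personal":
        findings.append(f"certificate is in the {cert['store']} store, expected Personal")
    return findings


def check_external_dns(service_name, external_answers, wap_public_ip):
    """Check what Internet hosts see when they resolve the service name.
    external_answers maps a name to the address an external resolver returned.
    Returns a finding string, or None when the record points at the WAP."""
    answer = external_answers.get(service_name.lower())
    if answer is None:
        return f"{service_name} does not resolve from the Internet"
    addr = ipaddress.ip_address(answer)
    if any(addr in net for net in RFC1918):
        return f"{service_name} resolves to private address {answer}; external clients cannot reach it"
    if answer != wap_public_ip:
        return f"{service_name} resolves to {answer}, expected WAP public IP {wap_public_ip}"
    return None


if __name__ == "__main__":
    for label, cert in (("good", GOOD_CERT), ("bad", BAD_CERT)):
        print(label, check_certificate(cert, SERVICE_NAME, UPN_SUFFIXES) or "OK")
    # Constructed external DNS views: one correct, one leaking the farm's private address.
    print(check_external_dns(SERVICE_NAME, {SERVICE_NAME: WAP_PUBLIC_IP}, WAP_PUBLIC_IP))
    print(check_external_dns(SERVICE_NAME, {SERVICE_NAME: "10.0.0.5"}, WAP_PUBLIC_IP))
```

Run the same checks against the internal DNS view as well; there the service name is expected to resolve to the farm (or its load balancer), which is why the external check above only accepts the WAP address.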

To improve security, Azure Multi-Factor Authentication can be used with Active Directory Federation Services (ADFS) authentication to add a second factor of authentication. The IIS Authentication section of Azure Multi-Factor Authentication Server allows you to configure IIS authentication to work with Microsoft IIS web applications such as ADFS 2.0. A plug-in installed by Azure Multi-Factor Authentication Server filters requests made to the IIS web server and adds Azure Multi-Factor Authentication. You need to exclude internal IP addresses from using multi-factor authentication. What should you do? Choose the best option(s) from those listed below.

A: The Azure Multi-Factor Authentication Server should be installed on the ADFS proxy server.

B: Configure an IP Whitelist.

C: Nothing, the Internal IP addresses will be excluded automatically.

D: The Azure Multi-Factor Authentication Server should be installed on the ADFS server.

 

Explanation: ADFS can provide web Single Sign-On technology for authentication. When ADFS is secured with Azure Multi-Factor Authentication, it adds a second factor of authentication. In some instances, a company may want to exclude its internal IP addresses from using multi-factor authentication. To accomplish this, an IP whitelist should be configured. When a whitelist is configured, users bypass Azure Multi-Factor Authentication if they log in from a specific IP address or subnet.

Correct Option(s): B: Configure an IP Whitelist.

Incorrect Option(s):

  • A: The Azure Multi-Factor Authentication Server should be installed on the ADFS proxy server. – Azure Multi-factor Authentication Server is installed on the ADFS proxy server when you need to secure ADFS for use with a proxy server. This will not exclude internal IP addresses from using multi-factor authentication.
  • C: Nothing, the Internal IP addresses will be excluded automatically. – Internal IP addresses will not be excluded automatically. An IP whitelist needs to be configured to exclude the internal IP addresses from multi-factor authentication.
  • D: The Azure Multi-Factor Authentication Server should be installed on the ADFS server. – Azure Multi-Factor Authentication Server is installed on the ADFS server when you need to secure ADFS and ADFS proxy is not being used. This will not exclude internal IP addresses from using multi-factor authentication.

Active Directory Federation Services (ADFS) can provide web Single Sign-On. Typically, ADFS will validate a user’s identity when they try to access a cloud-based service like Office 365. What can be used to enhance security for the ADFS authentication process? Choose the best option(s) from those listed below.

A: Azure Multi-Factor Authentication

B: IP Whitelist

C: Digital certificate

D: Azure Active Directory

 

Explanation: Azure Multi-Factor Authentication can be used to provide better security to the ADFS authentication process. It adds a second factor of authentication. Azure Multi-Factor Authentication will require a user to verify their sign-ins by using another form of authentication such as a mobile app, phone call, or text message.

Correct Option(s): A: Azure Multi-Factor Authentication

Incorrect Option(s):

  • B: IP Whitelist – An IP whitelist is used to exclude IP addresses or subnets from multi-factor authentication. It is not used to enhance security for the ADFS authentication process.
  • C: Digital certificate – A digital certificate is typically used to verify the identity of users. Digital certificates are commonly used with e-mail messages to verify that the person sending the message is who they say they are. Digital certificates are not used to enhance security for the ADFS authentication process.
  • D: Azure Active Directory – Azure Active Directory (AD) provides cloud identity and access management functions. Azure AD uses passwords to authenticate users when signing in. It is not used to enhance security for the ADFS authentication process.

When configuring Active Directory Federation Services (AD FS), you can configure it as a stand-alone server or to be part of a server farm. The option you decide to go with will depend on the requirements you have. Which statements relate to a stand-alone server configuration? Choose the best option(s) from those listed below.

A: Used for high availability and load balancing

B: Used for a testing environment

C: Used for large production environments

D: Used for small production environments

Explanation:
You can configure AD FS as a stand-alone server. The stand-alone server option is commonly used if you want to use AD FS in a testing environment, for example to evaluate the product. It is also typically used for small production environments where high availability and load balancing are not a concern. The stand-alone configuration has a limit of containing only one federation server.

Correct Option(s):

  • B: Used for a testing environment  
  • D: Used for small production environments  

Incorrect Option(s):

  • A: Used for high availability and load balancing – Configuring AD FS as a stand-alone server would not be used to provide high availability and load balancing. High availability and load balancing would be offered when you configure AD FS with the server farm configuration option.  
  • C: Used for large production environments – The stand-alone server option would not be used for large environments. For large production environments, AD FS with the server farm configuration option would be configured.  

Deploying a federation server farm involves completing several tasks. Once the first federation server is configured in the new federation server farm, additional federation servers can be added to the existing federation server farm. Before you can add a federation server to an existing federation server farm, what is required? Choose the best option(s) from those listed below.

A: Install the AD FS role service

B: Configure a Web Application Proxy

C: Obtain a valid SSL server authentication certificate

D: Configure a federation server with Device Registration Service (DRS)

Explanation:
When adding an additional federation server to an existing federation server farm, two important elements should already be configured: the AD FS role service and a valid Secure Sockets Layer (SSL) authentication certificate. The AD FS role service is installed on the computer and is part of the process of configuring and adding the first federation server in the federation server farm. A valid SSL authentication certificate is also required prior to adding a federation server to an existing federation server farm. The SSL certificate is required by AD FS and should exist on each federation server in the federation server farm.

Correct Option(s):

  • A: Install the AD FS role service  
  • C: Obtain a valid SSL server authentication certificate

 

Incorrect Option(s):

  • B: Configure a Web Application Proxy – Configure a Web Application Proxy when you want to allow users that are located outside the organization to access applications that are running on servers located inside the organization. Web Application Proxy is not required when adding a federated server to an existing federation server farm.  
  • D: Configure a federation server with Device Registration Service (DRS) – Configuring a federation server with DRS is an optional step that can be completed when you deploy a federation server farm. DRS is configured when you want seamless second-factor authentication, persistent single sign-on (SSO), and conditional access for users that need to reach company resources. It is not an element that is required when adding a federation server to an existing federation server farm.  

Web Application Proxies are deployed with Active Directory Federation Services (AD FS) to allow users that are located outside the organization to access applications that are running on servers located inside the organization. When a Web Application Proxy is configured, certificates are used to secure communication between federation servers. Which certificate type will the federation server proxies require? Choose the best option(s) from those listed below.

A: Token-signing

B: SSL

C: Digital

D: Code signing certificate

Explanation:
When a Web Application Proxy is configured, a Secure Sockets Layer (SSL) certificate is required. The SSL certificate is used to secure the communication between the federation server, the Web Application Proxy, and the Internet client computers.

Correct Option(s): B: SSL  

 

Incorrect Option(s):

  • A: Token-signing – A token-signing certificate is used to securely sign the tokens that the federation server issues. It also securely signs the tokens that the cloud service accepts and validates. A token-signing certificate is not required by the federation server proxies.  
  • C: Digital – A digital certificate is typically used to verify the identity of users. Digital certificates are commonly used with e-mail messages to verify that the person sending the message is who they say they are. A digital certificate is not required by the federation server proxies.  
  • D: Code signing certificate – A code signing certificate is used to digitally sign executables or scripts. A code signing certificate is not required by the federation server proxies.  

You are the admin of O365. You will configure SSO to make it easier for users to sign in to O365. You want to configure multi-factor authentication for users who will be logging in remotely. What should you do to make sure only remote users are required to use multi-factor authentication?

A. Disable directory sync

B. Disable web application proxy

C. Create an IP blacklist

D. Create an IP whitelist

 

Explanation: An IP whitelist is used to bypass multi-factor authentication based on IP addresses or subnets. In this scenario, specify the office subnet, which means internal users from the office will not be required to provide multi-factor authentication, while remote users will. An IP blacklist can’t be created in Azure; blacklisting an IP address is something an anti-malware program does.

Web Application Proxy is used to redirect authentication requests that come from outside the office network to the federation server farm, so disabling it would no longer allow users to connect to the office remotely.

Disabling directory synchronization would prevent users from using SSO and multi-factor authentication.

Correct answers: D – Create an IP whitelist
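This question and the earlier one on excluding internal IP addresses describe the same control: a whitelist of office addresses or subnets whose sign-ins skip the second factor, with every other source (remote users) still challenged. The following is an added example, not code from the original page or from Microsoft's MFA Server, that models that decision so you can reason about edge cases before committing a whitelist. The whitelist entries, the user names and the source addresses are constructed; nothing is excluded just because it is a private address, and a malformed address is treated as remote (fail closed).

```python
import ipaddress

# Constructed whitelist: the office egress range and one single address.
OFFICE_WHITELIST = ["203.0.113.0/24", "198.51.100.17"]

# Constructed sign-in records: user and the source address the service saw.
SIGN_INS = [
    {"user": "alice@tailspintoys.com", "ip": "203.0.113.44"},   # inside the office range
    {"user": "bob@tailspintoys.com",   "ip": "198.51.100.17"},  # the single listed address
    {"user": "carol@tailspintoys.com", "ip": "192.0.2.99"},     # remote, not listed
    {"user": "dave@tailspintoys.com",  "ip": "10.0.0.5"},       # private but NOT listed
    {"user": "erin@tailspintoys.com",  "ip": "not-an-ip"},      # malformed; fail closed
]


def parse_whitelist(entries):
    """Accept single addresses and CIDR subnets; a bare address becomes a /32 (or /128)."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def mfa_required(client_ip, whitelist):
    """True when the second factor must be enforced for this sign-in.
    Only an address inside a whitelisted range bypasses MFA; an address that
    cannot be parsed is never trusted, so it is challenged like a remote user."""
    nets = parse_whitelist(whitelist)
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return True
    # Mixed IPv4/IPv6 membership tests simply return False, which is what we want.
    return not any(addr in net for net in nets)


def classify_sign_ins(sign_ins, whitelist):
    """Map each user to whether that sign-in requires MFA."""
    return {s["user"]: mfa_required(s["ip"], whitelist) for s in sign_ins}


if __name__ == "__main__":
    for user, required in classify_sign_ins(SIGN_INS, OFFICE_WHITELIST).items():
        print(f"{user:28} MFA required: {required}")
```

The `dave` record is the point of the earlier question's option C: a 10.x address is internal, but it is not excluded until the subnet is actually on the whitelist. Keep the whitelist to the office's real egress ranges and review it whenever the network changes, since every entry is a range from which password-only sign-ins are accepted.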

 

 

 
