Testbank Lesson 18 – Flashcards

question
What benefit does Single Sign-On provide for application users? a. Prohibits users from being able to register multiple accounts within an application b. Prevents users from needing to remember multiple usernames and passwords. c. Provides users an easy way to remember the login information for the application d. Provides for faster account lockout remediation
answer
b. Prevents users from needing to remember multiple usernames and passwords. Difficulty: Easy Section Ref: Understanding Active Directory Federation Services Explanation: Single Sign-On (SSO) for web-based applications prevents users from needing to remember multiple usernames and passwords, one for each application.
question
Which of the following are supported as attribute stores for AD FS? a. ADAM in Windows Server 2003, and AD LDS in Windows Server 2008 and higher b. Microsoft SQL Server 2005 c. Microsoft SQL Server 2008 d. All of the above
answer
d. All of the above Difficulty: Easy Section Ref: Implementing AD FS Explanation: AD FS supports the following attribute stores: • Active Directory Application Mode (ADAM) in Windows Server 2003 • Active Directory Lightweight Directory Services (AD LDS) in Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 • Microsoft SQL Server 2005 (all editions) • Microsoft SQL Server 2008 (all editions) • A custom attribute store
question
In order to utilize AD FS, what is the oldest version of Windows Server that any domain controller can be using? a. Windows Server 2003 SP1 b. Windows Server 2008 SP1 c. Windows Server 2008 R2 d. Windows Server 2012 e. Windows Server 2012 R2
answer
a. Windows Server 2003 SP1 Difficulty: Medium Section Ref: Implementing AD FS Explanation: The domain controllers must be running a minimum of Windows Server 2003 with SP1.
question
What options are available for the storage of the AD FS configuration settings? (Choose all that apply) a. SQL Server b. AD LDS or ADAM c. Windows Internal Database d. AD DS
answer
a. SQL Server c. Windows Internal Database Difficulty: Hard Section Ref: Implementing AD FS Explanation: The AD FS configuration settings themselves (not the attribute store data) are stored either in a SQL Server instance or locally on the AD FS server in the Windows Internal Database.
question
What PowerShell cmdlet would you use to list the attribute stores currently configured for AD FS? a. List-ADFSAttributeStore b. Show-ADFSAttributeStore c. Display-ADFSAttributeStore d. Get-ADFSAttributeStore
answer
d. Get-ADFSAttributeStore Difficulty: Hard Section Ref: Implementing AD FS Explanation: Use the Get-ADFSAttributeStore cmdlet to list the attribute stores currently configured for AD FS.
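The two questions above describe which attribute stores AD FS accepts and the cmdlet that lists them. The following PowerShell is an added example, not part of the testbank, showing the list, the registration of a SQL Server store, and a claims rule that reads from it. The server name sql01.contoso.example, the database AdfsAttributes, the table UserRoles (columns accountName and role) and the relying party trust name "Claims Test App" are assumptions.

```powershell
# Added example (not from the testbank): enumerate, add and use an AD FS attribute store.
# Assumptions: SQL host sql01.contoso.example, database AdfsAttributes, table UserRoles
# with columns accountName (DOMAIN\user) and role, relying party "Claims Test App".
# Run in an elevated PowerShell session on the AD FS server.
Import-Module ADFS

# The built-in store is always present and is named "Active Directory".
Get-AdfsAttributeStore | Format-Table Name, StoreTypeQualifiedName -AutoSize

# Register a SQL Server attribute store. Integrated Security means the AD FS service
# account authenticates to SQL Server, so grant that account SELECT only on the
# tables the rules query, nothing more.
Add-AdfsAttributeStore -Name "Contoso SQL Store" -StoreType "SQL" -Configuration @{
    "ConnectionString" = "Data Source=sql01.contoso.example;Initial Catalog=AdfsAttributes;Integrated Security=True"
}

# A claims rule that queries the new store. {0} is bound to the value passed as
# param; never build the query text from claim values yourself.
$roleRule = @'
@RuleName = "Roles from Contoso SQL Store"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(store = "Contoso SQL Store",
          types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"),
          query = "SELECT role FROM UserRoles WHERE accountName = {0}",
          param = c.Value);
'@
Set-AdfsRelyingPartyTrust -TargetName "Claims Test App" -IssuanceTransformRules $roleRule

# Confirm the store is registered. Remove it again with:
#   Remove-AdfsAttributeStore -TargetName "Contoso SQL Store"
Get-AdfsAttributeStore -Name "Contoso SQL Store"
```

Setting -IssuanceTransformRules replaces the whole rule set of that relying party trust; append to the existing rules (Get-AdfsRelyingPartyTrust exposes them as IssuanceTransformRules) if the trust already has some.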
question
What add-on component can you download from the Microsoft.com website to create a test Windows Identity Foundation (WIF) application that you can use to test AD FS claims-based authentication? a. AD FS Claims-Based Authentication Accelerator b. Windows Identity Foundation SDK 4.0 c. Windows Identity Foundation 3.5 d. AD FS Sample Application Accelerator
answer
b. Windows Identity Foundation SDK 4.0 Difficulty: Medium Section Ref: Implementing Claims-Based Authentication Explanation: You would need to download and install the Windows Identity Foundation SDK 4.0 to create a sample WIF application for testing AD FS claims-based authentication.
question
While testing AD FS claims-based authentication with a sample application, you encounter an error due to the self-signed certificate you opted to use. What can you do to eliminate this error? (Choose all that apply) a. Add the self-signed certificate to your computer's Trusted Root Certification Authorities store b. Add the self-signed certificate to the application server's Trusted Root Certification Authorities store c. Issue a valid certificate from your internal CA d. Configure AD FS to ignore self-signed certificate errors
answer
a. Add the self-signed certificate to your computer's Trusted Root Certification Authorities store c. Issue a valid certificate from your internal CA Difficulty: Medium Section Ref: Implementing Claims-Based Authentication Explanation: You can either issue a valid certificate or configure your computer to trust the self-signed certificate. There is no AD FS setting that ignores certificate errors, and disabling validation on the client would defeat the purpose of TLS.
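The answer above has two fixes: trust the self-signed certificate on the test machine, or issue a real one. The PowerShell below is an added example, not from the testbank, that does the first one in a lab and then removes the trust again. The federation service name sts.contoso.example and the export path C:\Temp are assumptions.

```powershell
# Added example (not from the testbank): make a test client trust the self-signed
# certificate an AD FS lab uses, verify it, and remove the trust afterwards.
# Assumptions: federation service name sts.contoso.example, export path C:\Temp.
# Lab machines only; production should get a certificate from the internal CA.

# --- On the AD FS server: create and export the self-signed certificate ---
$cert = New-SelfSignedCertificate -DnsName "sts.contoso.example" -CertStoreLocation "Cert:\LocalMachine\My"
# Export-Certificate writes the public certificate only; the private key stays in the store.
Export-Certificate -Cert $cert -FilePath "C:\Temp\sts-contoso-test.cer" | Out-Null
"Created $($cert.Subject) thumbprint $($cert.Thumbprint)"

# --- On the test client: import into Trusted Root (option a) and check the chain builds ---
$imported = Import-Certificate -FilePath "C:\Temp\sts-contoso-test.cer" -CertStoreLocation "Cert:\LocalMachine\Root"
$trusted  = Get-ChildItem "Cert:\LocalMachine\Root" | Where-Object { $_.Thumbprint -eq $imported.Thumbprint }
if ($trusted -and $trusted.Verify()) {
    "Trusted: $($trusted.Subject) $($trusted.Thumbprint)"
} else {
    throw "Certificate did not validate; the application will still raise the error"
}

# --- Cleanup when the lab is finished: a forgotten trusted root is a standing risk ---
Get-ChildItem "Cert:\LocalMachine\Root" | Where-Object { $_.Thumbprint -eq $imported.Thumbprint } | Remove-Item
```

Compare thumbprints out of band before importing: anyone who can get a certificate into LocalMachine\Root can impersonate any TLS server to that machine, so the import should be a deliberate, recorded step rather than a habit.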
question
By default, the AD FS server is configured with a claims provider trust named Active Directory. If you are communicating with other organizations, you need to create additional claims provider trusts for each federated organization. What options are available to get the data you need for the creation of these claims provider trusts? (Choose all that apply) a. Import data about the claims provider through the federation metadata b. Manually configure the claims provider trust c. Import data about the claims provider from a file d. Create a site-to-site VPN tunnel to bridge networks together
answer
a. Import data about the claims provider through the federation metadata b. Manually configure the claims provider trust c. Import data about the claims provider from a file Difficulty: Medium Section Ref: Configuring Claims Provider Trust Rules Explanation: If you are communicating with other organizations, you need to create additional claims provider trusts for each federated organization. The claims provider trust has similar options to the relying party trust. The options include: • Import data about the claims provider through the federation metadata. • Import data about the claims provider from a file. • Manually configure the claims provider trust.
question
What step(s) will you need to perform while configuring a claims provider trust that you will not need to perform while configuring a relying party trust? (Choose all that apply) a. Map attributes b. Specify the application c. Edit claims rules d. Provide a URL for the partner federation server
answer
a. Map attributes c. Edit claims rules Difficulty: Hard Section Ref: Configuring Claims Provider Trust Rules Explanation: Mapping attributes is part of editing the claims rules, a step the wizard performs when configuring a claims provider trust but not when configuring a relying party trust.
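The two questions above cover the three ways to create a claims provider trust and the claims rules (including attribute mapping) that go with it. The PowerShell below is an added example, not from the testbank, showing all three creation methods and an acceptance rule set that only accepts what the partner is expected to send. The partner name Fabrikam, its federation service sts.fabrikam.example, the metadata and certificate file paths, and the group name Fabrikam-Finance are assumptions.

```powershell
# Added example (not from the testbank): create a claims provider trust three ways and
# attach acceptance transform rules. Assumptions: partner "Fabrikam" at
# sts.fabrikam.example, files under C:\Temp, partner group name "Fabrikam-Finance".
Import-Module ADFS

# 1. From federation metadata over HTTPS (the partner's signing certificate and
#    endpoints are read from the document; the TLS connection is what protects them).
Add-AdfsClaimsProviderTrust -Name "Fabrikam" `
    -MetadataUrl "https://sts.fabrikam.example/FederationMetadata/2007-06/FederationMetadata.xml"

# 2. From a metadata file exchanged out of band (use instead of 1, not in addition).
# Add-AdfsClaimsProviderTrust -Name "Fabrikam" -MetadataFile "C:\Temp\fabrikam-metadata.xml"

# 3. Manually: identifier, token-signing certificate and WS-Federation endpoint supplied by hand.
# $signing = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\Temp\fabrikam-signing.cer")
# Add-AdfsClaimsProviderTrust -Name "Fabrikam" `
#     -Identifier "http://sts.fabrikam.example/adfs/services/trust" `
#     -TokenSigningCertificate $signing `
#     -WSFedEndpoint "https://sts.fabrikam.example/adfs/ls/"

# Acceptance transform rules: what this AD FS accepts from Fabrikam's tokens.
# Rule 1 passes through e-mail claims only when the address is in the partner's domain.
# Rule 2 maps a partner group claim to a local role (the "map attributes" step).
# Do NOT use c:[] => issue(claim = c); a partner could then inject any role or group claim.
$acceptRules = @'
@RuleName = "Accept only Fabrikam e-mail addresses"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", Value =~ "(?i)^[^@]+@fabrikam\.example$"]
 => issue(claim = c);

@RuleName = "Map Fabrikam-Finance to local Finance role"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "Fabrikam-Finance"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "Finance");
'@
Set-AdfsClaimsProviderTrust -TargetName "Fabrikam" -AcceptanceTransformRules $acceptRules

# Review the result, including the signing certificate that tokens will be verified against.
Get-AdfsClaimsProviderTrust -Name "Fabrikam" |
    Select-Object Name, Identifier, Enabled, WSFedEndpoint, AcceptanceTransformRules
```

Whichever creation method is used, verify the token-signing certificate thumbprint with the partner before enabling the trust; the metadata path is convenient, but the certificate in it is what decides whose tokens your users will be logged in with.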
question
In Windows Server 2012 R2, which of the following is used to control who can use an AD FS application or service? a. Usage policies b. Proxy policies c. Rights policies d. Authentication policies
answer
d. Authentication policies Difficulty: Medium Section Ref: Configuring Authentication Policies Explanation: In Windows Server 2012 R2, AD FS controls access with authentication policies and multi-factor authentication (using user, device, location, and authentication data). An authentication policy specifies the type of authentication either globally, for all applications and services secured by AD FS, or for a particular application through its relying party trust.
question
In AD FS, which of the following allows you to create issuance authorization rules for relying party applications and allows you to use custom 'Access Denied' message? a. Relying party permission policy b. Multifactor access control c. Usage policy d. Federation Service proxy
answer
b. Multifactor access control Difficulty: Hard Section Ref: Configuring Multi-Factor Authentication Explanation: Using multifactor access control with AD FS in Windows Server 2012 R2 provides the following benefits: • Allows for flexible authorization policies that allow you to permit or deny access based on user, device, network location, and authentication state • Allows creating issuance authorization rules for relying party applications • Provides a rich UI experience for the common multifactor access control scenarios • Provides rich claims language and Windows PowerShell support for advanced multifactor access control scenarios • Allows you to use custom 'Access Denied' messages
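The two questions above describe the global and per-application authentication policy and the multifactor access control features (issuance authorization rules, MFA triggers, custom Access Denied text). The PowerShell below is an added example, not from the testbank, that configures each of them on one relying party trust. The trust name "Claims Test App" and the group SID S-1-5-21-0-0-0-1234 are placeholders.

```powershell
# Added example (not from the testbank): global authentication policy, then per-relying-party
# MFA, issuance authorization and a custom Access Denied message.
# Assumptions: relying party trust "Claims Test App", authorised group SID S-1-5-21-0-0-0-1234.
Import-Module ADFS

# Global policy: Windows or forms authentication on the intranet, forms or certificate from
# the extranet, certificate as the additional (second) factor, device authentication on.
Set-AdfsGlobalAuthenticationPolicy `
    -PrimaryIntranetAuthenticationProvider @("WindowsAuthentication", "FormsAuthentication") `
    -PrimaryExtranetAuthenticationProvider @("FormsAuthentication", "CertificateAuthentication") `
    -AdditionalAuthenticationProvider @("CertificateAuthentication") `
    -DeviceAuthenticationEnabled $true

# Per-application MFA trigger: require the additional factor when the request did not
# come from inside the corporate network. AD FS sets insidecorporatenetwork to "false"
# for requests that arrive through the proxy, so this only holds if external clients
# cannot reach the federation server directly.
$mfaRules = @'
@RuleName = "Require MFA from outside the corporate network"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsRelyingPartyTrust -TargetName "Claims Test App" -AdditionalAuthenticationRules $mfaRules

# Issuance authorization: only members of the assumed group get a token. No permit
# claim means access is denied; an explicit deny claim always wins over a permit.
$authzRules = @'
@RuleName = "Permit members of the application group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-0-0-0-1234"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Deny unregistered devices from the extranet"
c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] &&
NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "true"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
'@
Set-AdfsRelyingPartyTrust -TargetName "Claims Test App" -IssuanceAuthorizationRules $authzRules

# Custom Access Denied text for this application (Windows Server 2012 R2 cmdlet).
# Keep it generic: do not echo which rule failed or which group the user lacks.
Set-AdfsRelyingPartyWebContent -TargetRelyingPartyName "Claims Test App" `
    -ErrorPageAuthorizationErrorMessage "You are not authorised to use this application. Contact the service desk and quote the reference number shown."

# Review what is now in effect.
Get-AdfsGlobalAuthenticationPolicy
Get-AdfsRelyingPartyTrust -Name "Claims Test App" |
    Select-Object Name, AdditionalAuthenticationRules, IssuanceAuthorizationRules
```

Test both paths after changing these rules: a user in the group from the intranet, and a user outside the group or on an unregistered device from the extranet, and confirm the second one is denied with the custom message rather than a generic error.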
question
Which of the following features allows you to join a device (such as a smart phone) to the organization network without joining the device to the Active Directory domain? a. Workplace Join b. Domain Join c. Universal Join d. Global Join
answer
a. Workplace Join Difficulty: Easy Section Ref: Configuring Workplace Join Explanation: With Workplace Join, users can join their devices to the organization network without joining the device to the Active Directory domain. You can then manage access based on a wide range of attributes.
question
Which of the following services is used to provision a device object in AD DS and issue a certificate for the Workplace-Joined Device? a. Domain Join Service b. AD FS Authentication Service c. Device Registration Service d. Device Emulation Service
answer
c. Device Registration Service Difficulty: Medium Section Ref: Configuring Workplace Join Explanation: When the user joins the devices using Workplace Join, the device becomes a known device. The Device Registration Service (DRS) provisions a device object in AD DS and issues a certificate for the Workplace-Joined device. The certificate will be used to represent device identity when accessing organization resources.
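The two questions above introduce Workplace Join and the Device Registration Service that backs it. The PowerShell below is an added example, not from the testbank, that enables DRS, checks the DNS record clients use to find it, and inspects and disables the device objects DRS provisions. The domain contoso.example, the service account CONTOSO\svc-adfs$, and the device name being searched for are assumptions.

```powershell
# Added example (not from the testbank): enable the Device Registration Service, verify
# its prerequisites, and inspect/revoke Workplace-Joined device objects.
# Assumptions: domain contoso.example, federation service sts.contoso.example,
# group managed service account CONTOSO\svc-adfs$ running AD FS.

# 1. Prepare AD DS (run once, as Enterprise Admin): creates the RegisteredDevices container
#    and grants the AD FS service account the rights to provision msDS-Device objects.
Initialize-ADDeviceRegistration -ServiceAccountName "CONTOSO\svc-adfs$"

# 2. On the AD FS server: turn on DRS and device authentication.
Import-Module ADFS
Enable-AdfsDeviceRegistration
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true
Get-AdfsDeviceRegistration

# 3. Clients locate DRS through a CNAME for enterpriseregistration.<UPN suffix> that
#    points at the federation service name. Check it resolves before testing a join.
$cname = Resolve-DnsName -Name "enterpriseregistration.contoso.example" -Type CNAME -ErrorAction Stop
if ($cname.NameHost -ne "sts.contoso.example") {
    throw "enterpriseregistration CNAME points at $($cname.NameHost), expected sts.contoso.example"
}

# 4. After a device joins, DRS has created an msDS-Device object. List them with the
#    identity and owner DRS recorded; the device certificate references msDS-DeviceID.
Import-Module ActiveDirectory
$devicesDn = "CN=RegisteredDevices," + (Get-ADDomain).DistinguishedName
Get-ADObject -Filter 'objectClass -eq "msDS-Device"' -SearchBase $devicesDn `
    -Properties msDS-DeviceID, msDS-RegisteredOwner, msDS-IsEnabled, whenCreated |
    Select-Object Name, msDS-DeviceID, msDS-IsEnabled, whenCreated

# 5. Revoking a lost or stolen device: disable its object so its certificate no longer
#    satisfies device-based policy. The DN comes from the listing in step 4.
$lost = Get-ADObject -Filter 'objectClass -eq "msDS-Device" -and Name -eq "LAPTOP-LOST01"' -SearchBase $devicesDn
if ($lost) { Set-ADObject -Identity $lost -Replace @{ 'msDS-IsEnabled' = $false } }
```

Treat the RegisteredDevices container as security-relevant: whoever can write to it can create device objects that your issuance authorization rules will regard as known devices, so audit write access to it along with the AD FS service account.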
question
Which of the following commands would be the best option to use to configure a new AD FS farm using the Windows Internal Database? a. fsconfig.exe StandAlone b. fsconfig.exe CreateFarm c. fsconfig.exe CreateSQLFarm d. fsconfig.exe JoinFarm
answer
b. fsconfig.exe CreateFarm Difficulty: Easy Section Ref: Implementing AD FS Explanation: Use the fsconfig.exe CreateFarm command to configure a new AD FS farm using the Windows Internal Database; CreateSQLFarm creates a farm backed by SQL Server, JoinFarm adds a server to an existing farm, and StandAlone creates a single-server deployment.
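The configuration-storage question earlier in this set and the fsconfig.exe question above describe the same choice: Windows Internal Database or SQL Server. fsconfig.exe belongs to AD FS 2.0; on Windows Server 2012 R2, which the rest of this lesson covers, the same operations are the Install-AdfsFarm and Add-AdfsFarmNode cmdlets. The PowerShell below is an added example, not from the testbank, showing both storage options and how to confirm which one a server is using. The federation service name sts.contoso.example, the SQL host sql01.contoso.example, the service account and the first node name adfs01.contoso.example are assumptions.

```powershell
# Added example (not from the testbank): create an AD FS farm on Windows Server 2012 R2
# with either storage option, add a node, and confirm where the configuration lives.
# Assumptions: federation service sts.contoso.example, SQL host sql01.contoso.example,
# service account CONTOSO\svc-adfs, first farm node adfs01.contoso.example.

# Prerequisites on every node: the role, and the SSL certificate in LocalMachine\My.
Install-WindowsFeature ADFS-Federation -IncludeManagementTools
$thumb = (Get-ChildItem "Cert:\LocalMachine\My" |
          Where-Object { $_.Subject -like "CN=sts.contoso.example*" } |
          Select-Object -First 1).Thumbprint
if (-not $thumb) { throw "SSL certificate for sts.contoso.example not found in LocalMachine\My" }
$svc = Get-Credential -Message "AD FS service account (CONTOSO\svc-adfs)"

# Option 1: new farm on the Windows Internal Database (fsconfig.exe CreateFarm equivalent).
# WID farms replicate configuration from the primary node and have a node count limit,
# so the primary node name matters when you add members later.
Install-AdfsFarm -CertificateThumbprint $thumb `
    -FederationServiceName "sts.contoso.example" `
    -FederationServiceDisplayName "Contoso Corporation" `
    -ServiceAccountCredential $svc

# Option 2: new farm on SQL Server (fsconfig.exe CreateSQLFarm equivalent). Every node
# reads and writes the same database, so there is no primary node.
# Install-AdfsFarm -CertificateThumbprint $thumb `
#     -FederationServiceName "sts.contoso.example" `
#     -FederationServiceDisplayName "Contoso Corporation" `
#     -ServiceAccountCredential $svc `
#     -SQLConnectionString "Data Source=sql01.contoso.example;Integrated Security=True"

# Adding a second server to the WID farm (fsconfig.exe JoinFarm equivalent); run on the new node.
# Add-AdfsFarmNode -CertificateThumbprint $thumb `
#     -PrimaryComputerName "adfs01.contoso.example" `
#     -ServiceAccountCredential $svc

# Confirm the configuration store in use: a WID farm shows the WID named pipe
# (\\.\pipe\MICROSOFT##WID\tsql\query), a SQL farm shows the SQL host.
Get-Service adfssrv
Get-WmiObject -Namespace "root\ADFS" -Class SecurityTokenService |
    Select-Object ConfigurationDatabaseConnectionString
```

Whichever store is chosen, the database holds the token-signing and decrypting keys (when AD FS generates them) and every trust configuration, so the SQL login or the WID file system permissions deserve the same scrutiny as the AD FS service account itself.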
question
Which of the following components of Active Directory Federation Services is a statement made by a trusted entity and includes information identifying the entity? a. Federation server proxy b. Claims provider c. Relying party d. Claim
answer
d. Claim Difficulty: Medium Section Ref: Understanding Active Directory Federation Services Explanation: Claims are statements made by a trusted entity about an object such as a user; they include key information identifying that user.
question
Which of the following components of Active Directory Federation Services is responsible for forwarding packets from external hosts to internal federation servers? a. Federation server proxy b. Claims provider c. Relying party d. Claim
answer
a. Federation server proxy Difficulty: Medium Section Ref: Understanding Active Directory Federation Services Explanation: The federation server proxy is an optional component, usually deployed in a perimeter network such as a DMZ, that receives requests from external clients and forwards them to the internal federation server.
question
Which of the following components of Active Directory Federation Services is the server that issues claims and authenticates users? a. Federation server proxy b. Claims provider c. Relying party d. Claim
answer
b. Claims provider Difficulty: Medium Section Ref: Understanding Active Directory Federation Services Explanation: The claims provider is the server that issues claims and authenticates users.
question
Which of the following components of Active Directory Federation Services is the application or web service that accepts claims? a. Federation server proxy b. Claims provider c. Relying party d. Claim
answer
c. Relying party Difficulty: Medium Section Ref: Understanding Active Directory Federation Services Explanation: The Relying party is the application or web service that accepts claims from the claims provider.