Testbank Lesson 18 – Flashcards
question
What benefit does Single Sign-On provide for application users?
a. Prohibits users from being able to register multiple accounts within an application
b. Prevents users from needing to remember multiple usernames and passwords.
c. Provides users an easy way to remember the login information for the application
d. Provides for faster account lockout remediation
answer
b. Prevents users from needing to remember multiple usernames and passwords.
Difficulty: Easy
Section Ref: Understanding Active Directory Federation Services
Explanation: Single Sign-On (SSO) for web-based applications prevents users from needing to remember multiple usernames and passwords, one for each application.
question
Which of the following are supported as attribute stores for AD FS?
a. ADAM in Windows Server 2003, and AD LDS in Windows Server 2008 and higher
b. Microsoft SQL Server 2005
c. Microsoft SQL Server 2008
d. All of the above
answer
d. All of the above
Difficulty: Easy
Section Ref: Implementing AD FS
Explanation: AD FS supports the following attribute stores:
• Active Directory Application Mode (ADAM) in Windows Server 2003
• Active Directory Lightweight Directory Services (AD LDS) in Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2
• Microsoft SQL Server 2005 (all editions)
• Microsoft SQL Server 2008 (all editions)
• A custom attribute store
question
In order to utilize AD FS, what is the oldest version of Windows Server that any domain controller can be using?
a. Windows Server 2003 SP1
b. Windows Server 2008 SP1
c. Windows Server 2008 R2
d. Windows Server 2012
e. Windows Server 2012 R2
answer
a. Windows Server 2003 SP1
Difficulty: Medium
Section Ref: Implementing AD FS
Explanation: The domain controllers must be running a minimum of Windows Server 2003 with SP1.
question
What options are available for the storage of the AD FS configuration settings? (Choose all that apply)
a. SQL Server
b. AD LDS or ADAM
c. Windows Internal Database
d. AD DS
answer
a. SQL Server
c. Windows Internal Database
Difficulty: Hard
Section Ref: Implementing AD FS
Explanation: The AD FS configuration settings themselves (not the attribute store data) can be stored either in a SQL Server instance or locally on the AD FS server in the Windows Internal Database.
question
What PowerShell cmdlet would you use to list the attribute stores currently configured for AD FS?
a. List-ADFSAttributeStore
b. Show-ADFSAttributeStore
c. Display-ADFSAttributeStore
d. Get-ADFSAttributeStore
answer
d. Get-ADFSAttributeStore
Difficulty: Hard
Section Ref: Implementing AD FS
Explanation: You use the Get-ADFSAttributeStore cmdlet to list the attribute stores currently configured for AD FS.
question
What add-on component can you download from the Microsoft.com website to create a test Windows Identity Foundation (WIF) application that you can use to test AD FS claims-based authentication?
a. AD FS Claims-Based Authentication Accelerator
b. Windows Identity Foundation SDK 4.0
c. Windows Identity Foundation 3.5
d. AD FS Sample Application Accelerator
answer
b. Windows Identity Foundation SDK 4.0
Difficulty: Medium
Section Ref: Implementing Claims-Based Authentication
Explanation: You would need to download and install the Windows Identity Foundation SDK 4.0 to create a sample WIF application for testing AD FS claims-based authentication.
question
While testing AD FS claims-based authentication with a sample application, you encounter an error due to the self-signed certificate you opted to use. What can you do to eliminate this error? (Choose all that apply)
a. Add the self-signed certificate to your computer's Trusted Root Certification Authorities store
b. Add the self-signed certificate to the application server's Trusted Root Certification Authorities store
c. Issue a valid certificate from your internal CA
d. Configure AD FS to ignore self-signed certificate errors
answer
a. Add the self-signed certificate to your computer's Trusted Root Certification Authorities store
c. Issue a valid certificate from your internal CA
Difficulty: Medium
Section Ref: Implementing Claims-Based Authentication
Explanation: You can either issue a valid certificate from your internal CA or configure your computer to trust the self-signed certificate.
question
By default, the AD FS server is configured with a claims provider trust named Active Directory. If you are communicating with other organizations, you need to create additional claims provider trusts for each federated organization. What options are available to get the data you need for the creation of these claims provider trusts? (Choose all that apply)
a. Import data about the claims provider through the federation metadata
b. Manually configure the claims provider trust
c. Import data about the claims provider from a file
d. Create a site-to-site VPN tunnel to bridge networks together
answer
a. Import data about the claims provider through the federation metadata
b. Manually configure the claims provider trust
c. Import data about the claims provider from a file
Difficulty: Medium
Section Ref: Configuring Claims Provider Trust Rules
Explanation: If you are communicating with other organizations, you need to create an additional claims provider trust for each federated organization. A claims provider trust offers options similar to those of a relying party trust:
• Import data about the claims provider through the federation metadata.
• Import data about the claims provider from a file.
• Manually configure the claims provider trust.
question
What step(s) will you need to perform while configuring a claims provider trust that you will not need to perform while configuring a relying party trust? (Choose all that apply)
a. Map attributes
b. Specify the application
c. Edit claims rules
d. Provide a URL for the partner federation server
answer
a. Map attributes
c. Edit claims rules
Difficulty: Hard
Section Ref: Configuring Claims Provider Trust Rules
Explanation: Mapping attributes is a step of editing and configuring claims rules, which is performed when configuring a claims provider trust, but not a relying party trust.
question
In Windows Server 2012 R2, which of the following is used to control who can use an AD FS application or service?
a. Usage policies
b. Proxy policies
c. Rights policies
d. Authentication policies
answer
d. Authentication policies
Difficulty: Medium
Section Ref: Configuring Authentication Policies
Explanation: In Windows Server 2012 R2, access to AD FS is controlled with authentication policies and multi-factor authentication (which can take user, device, location, and authentication data into account). An authentication policy specifies the type of authentication either globally, for all applications and services secured by AD FS, or per relying party trust for a particular application.
question
In AD FS, which of the following allows you to create issuance authorization rules for relying party applications and to use custom 'Access Denied' messages?
a. Relying party permission policy
b. Multifactor access control
c. Usage policy
d. Federation Service proxy
answer
b. Multifactor access control
Difficulty: Hard
Section Ref: Configuring Multi-Factor Authentication
Explanation: Using multifactor access control with AD FS in Windows Server 2012 R2 provides the following benefits:
• Allows for flexible authorization policies that allow you to permit or deny access based on user, device, network location, and authentication state
• Allows creating issuance authorization rules for relying party applications
• Provides a rich UI experience for the common multifactor access control scenarios
• Provides rich claims language and Windows PowerShell support for advanced multifactor access control scenarios
• Allows you to use custom 'Access Denied' messages
question
Which of the following features allows you to join a device (such as a smart phone) to the organization network without joining the device to the Active Directory domain?
a. Workplace Join
b. Domain Join
c. Universal Join
d. Global Join
answer
a. Workplace Join
Difficulty: Easy
Section Ref: Configuring Workplace Join
Explanation: With Workplace Join, users can join their devices to the organization network without joining the devices to the Active Directory domain. You can then manage access based on a wide range of device and user attributes.
question
Which of the following services is used to provision a device object in AD DS and issue a certificate for the Workplace-Joined Device?
a. Domain Join Service
b. AD FS Authentication Service
c. Device Registration Service
d. Device Emulation Service
answer
c. Device Registration Service
Difficulty: Medium
Section Ref: Configuring Workplace Join
Explanation: When a user joins a device using Workplace Join, the device becomes a known device. The Device Registration Service (DRS) provisions a device object in AD DS and issues a certificate for the Workplace-Joined device. That certificate represents the device's identity when it accesses organization resources.
question
Which of the following commands would be the best option to use to configure a new AD FS farm using the Windows Internal Database?
a. fsconfig.exe StandAlone
b. fsconfig.exe CreateFarm
c. fsconfig.exe CreateSQLFarm
d. fsconfig.exe JoinFarm
answer
b. fsconfig.exe CreateFarm
Difficulty: Easy
Section Ref: Implementing AD FS
Explanation: You use the fsconfig.exe CreateFarm command to configure a new AD FS farm that stores its configuration in the Windows Internal Database.
question
Which of the following components of Active Directory Federation Services is a statement made by a trusted entity and includes information identifying the entity?
a. Federation server proxy
b. Claims provider
c. Relying party
d. Claim
answer
d. Claim
Difficulty: Medium
Section Ref: Understanding Active Directory Federation Services
Explanation: Claims are statements made by a trusted entity about an object, such as a user, that include key information identifying that user.
question
Which of the following components of Active Directory Federation Services is responsible for forwarding packets from external hosts to internal federation servers?
a. Federation server proxy
b. Claims provider
c. Relying party
d. Claim
answer
a. Federation server proxy
Difficulty: Medium
Section Ref: Understanding Active Directory Federation Services
Explanation: The federation server proxy is an optional component, usually deployed in a perimeter network such as a DMZ, that receives requests from external hosts and forwards them to the internal federation server.
question
Which of the following components of Active Directory Federation Services is the server that issues claims and authenticates users?
a. Federation server proxy
b. Claims provider
c. Relying party
d. Claim
answer
b. Claims provider
Difficulty: Medium
Section Ref: Understanding Active Directory Federation Services
Explanation: The claims provider is the server that issues claims and authenticates users.
question
Which of the following components of Active Directory Federation Services is the application or web service that accepts claims?
a. Federation server proxy
b. Claims provider
c. Relying party
d. Claim
answer
c. Relying party
Difficulty: Medium
Section Ref: Understanding Active Directory Federation Services
Explanation: The relying party is the application or web service that accepts claims from the claims provider.