AD CS, AD FS, and AD RMS Flashcards
Implement Identity Federation and Access Solutions; Implement Active Directory Certificate Services
What is WIA?
Windows-Integrated Authentication
This is the traditional method of authentication using Active Directory.
What is FBA?
Forms-Based Authentication
When a server, such as a web application server, stores a user’s authentication information in a database specifically for that application.
For ADFS, what is Web Application Proxy?
This tool allows you to securely expose ADFS to the internet, so internet users can be redirected to it for authentication when accessing web applications.
With this, you don’t need to expose your ADFS server directly to the internet.
What is Microsoft Passport?
A former name for “Windows Hello for Business”
What are password-less options for authentication in ADFS?
- Azure MFA
- Device Registration
- Windows Hello for Business
What are new features for ADFS in 2016?
- Password-less Access
- Access Control Policies
- LDAP directory support
- Customized Sign-In page for each application
- Improved upgrade process, when upgrading from previous ADFS versions
- New features for developers
What steps to upgrade an AD FS farm from Version 3.0 / Server 2012 R2, to version 2016?
- First, add an ADFS 2016 node to your existing 2012R2 ADFS farm.
- If using WID: Make the ADFS 2016 server the primary node, and make the 2012 R2 servers secondary. (Not necessary if using SQL.)
- Extend your AD Schema to 2016
- Remove all ADFS 2012 R2 nodes
- Upgrade the Farm Behavior Level (FBL)
What is a mixed farm?
An ADFS farm that includes both 2012R2 ADFS nodes, and ADFS 2016 nodes.
Typically, this would be a transitional stage before upgrading the entire farm to 2016.
What is FBL?
Farm Behavior Level
- A new feature in ADFS 2016.
- Refers to the version level that an ADFS farm operates at, whether 2012R2 or 2016.
- A farm with an FBL of 2012R2 may include 2016 nodes, but cannot use the new features of ADFS 2016 until the FBL is upgraded.
What are Primary and Secondary ADFS Servers?
In farms that use a WID:
- The Primary server / node has a writeable copy of the database.
- Secondary servers / nodes have a read-only replica of the database.
(This does not apply to farms that use a SQL database.)
What is AAD?
Azure Active Directory
What is required to synchronize on-premises ADFS with AAD?
- Create a custom Domain Name in AAD (you cannot sync ADFS with the default .onmicrosoft.com domain you get with an Azure subscription)
- Download and Install Azure AD Connect
- Federate Azure AD with ADFS (this is selected as an option during the installation of Azure AD Connect)
- During the installation, you will need the credentials of an Azure AD user that is a Global Administrator, and an AD Domain Administrator account.
What is the default Domain Name that comes with an Azure Subscription?
.onmicrosoft.com
What computer should Azure AD Connect be installed on?
It can be installed on any server in your environment, whether a domain controller, the ADFS server itself, or any other.
How can you configure Azure MFA for authentication of on-prem applications using an on-prem Azure MFA Server?
- You need to install an on-prem Azure MFA Server
- You can install Azure MFA directly on the ADFS server; but if not, then you need the MFA Adapter for ADFS installed on the ADFS server.
- AAD is not required; no synchronization needed.
- This method supports either Server 2012R2 or 2016
- This only supports MFA for SECONDARY authentication.
How can you configure Azure MFA for authentication of on-prem applications WITHOUT using an on-prem MFA Server?
- ADFS in Server 2016 has a built-in Azure MFA Adapter (as such, this method only supports Server 2016).
- You need AAD, and have it synchronized with your on-prem ADFS.
- To facilitate this, you need Azure AD Premium.
- This method supports MFA for either primary or secondary authentication.
- If using it for primary, your clients will need to use the Microsoft Authenticator App on their phones.
What is the Azure MFA Provider, and how does it work?
A service that runs in the cloud, which can communicate with mobile phones, either through text message, phone call, or mobile app.
- It provides a code that is generated every 30 seconds for MFA purposes.
- It is available for cloud applications within Azure.
- To use it with on-prem applications, you need either an MFA Server, or an on-prem 2016 ADFS which is synchronized with AAD.
For Device Registration, where are devices registered?
- When device registration is turned on in ADFS for Server 2012R2, devices are registered in an on-prem AD.
- When device registration is turned on in ADFS for Server 2016, they are registered in AAD, though it can sync back to the on-prem AD with AAD Connect.
How are devices registered with Device Registration?
For Windows 7, 8, and 8.1, they use “Workplace Join.”
In Windows 10, they use “Add a work or school account.”
How is a Windows Hello PIN more secure than a password?
- It is tied to the device, so even if an attacker knew your PIN, it cannot be used anywhere other than on the device
- It’s backed by the TPM, when available
- It is only stored on the device, not on any server
What is Windows Hello, and how does it work?
A form of two-factor authentication that is tied to a device (factor 1), and uses either a PIN or biometric authentication (factor 2).
The second factor of authentication is called a “Hello.” It could be a fingerprint, a gesture, or facial recognition.
Once unlocked by the “Hello,” the credential on the device is sent to ADFS.
This credential is based either on a certificate or a cryptographic key, which is bound to the TPM if the device has one, or otherwise is created in software.
(The public key is stored in AD or AAD.)
How do you set up directory synchronization between Office 365 and on-premises AD / ADFS?
- From within Office 365, run the Directory Synchronization Wizard.
- This first downloads a utility to evaluate your environment’s AD, domain, objects, etc.
- Next, you must select or add a routable domain, which cannot be the default one that comes with AAD.
- Add necessary records to your domain’s DNS, depending on what Office 365 services you want to use.
- Use IDFix to look for and resolve any problems in your directory.
- Run Azure AD Connect, selecting to Federate with ADFS.
What is AD LDS?
Active Directory Lightweight Directory Services
An LDAP directory that comes with Windows Server. Multiple instances of AD LDS can exist on a single server, each of which can have its own schema.
What is ADFS Proxy?
An older technology, which Web Application Proxy has replaced since Server 2012 R2.
What port does Web Application Proxy use to communicate with ADFS?
TCP 443
How is WAP installed and configured?
Through Add Roles & Features:
- Since 2012 R2, WAP is a role service under the Remote Access server role.
- You can then use the configuration wizard to provide the ADFS server name, admin credentials for ADFS, and the certificate.
Through PowerShell:
- Install-WindowsFeature Web-Application-Proxy
- Install-WebApplicationProxy -FederationServiceName "adfsservername" -FederationServiceCredential $Credential -CertificateThumbprint $Thumbprint
Where is the configuration for WAP stored?
On the ADFS server.
How can you provide High Availability for WAP?
It has nothing built-in, so you would have to put it behind a Network Load Balancer.
What GUI tool is used to manage WAP?
Remote Access Management Console
When publishing an application through WAP, what pre-authentication options are available?
- ADFS: unauthenticated client requests are redirected to the ADFS server. After successful authentication, they are forwarded to the backend application server.
- Pass-through: WAP does not perform any pre-authentication, and just forwards all requests to the backend application server. The application itself will need to do the authentication. (This could be useful for applications using FBA.)
What are new features for WAP in Server 2016?
- Preauthentication for HTTP Basic applications.
- HTTP to HTTPS redirection. (Previously, you had to do a lot of complicated manual configuration in IIS to make this work; now it's just a check box in WAP.)
- Wildcard domain publishing of applications.
- HTTP Publishing
- Publishing of Remote Desktop Gateway apps
What must be provided when publishing an application to WAP?
- the internal URL of the application / backend server
- The thumbprint for the certificate for the application
- the external URL that will be used by clients to access WAP for this application.
- the name to be displayed in the WAP interface
- the external pre-authentication method
- The name of the Relying Party Trust in ADFS.
How do you configure HTTP to HTTPS redirect for WAP?
It’s a simple check box that you mark when publishing an application.
However, WAP does not open port 80 by default.
So, you also need to create a firewall rule to allow inbound traffic over TCP 80.
What does a client need to do to connect to a Remote Desktop Gateway (RDG) Application through WAP?
They need to be using a Microsoft Web Browser, such as IE, and they need to install the ActiveX control that they’re prompted for on the login screen.
If the Published App isn’t configured for Pass-through authentication, then the client will also need to log in twice, once to the WAP, and once to the Remote Desktop Gateway.
What is RDG?
Remote Desktop Gateway
What is AD RMS, and what does it do?
Active Directory Rights Management Services
A Server Role that allows you to create Information Rights Management policies.
The access policies are applied to documents and e-mail messages, and remain with the content as it moves, both online and offline.
Policies are enforced through encryption, certificates, and authentication.
What AD RMS Policy rights can be configured?
- Full Control
- View
- Edit
- Save
- Export (Save As)
- Extract (Copy)
- Forward (for e-mail)
- Reply (for e-mail)
- Reply All (for e-mail)
- Allow Macros
- View Rights
- Edit Rights
How do you install AD RMS using the GUI?
In Roles and Features, install the role “AD Rights Management Services”
Using the GUI, how do you configure an environment's first AD RMS server?
After installing the role,
- Open the configuration Wizard.
- Create a new AD RMS root cluster.
- Choose a SQL server, or use WID (only if you won’t be clustering).
- Specify the service account that RMS will run under. It must be a domain user, but does not need any particular permissions.
- Configure the AD RMS Cluster Key
What is a CSP?
Cryptographic Service Provider
You can offload the processing required for cryptography to the CSP.
What is an SCP, and how does it work?
Service Connection Point
- It is an object in AD that provides the intranet URL of the AD RMS cluster, allowing RMS-aware clients and applications to discover the cluster automatically.
- Only one SCP can exist per forest in AD.
- It is created automatically when the first AD RMS cluster is deployed (though you can opt not to create one). Any future changes to the SCP from then on must be made manually.
What is included in a Distributed Rights Policy Template?
- The name, and the description (which is required)
- Any number of users and groups, which are identified by e-mail address; and the rights assigned to each of them
- The expiration settings for the content
- Additional conditions
- The revocation policy
What happens if a file protected by an AD RMS policy goes past its expiration date?
There are two expirations that can be configured:
Content expiration: The content cannot be accessed until it is republished.
Use license expiration: The user will have to reconnect to the RMS server to obtain a new license. (The use license is cached on the client computer once it’s obtained).
How does Revocation work in AD RMS?
If a revocation policy has been configured in a Rights Policy Template, it points to the URL of a location where the revocation list is published, and settings for how often to check the list, and the public key for the list.
The revocation list contains factors to deny permission to content. Factors include content ID, users, applications, etc.
What is the RMS Client 2.1?
The RMS Client comes installed on every version of Windows from Vista and newer, but 2.1 is a newer version.
For added functionality, it needs to be downloaded and installed. Even Windows 10 doesn’t include this newer version of the client.
One feature it adds, is that by editing the Registry, you can modify how frequently templates are refreshed.
How do you backup and restore AD RMS?
You need three things:
- A securely stored backup copy of the Cluster Key Password
- An export of the Trusted Publishing Domain (exported as an XML file). (Can be exported using the AD RMS Administrative Console.)
- A backup of the RMS Configuration Database (which could be WID or SQL)
What three Databases does AD RMS use?
- Configuration Database
- Directory Services Database
- Logging Database
What ports must be opened in the firewall between a WAP and the internet, and what are they for?
- Port 443 for device authentication of remote users.
- Port 49443 for certificate authentication of remote users.
If using AAD:
- Port 80 for downloading certificate revocation lists to verify SSL certificates
- Port 5985 as the WinRM listener.
How do you add an AD RMS server to an existing RMS cluster with PowerShell?
Either with:
- New-PSDrive
or
- Install-ADRMS
or its alias,
- Install-RMS
What is this cmdlet for?
Install-ADRMS
This is used to create a new AD RMS cluster, or join an existing cluster.
What does a Certificate Authority do?
A CA binds public keys with the respective identities of entities.
- This binding is done through a process of registration and issuance of certificates.
- Certificates have a public key bound to them.
What is AD CS?
Active Directory Certificate Services
Provides customizable services for issuing and managing public key certificates used in software security systems that employ public key technologies.
What is the difference between a Standalone CA and an Enterprise CA?
- A standalone can exist offline, but an Enterprise cannot exist offline.
- Standalone does not depend on AD DS, but Enterprise does.
- A standalone can only get certificates via manual procedure or web enrollment. Enterprise can use these, plus auto-enrollment, enrollment on behalf, or web services enrollment.
- In standalone, all certificates must be approved manually. In Enterprise, they can be issued or denied automatically based on policy.
- Standalone CAs do not support templates. (Therefore, no automatic key archival.)
What is a CRL?
Certificate Revocation List
It is published by a CA, and contains a list of certificates that have been revoked. Clients check the CRL when they need to validate certificates, to check whether the certificates are still valid.
The CRL is cached by clients, who will update it on a set schedule.
What is the current standard, recommended key length (in bits) for CAs to use, and what is the actual minimum?
Standard: 4096.
The default is 2048.
What is a CDP?
CRL Distribution Point
(Certificate Revocation List Distribution Point)
- Included in a certificate, it tells clients where to look for the CRL.