Section 3 - Chapter 17 Flashcards

1
Q

AD FS - Federation Service

A

Created by servers that share a trust policy

2
Q

AD FS - Federation Service Proxy

A

Server that sits in the perimeter network and passes information from the user’s browser to the Federation Service

3
Q

AD FS - 3 Architectural Designs

A

Federated Web SSO - links apps contained within an extranet in the resource org to the internal directory store of the account org

Web SSO - used when users do not have AD DS accounts

Federation with Cloud Services - access to cloud-based services

4
Q

AD FS - Account Federation Server

A

Server that is hosted in the account org’s internal network

Performs claims mapping and issues tokens

Authenticates user

Extracts federation attributes and group membership from the attribute store

Creates claim

Generates and signs security token

5
Q

AD FS - Configuration db

A

db that stores config data for an AD FS instance or Federation Service

SQL Server (all nodes read/write), 2005 or later, created with fsconfig.exe, located centrally, no need to place it on a federation server, auto-discards token replays when detected
or
WID (first/primary node read/write, all others read-only), created with the AD FS Federation Server Config Wizard, stand-alone or farm deployment

6
Q

AD FS - Identity Metasystem Interoperability Protocol (IMIP)

A

Outlines how to provision Information Cards

7
Q

AD FS - Information Cards

A

Digital Identities

Managed - issued by claims providers

Personal - issued by users themselves

8
Q

AD FS - Information Card Group Policies

A

Two GPOs that outline how to provision and how to use Information Cards in AD DS

9
Q

AD FS - Security Assertion Markup Language (SAML)

A

Web SSO protocol that outlines HTTP web browser redirects used to exchange assertion data for authenticating and authorizing clients across firewalls

10
Q

AD FS - SAML Security Token

A

Special data format used to exchange claims between claims providers and relying parties

11
Q

AD FS WS-Federation

A

Web server specification that outlines the standards to be used when implementing federation

12
Q

AD FS Components

A

Attribute Store - db or directory that stores user accounts and attributes

AD FS Config db - scope of a single instance

Claims

Claim Rules

13
Q

AD FS Claims Value and Sources

A

AD FS supports access to apps through the generation of claims

A claim value is sourced from the attribute store or transformed into another claim by applying a rule

Supported: UPN, email, common name, group membership, private personal identifiers, SAML name identifiers, user account or group account SIDs, Windows account names

14
Q

AD FS - Claim Rules

A

Business logic that takes incoming claims, applies conditions and generates outgoing claims

Processed through the claims engine

Supports permitting or denying access to resources within the Federation Service

Processing: passed through as is, filtered to a specific condition, or transformed into a new claim

15
Q

AD FS - Claims Templates

A

Pass through or filter incoming claim

Transform incoming claim

Send LDAP attributes as claim

Send group membership as claim

Send claims using custom rules

Permit or deny users based on incoming claims

Permit all users

16
Q

AD FS - Federation Server Certs

A

Server Authentication Cert - secures web traffic between the federation server and the Federation Service Proxy or web clients, bound to the Default Web Site, aka Server Communication Cert

Token Signing Cert - ensures that the security token cannot be tampered with in transit

AD FS issues a self-signed cert at install; replace it with a cert from a trusted root CA

Verification Cert - public key of the token signing cert

17
Q

AD FS - Federation Service Proxies Certs

A

Server Authentication Cert to support SSL-encrypted communication with web clients

18
Q

AD FS and AD CS

A

The Federation Service can rely on a CA for certs

Certs must come from trusted certificate authorities for outward-facing roles

If the CA is not trusted, you must modify the Trusted Root CA store on each web client

19
Q

AD FS 2.0 vs 1.1

A

Built on interoperability standards of OASIS

Can now be integrated with third-party attribute stores

AD LDS no longer supported as an attribute store

Windows NT token-based web agent no longer supported

Claims aware web agent for SharePoint 2007 no longer supported, use SharePoint 2010

Federated Web SSO with Forest Trust deployment no longer supported

20
Q

AD FS Time Sync

A

Time cannot be off by more than 5 minutes or token time stamps will be invalid; use the PDC Emulator operations master for clock sync

Use Network Time Protocol (NTP) to link servers to an external clock

21
Q

AD FS Config

A

Import the server authentication cert to the default web sites

Config federation servers and federation server proxies (FSPs) in each AD DS domain

Config token-signing and token-decrypting certs on federation servers

Verify operational

22
Q

AD FS - PowerShell

A

AD FS support module:

add-PSSnapin Microsoft.Adfs.Powershell

Federation server proxies can only be managed through Windows PowerShell

23
Q

AD FS - Files Installed

A
Windows PowerShell
.NET Framework
Web Server (IIS)
Windows Identity Foundation
24
Q

AD FS - Default Web Sites Config

A

Admin Tools, IIS Manager, ServerName, Server Certs, Create Cert

Sites, Default Web Site, bindings

25
Q

AD FS Config Wizard

A

Stop AD FS server
Start WID db service
Generate signing and token encryption certs and set to auto rollover
Select SSL Cert
Assign Network Service Account - gives access to the db, cert private keys and endpoints
Enable default set of endpoints
Deploy browser sign in web site
Federation Service name Server03.contoso.com
Start AD FS server

26
Q

AD FS Client Computers

A

Enable IE to access and trust the account federation server

GPMC - User Config, Policies, Windows Settings, IE Maintenance, Security

Distribute federation certs to clients

GPMC - Computer Config, Policies\Windows Settings\Security Settings\Public Key Policies

Trusted Root Cert Authorities, Import