7.2.4 Practice Questions
School: ITT Technical Institute Knoxville campus
Course: 2339
Subject: Information Systems
Date: Apr 3, 2024
Type: docx
Pages: 12
Uploaded by niavek
Score: 63%
Passing Score: 80%
Question 1.
Correct
You are the network administrator for corpnet.com. You have implemented Active Directory Federation Services (AD FS). A vendor named partner.com has a web application named App1 that your users will access using AD FS. You need to export the AD FS metadata so that the administrator at partner.com can create a Claims Provider Trust.
Which node in the AD FS management console should you use?
Options:
o Attribute Stores
o Endpoints (Correct Answer)
o Claims Descriptions
o Certificates
Explanation
You should use the Endpoints node.
The Endpoints node contains the URLs for the AD FS metadata. You would use the URL information in the Endpoints node to locate the metadata. Then you need to open the metadata in a browser and copy the source code to an XML file that can be sent to the partner organization.
AD FS includes built-in attribute stores that you can use to query for claim information from external data stores, such as Enterprise Active Directory, Lightweight Directory Access Protocol (LDAP) directories, and Microsoft SQL Server. You would need to configure an attribute store only if you intended to use claims from external data stores.
AD FS Claims Descriptions represent a list of claim types that AD FS supports and that may be published in federation metadata. You would need to configure Claims Descriptions only if you need AD FS to use a claim that does not already exist.
The Certificates node contains the certificates used by AD FS. You could use the Certificates node to manage the certificates (for example, to export the Token Signing certificate for use by an application).
References
o 7.2.1 AD FS Trusts
o 7.2.2 Creating an AD FS Trust
o 7.2.3 AD FS Trusts Facts
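The same task done from PowerShell, as an added example that is not part of the practice questions: Get-AdfsEndpoint is the command-line view of the Endpoints node, and the metadata is downloaded as served rather than copied from a browser. It assumes it runs on the AD FS server; the output path is an assumption.

```powershell
# Added example: locate the federation metadata endpoint and save the metadata
# as an XML file for the partner administrator. Assumes the ADFS module is
# available locally; the output file name is an assumption.
Import-Module ADFS

$metadataEndpoint = Get-AdfsEndpoint |
    Where-Object { $_.AddressPath -like '*FederationMetadata*' -and $_.Enabled } |
    Select-Object -First 1
if (-not $metadataEndpoint) { throw 'Federation metadata endpoint is not enabled' }

# Fetch the metadata exactly as served; it is signed, so never hand-edit the file.
$outFile = Join-Path $env:TEMP 'corpnet-federationmetadata.xml'
Invoke-WebRequest -Uri $metadataEndpoint.FullUrl -OutFile $outFile -UseBasicParsing

# Sanity check before sending it: a well-formed EntityDescriptor with a Signature.
[xml]$md = Get-Content -Path $outFile -Raw
if (-not ($md.EntityDescriptor -and $md.EntityDescriptor.Signature)) {
    throw "Unexpected content at $($metadataEndpoint.FullUrl)"
}
"Metadata for $($md.EntityDescriptor.entityID) saved to $outFile"
```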
Question 2.
Correct
You are the manager for the westsim.com domain. Your company has just started a collaborative effort with a partner company. Their network has a single domain named eastsim.com.
Users in your domain must be able to run an application located in the eastsim.com domain. The application must authenticate users and then control access within the application. You want to implement a single sign-on solution so that users do not need to have different user credentials or supply those credentials multiple times.
You need to configure this solution without allowing too many permissions. What should you do?
Options:
o Create a forest root trust between westsim.com and eastsim.com.
o Implement Active Directory Rights Management Services (AD RMS).
o Create a one-way external trust between westsim.com and eastsim.com.
o Implement Active Directory Federation Services (AD FS). (Correct Answer)
Explanation
In this scenario, Active Directory Federation Services (AD FS) is a good choice. AD FS allows access to applications in partner organizations without creating Active Directory trusts.
It also allows for single sign-on of resources in the partner organization.
Use Active Directory Rights Management Services (AD RMS) to control access to digital documents. AD RMS can be used together with AD FS, but the access described in the scenario is allowed through AD FS, not AD RMS.
Using trust relationships would result in too many permissions being granted.
References
o 7.2.1 AD FS Trusts
o 7.2.2 Creating an AD FS Trust
o 7.2.3 AD FS Trusts Facts
Question 3.
Incorrect
Match the appropriate Active Directory Federation Services (AD FS) partner type on the left with the task that partner is responsible for in a federation trust. Each partner type can be used more than once.
o Storing user accounts in Active Directory: Account partner (Correct Answer)
o Claim mapping: Incorrect Answer: Account partner. Correct Answer: Resource partner
o Issuing security tokens for applications: Resource partner (Correct Answer)
o Collecting and authenticating user credentials: Account partner (Correct Answer)
o Issuing cookies to user accounts: Resource partner (Correct Answer)
o Building claims for users: Account partner (Correct Answer)
o Packaging claims into security tokens: Incorrect Answer: Resource partner. Correct Answer: Account partner
o Issuing security tokens to users: Account partner (Correct Answer)
Explanation
A federation trust is a one-way, non-transitive relationship that is established between an account partner and a resource partner. The account partner is the member that maintains the user accounts and is trusted to provide security tokens. The account partner is responsible for:
o Storing user accounts in either an Active Directory store or an AD LDS store.
o Collecting and authenticating user credentials.
o Building up claims for users.
o Packaging claims into security tokens.
o Issuing security tokens to users in the account partner realm.
The resource partner is the member that holds resources that need to be accessed by users. The resource partner is responsible for:
o Validating the security tokens issued by the account partner.
o Consuming (reading or interpreting) the claims that are packaged in security tokens to make authentication decisions regarding the level of resource access allowed. Claim mapping is the process of examining an incoming claim and filtering it to extract appropriate authorizations for a user.
o Issuing security tokens for the applications.
o Issuing cookies to the user accounts. These cookies allow the user to maintain Single Sign-On (SSO) login status when the user accesses multiple applications at the resource partner.
References
o 7.2.1 AD FS Trusts
o 7.2.2 Creating an AD FS Trust
o 7.2.3 AD FS Trusts Facts
Question 4.
Incorrect
Match the Active Directory Federation Services (AD FS) component on the right with the appropriate description on the left.
o Resource partner: Incorrect Answer: A service that secures access to the web applications that are hosted on web servers. Correct Answer: A member of a federation partnership that trusts the Federation Service to provide claims-based security tokens.
o Claim: Incorrect Answer: A member of a federation partnership that trusts the Federation Service to provide claims-based security tokens. Correct Answer: A statement made by a server about a digital identity.
o Single Sign-on: Incorrect Answer: A digitally-signed object that contains claims for a given user. Correct Answer: An AD FS function that allows users to access multiple systems without repeatedly supplying login credentials.
o Security token: Incorrect Answer: A statement made by a server about a digital identity. Correct Answer: A digitally-signed object that contains claims for a given user.
o Account partner: Incorrect Answer: An AD FS function that allows users to access multiple systems without repeatedly supplying login credentials. Correct Answer: A member of a federation partnership that is trusted by the Federation Service to provide security tokens.
o AD FS web agent: Incorrect Answer: A member of a federation partnership that is trusted by the Federation Service to provide security tokens. Correct Answer: A service that secures access to the web applications that are hosted on web servers.
Explanation
The following components are part of an overall AD FS implementation:
o An account partner is the member of a federation partnership that is trusted by the Federation Service to provide security tokens.
o The AD FS Web agent is an agent that is installed on an IIS web server that provides secure access to the web applications that are hosted on web servers.
o A claim is a statement made by a server about a digital identity, such as capabilities, entitlement rights, groups, keys, name, and privileges.
o The resource partner is the member of a federation partnership that trusts the Federation Service to provide claims-based security tokens.
o A security token is a digitally-signed object that contains claims for a given user.
o Single Sign-on (SSO) is an authentication solution that allows a user to access multiple platforms without re-supplying their login credentials.
References
o 7.2.1 AD FS Trusts
o 7.2.2 Creating an AD FS Trust
o 7.2.3 AD FS Trusts Facts
Question 5.
Incorrect
You are implementing a federated trust using Active Directory Federation Services (AD FS). Your organization is the accounts partner while the other organization is the resource partner. You've established a working relationship with a peer administrator in the resource partner organization.
The AD FS servers in both organizations require a certificate for issuing tokens. Certificate services in both organizations are provided by an Active Directory Certification Authority (AD CA) running on Windows Server 2012 R2.
You and your peer administrator need to configure both CAs to support the federated trust. Arrange the configuration tasks on the left that you need to complete in the correct order on the right.
o Step 1: Incorrect Answer: Enroll the SSL certificates on the AD FS servers. Correct Answer: Issue an SSL certificate to the root CAs in both forests.
o Step 2: Incorrect Answer: Issue an SSL certificate to the root CAs in both forests. Correct Answer: Export both root CAs' certificates.
o Step 3: Incorrect Answer: Configure each AD FS server to trust the root CAs from the other forest. Correct Answer: Enroll the SSL certificates on the AD FS servers.
o Step 4: Configure each server to trust its own root CA. (Correct Answer)
o Step 5: Incorrect Answer: Export both root CAs' certificates. Correct Answer: Configure each AD FS server to trust the root CAs from the other forest.
Explanation
An AD FS server requires a certificate for issuing tokens; the token is digitally signed to verify that the token was issued by the AD FS server. The following relationships must be configured:
o The AD FS servers must trust the CAs where they get their own certificates from.
o The accounts and resource partner servers must trust the CAs where they get their own certificates from.
o The AD FS servers must trust the CAs from the other forest.
To configure these relationships, complete the following:
o Issue an SSL certificate to the root CAs in both forests.
o Export both root CAs' certificates.
o Enroll the SSL certificates on the AD FS servers.
o Configure each server to trust its own root CA.
o Configure each AD FS server to trust the root CAs from the other forest.
References
o 7.2.1 AD FS Trusts
o 7.2.2 Creating an AD FS Trust
o 7.2.3 AD FS Trusts Facts
Question 6.
Correct
You are configuring certificates for a federation trust. You've already issued SSL certificates to the root CAs in both the accounts and partner forests. Now you need to export both root CAs' certificates so they can later be imported in the opposite forests.
Click on the option you would use in the Certificates MMC console to accomplish this task.
Correct Answer: selected
Explanation
An AD FS server requires a certificate for issuing tokens; the token is digitally signed to verify that the token was issued by the AD FS server. For this process to work in a federated trust, the AD FS servers must trust the CAs from the other partner's forest. First, you must issue an SSL certificate to the root CAs in both forests. Then you need to export both root CAs' certificates.
To export these certificates, you must do the following on the root CAs in both forests:
o In the Certificates console, navigate to Certificates > Personal > Certificates.
o Right-click the CA certificate and select All Tasks > Export.
o Use the Certificate Export wizard to export the CA certificate. Do not export the private key. Export the certificate to a DER encoded binary X.509 file.
References
o 7.2.1 AD FS Trusts
o 7.2.2 Creating an AD FS Trust
o 7.2.3 AD FS Trusts Facts
Question 7.
Correct
You are configuring certificates for a federation trust. You've already issued SSL certificates to the root CAs in both the accounts and partner forests and exported both root CAs' certificates.
Now you need to import these certificates in the opposite forests. The accounts partner's certificate needs to be imported into the resource partner's CA and vice-versa.
Click on the option you would use in the Certificates MMC console to do this.
Correct Answer: selected
Explanation
An AD FS server requires a certificate for issuing tokens; the token is digitally signed to verify that the token was issued by the AD FS server. For this process to work in a federated trust, the AD FS servers must trust the CAs from the other partner's forest. First, you must issue an SSL certificate to the root CAs in both forests. Then you need to export both root CAs' certificates.
To configure each AD FS server to trust the root CAs from the other forest, you must do the following on the root CAs in both forests:
o In the Certificates console, right-click Trusted Root Certification Authorities and select All Tasks > Import.
o Browse to and select the root CA certificate file exported from the CA in the other forest.
o Import the certificate into the Trusted Root Certification Authorities store of the local computer.
References
o 7.2.1 AD FS Trusts
o 7.2.2 Creating an AD FS Trust
o 7.2.3 AD FS Trusts Facts
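The export and import steps from Questions 5 through 7 carried out with the PKI module instead of the Certificates MMC console, as an added example that is not part of the practice questions. Part 1 runs on a root CA and writes only the public certificate (DER-encoded X.509, no private key); Part 2 runs on the server that must trust the other forest and checks the file before it lands in the Trusted Root store. File names and the expected thumbprint are assumptions.

```powershell
# Added example: PowerShell equivalent of the MMC export/import steps.
# Part 1 runs on the root CA; Part 2 runs on each AD FS server that must trust
# the OTHER forest's root CA. File paths and the thumbprint are placeholders.
Import-Module PKI

# --- Part 1 (root CA): export the CA certificate from Personal, public part only.
$caCert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $_.Issuer -and $_.HasPrivateKey } |   # self-signed root
    Sort-Object NotAfter -Descending | Select-Object -First 1           # newest if renewed
if (-not $caCert) { throw 'No root CA certificate found in the Personal store' }
$exportPath = "C:\Temp\$($env:COMPUTERNAME)-root.cer"
# -Type CERT writes DER-encoded binary X.509; Export-Certificate never writes a private key.
Export-Certificate -Cert $caCert -FilePath $exportPath -Type CERT

# --- Part 2 (AD FS server): import the other forest's root into Trusted Root.
$file = 'C:\Temp\partner-root.cer'   # file received from the peer administrator
$incoming = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file

# Compare the thumbprint with the value the peer administrator confirms out of band
# before adding anything to the Root store; 'EXPECTED-THUMBPRINT' is a placeholder.
if ($incoming.Thumbprint -ne 'EXPECTED-THUMBPRINT') {
    throw "Thumbprint mismatch for $file : $($incoming.Thumbprint)"
}
if ($incoming.Subject -ne $incoming.Issuer) {
    throw 'Not a self-signed root certificate; refusing to place it in the Root store'
}
Import-Certificate -FilePath $file -CertStoreLocation Cert:\LocalMachine\Root
```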
Question 8.
Correct
You are the network administrator for corpnet.com. You have installed the Active Directory Federation Services (AD FS) Role on a server named ADFS1. The company hosts a web application named App1. You have created a Relying Party Trust that points to App1.
You plan to allow users from a vendor named partner.com access to App1. partner.com has implemented AD FS and created a Relying Party Trust that will send the user's email addresses and group membership to your AD FS server.
You need to configure AD FS to accept the claims coming from the partner.com AD FS server and send them to App1.
What should you do?
Options:
o Create a Relying Party trust and then create an Issuance Transform rule.
o Create a Claims Provider trust and then create an Acceptance Transform rule. (Correct Answer)
o Create a Relying Party trust and then create an Issuance Authorization rule.
o Create a Relying Party trust and then create a Delegation Authorization rule.
Explanation
You should create a Claims Provider trust and then create an Acceptance Transform rule.
Whenever your AD FS server will be receiving claims from another organization, you must create a Claims Provider trust. Once the Claims Provider trust has been created, you will be prompted to create an Acceptance Transform rule. You create this rule to identify which claims will be coming from the partner AD FS server and how they will be passed to the application for which you have created a Relying Party trust.
You create a Relying Party trust to represent whatever application or AD FS server will be accepting claims from your AD FS server. Issuance Transform rules are used to identify the claims that will be passed to the Relying Party. For example, you can specify that the user's email address in Active Directory will be passed to the Relying Party as an outgoing claim type of email address.
Issuance Authorization rules are used to determine whether or not a user has access to a relying party application. Delegation Authorization determines whether a user can act as another user to the relying party.
References
o 7.2.1 AD FS Trusts
o 7.2.2 Creating an AD FS Trust
o 7.2.3 AD FS Trusts Facts
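The correct answer expressed in PowerShell and the AD FS claim rule language, as an added example that is not part of the practice questions: the Claims Provider trust for partner.com gets an Acceptance Transform rule set that admits only the e-mail and group claims the partner was agreed to send, and the existing Relying Party trust for App1 gets an Issuance Transform rule that forwards exactly those claims. The partner metadata URL and trust names are assumptions.

```powershell
# Added example: Claims Provider trust + Acceptance Transform rules for incoming
# partner claims, then Issuance Transform rules on the App1 Relying Party trust.
# The metadata URL and trust names are assumptions.
Import-Module ADFS

# Acceptance Transform rules: anything the partner sends that is not matched by
# a rule here is dropped before it can reach any relying party.
$acceptanceRules = @'
@RuleName = "Accept partner e-mail address"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(claim = c);

@RuleName = "Accept partner group membership"
c:[Type == "http://schemas.xmlsoap.org/claims/Group"]
 => issue(claim = c);
'@

Add-AdfsClaimsProviderTrust -Name 'partner.com' `
    -MetadataUrl 'https://adfs.partner.com/FederationMetadata/2007-06/FederationMetadata.xml' `
    -AcceptanceTransformRules $acceptanceRules

# Issuance Transform rules on the Relying Party trust for App1: forward only the
# two accepted claim types, so App1 sees nothing beyond what was agreed.
$issuanceRules = @'
@RuleName = "Forward e-mail and group to App1"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(claim = c);
c:[Type == "http://schemas.xmlsoap.org/claims/Group"]
 => issue(claim = c);
'@
Set-AdfsRelyingPartyTrust -TargetName 'App1' -IssuanceTransformRules $issuanceRules

# Review what each trust will actually let through.
(Get-AdfsClaimsProviderTrust -Name 'partner.com').AcceptanceTransformRules
(Get-AdfsRelyingPartyTrust -Name 'App1').IssuanceTransformRules
```

Issuance Authorization rules on the App1 trust still decide whether a given user is permitted at all; the transform rules above only shape which claims travel with the token.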