Your network contains a perimeter network and an internal network. The internal network
contains an Active Directory Federation Services (AD FS) 2.1 infrastructure. The
infrastructure uses Active Directory as the attribute store.
You plan to deploy a federation server proxy to a server named Server2 in the perimeter network.
You need to identify which value must be included in the certificate that is deployed to Server2.
What should you identify?
A. The FQDN of the AD FS server
B. The name of the Federation Service
C. The name of the Active Directory domain
D. The public IP address of Server2
Explanation:
B. The server authentication (SSL) certificate on a federation server proxy must carry the Federation Service name, either as its subject name, as a DNS Subject Alternative Name, or via a wildcard that covers it; the value is the one shown in the Federation Service name box under Edit Federation Service Properties in the AD FS Management snap-in, for example fs.fabrikam.com. That name is an FQDN, but it is the name of the service, not the host name of the AD FS server (in a farm it must not equal any computer name in the forest, because the HOST/ SPN for that name already belongs to the computer account). The recommended setup is to use the same server authentication certificate on the federation servers and on the proxy.
http://technet.microsoft.com/en-us/library/cc776786(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc782620(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc759635(v=ws.10).aspx
I would think the answer would be B – The name of the Federation Service.
http://technet.microsoft.com/en-us/library/dd807054.aspx
Look at para:
It is important to verify that the subject name in the server authentication certificate matches the Federation Service name value that is specified in the AD FS Management snap-in. To locate this value, open the snap-in, right-click Service, click Edit Federation Service Properties, and then find the value in Federation Service name text box.
B is correct
http://technet.microsoft.com/en-us/library/dd807054.aspx
It is important to verify that the subject name in the server authentication certificate matches the Federation Service name value that is specified in the AD FS Management snap-in. T
A is correct:
In the Federation service name box, enter the fully qualified domain name (FQDN) of the AD FS server; for example, fs.fabrikam.com.
Federation service name = The FQDN of the AD FS server
http://technet.microsoft.com/en-us/library/dn528859.aspx
Any confirmation on this??
It's very confusing, but I have to go with B, as TechNet says
It is important to verify that the subject name in the server authentication certificate matches the Federation Service name value that is specified in the AD FS Management snap-in.
So if it ends up being the FQDN of the server, so be it; it is still the Federation Service name.
Technet is not very clear on this. This is what I’ve found: http://technet.microsoft.com/en-us/library/dn383662.aspx
Subject has to be the FQDN of the server and resolvable on the internet (obvious as it’s a web service). The Common name of the certificate should also be the FQDN, or the Federation Service Name. In most cases both are identical if the server is internet facing. So I think the trick in this question is that option A. refers to the FQDN of the AD FS server, and not to the FQDN of the ADFS Proxy server (which should have been correct).
That leaves option B.
Outstanding reply. I believe that you are right. I was a little confused as well but technet is very specific about ensuring that the Federation service name be included in the certificate.
My confusion was regarding the fact that the Federation Service name should normally be the FQDN of the AD FS server. The difference here, as you stated, is that you are using an AD FS Proxy Server, so A cannot be correct and would only be correct if it said “The FQDN of the AD FS Proxy Server.”
Tell the correct answer please?
The answer is A! You must associate the FQDN with the service name..
http://social.technet.microsoft.com/wiki/contents/articles/4177.ad-fs-2-0-guidance-for-selecting-and-utilizing-a-federation-service-name.aspx
https://technet.microsoft.com/en-us/library/dn528859.aspx
On the Federation Server dialog, do the following, and then click Next:
In the Federation service name box, enter the fully qualified domain name (FQDN) of the AD FS server; for example, fs.fabrikam.com.
On the AD FS Proxy Certificate dialog, in the list of certificates currently installed on the Web Application Proxy server, select a certificate to be used by Web Application Proxy for AD FS proxy functionality, and then click Next.
The certificate you choose here should be the one whose subject is the Federation Service name, for example, fs.fabrikam.com.
Correction:
The Answer is B
http://social.technet.microsoft.com/wiki/contents/articles/4177.ad-fs-2-0-guidance-for-selecting-and-utilizing-a-federation-service-name.aspx
3. The subject of all SSL certificates in the farm, including all Federation Servers and Federation Server Proxies, must utilize the Federation Service Name. It is important to note that wildcard and Subject Alternative Name (SAN) certificates are supported.
Example of a failing scenario
The Federation Service Name is SSO.CONTOSO.COM and the subject of the SSL certificate on a Federation Server in the farm is ADFS.CONTOSO.COM. This SSL certificate does not make use of wildcard or SAN.
Example of a working scenario
The Federation Service Name is SSO.CONTOSO.COM and the subject of the SSL certificate on all Federation Servers and Federation Server Proxies is SSO.CONTOSO.COM.
Example 2 of a working scenario
The Federation Service Name is SSO.CONTOSO.COM and the subject of the SSL certificate on all Federation Servers and Federation Server Proxies is *.CONTOSO.COM. This shows the supported use of a wildcard subject.
Example 3 of a working scenario
The Federation Service Name is SSO.CONTOSO.COM and the subject of the SSL certificate on all Federation Servers and Federation Server Proxies is ADFS.CONTOSO.COM. This SSL certificate also has a SAN of DNS name = SSO.CONTOSO.COM. This shows the supported use of a SAN.
Here is the second reason why A is wrong
Items for Consideration
1. The Federation Service Name must never equal any machine name in the Active Directory forest when you are deploying an AD FS 2.0 farm. This requirement is in place to allow Kerberos authentication to succeed for your Federation Service.
Example of a failing scenario
The Federation Service Name is ADFS.CONTOSO.COM and the host names of the two Federation Servers in your farm are: ADFS.CONTOSO.COM and ADFS2.CONTOSO.COM. Kerberos authentication will fail because your AD FS 2.0 service account needs to have the following servicePrincipalName (SPN) registered: HOST/ADFS.CONTOSO.COM. Since you already have a computer in Active Directory named ADFS.CONTOSO.COM, the HOST/ADFS.CONTOSO.COM SPN is already registered to this computer account, which means that registering this SPN to your AD FS 2.0 service account is not an option.
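The failing and working scenarios quoted above reduce to a small matching rule, shown here as an added Python example (not code from this page or from Microsoft): a certificate covers the Federation Service name if its subject CN or a DNS SAN equals that name, or a wildcard stands in for exactly the leftmost label; and the service name must not equal any farm member's host name, or the HOST/ SPN is already taken. The certificate names, service names and host names below are constructed for the example; nothing is read from a real certificate store.

```python
"""Check an SSL certificate's names against an AD FS Federation Service name.

Added example following the rules quoted from the TechNet wiki on this page:
exact subject match, single-label wildcard, or DNS SAN; plus the rule that
the service name must not collide with a farm member's host name.
All inputs are constructed; nothing is read from a certificate store.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class CertNames:
    """DNS names carried by a server authentication certificate."""
    subject_cn: str
    san_dns: Tuple[str, ...] = ()


def _norm(name: str) -> str:
    return name.strip().rstrip(".").lower()


def name_matches(pattern: str, target: str) -> bool:
    """True if a certificate name (possibly a wildcard) covers target.

    A wildcard only stands in for the single leftmost label, so
    *.contoso.com covers sso.contoso.com but neither a.sso.contoso.com
    nor contoso.com itself.
    """
    pattern, target = _norm(pattern), _norm(target)
    if pattern == target:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                 # ".contoso.com"
        if not target.endswith(suffix):
            return False
        leftmost = target[: -len(suffix)]    # the label the wildcard replaces
        return leftmost != "" and "." not in leftmost
    return False


def matching_names(cert: CertNames, fs_name: str) -> List[str]:
    """All names on the certificate that cover the Federation Service name."""
    return [n for n in (cert.subject_cn, *cert.san_dns) if name_matches(n, fs_name)]


def spn_conflicts(fs_name: str, farm_hostnames: Sequence[str]) -> List[str]:
    """Farm members whose host name equals the service name.

    HOST/<name> is already registered to such a computer account, so it
    cannot also be registered to the AD FS service account.
    """
    return [h for h in farm_hostnames if _norm(h) == _norm(fs_name)]


def check_deployment(fs_name: str, cert: CertNames,
                     farm_hostnames: Sequence[str] = ()) -> List[str]:
    """Return findings for this certificate; an empty list means it is usable."""
    findings: List[str] = []
    matches = matching_names(cert, fs_name)
    if not matches:
        findings.append(
            f"FAIL: no subject or DNS SAN on the certificate covers {fs_name} "
            f"(subject={cert.subject_cn!r}, san={list(cert.san_dns)})")
    elif not cert.san_dns:
        # Current browsers (Chrome since 58) ignore the CN and require a DNS SAN,
        # so a CN-only match passes the AD FS rule but will fail real clients.
        findings.append(f"WARN: {fs_name} matched only via subject CN; add a DNS SAN")
    for host in spn_conflicts(fs_name, farm_hostnames):
        findings.append(f"FAIL: service name {fs_name} equals farm host name {host}; "
                        f"the HOST/{fs_name.upper()} SPN belongs to that computer account")
    return findings


# Constructed scenarios mirroring the ones quoted from the TechNet wiki above.
SCENARIOS = {
    "failing":  ("sso.contoso.com", CertNames("adfs.contoso.com")),
    "exact":    ("sso.contoso.com", CertNames("sso.contoso.com", ("sso.contoso.com",))),
    "wildcard": ("sso.contoso.com", CertNames("*.contoso.com", ("*.contoso.com",))),
    "san":      ("sso.contoso.com", CertNames("adfs.contoso.com",
                                              ("adfs.contoso.com", "sso.contoso.com"))),
}

if __name__ == "__main__":
    for label, (fs, cert) in SCENARIOS.items():
        print(label, check_deployment(fs, cert) or "OK")
    # Kerberos failing scenario: service name equal to a farm member's host name.
    print("spn", check_deployment("adfs.contoso.com",
                                  CertNames("adfs.contoso.com", ("adfs.contoso.com",)),
                                  ["adfs.contoso.com", "adfs2.contoso.com"]))
```

On a real Server2 the same check is applied to the certificate you would pass to Install-WebApplicationProxy by thumbprint: read its subject and SAN extension, and compare against the Federation Service name from the AD FS Management snap-in, not against the host name of the AD FS server or of the proxy.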
Great correction, Bigfly! thanks.
the correct answer is A
https://technet.microsoft.com/en-us/library/dn528859.aspx
Install-WebApplicationProxy -CertificateThumbprint '1a2b3c4d5e6f1a2b3c4d5e6f1a2b3c4d5e6f1a2b' -FederationServiceName fs.fabrikam.com
The correct answer is A.
https://technet.microsoft.com/en-us/library/dn528859.aspx
On the Web Application Proxy Configuration Wizard, on the Welcome dialog, click Next.
On the Federation Server dialog, do the following, and then click Next:
In the Federation service name box, enter the fully qualified domain name (FQDN) of the AD FS server; for example, fs.fabrikam.com.
Answer is B:
https://technet.microsoft.com/en-us/library/dd807054.aspx
“It is important to verify that the subject name in the server authentication certificate matches the Federation Service name value that is specified in the AD FS Management snap-in. To locate this value, open the snap-in, right-click Service, click Edit Federation Service Properties, and then find the value in Federation Service name text box.”
So we’re agreed it’s answer A or B then ! 🙂
I hope this question is no longer in the exam but reading through this I’d go with B.
It’s apparently still on the exam I was told by a friend who just passed it.
The question here is “which value” must be included.
The “value” in the Federation Service that needs to be entered is the FQDN value, so I guess that A must be the correct answer.
B
Checklist: Setting Up a Federation Server Proxy
(https://technet.microsoft.com/en-us/library/dd807100.aspx)
Certificate Requirements for Federation Server Proxies
“It is important to verify that the subject name in the server authentication certificate matches the Federation Service name value that is specified in the AD FS Management snap-in. To locate this value, open the snap-in, right-click Service, click Edit Federation Service Properties, and then find the value in Federation Service name text box.”
https://technet.microsoft.com/en-us/library/dd807054.aspx
arch!!
The certificate is for the federation proxy (server2) in the perimeter network.
For what purpose? Why do you want that certificate? Well?
Answer A.
You want to be sure you're talking to Server2, and not a server of Ihackedyourdomain.com.
http://scug.be/sccm/2013/07/08/prepare-to-install-adfs-2-1-services-to-have-singlesignon-sso-in-windows-intune-waved-part-2/
http://pipe2text.com/?page_id=399
Watching some of these step-by-step guides, and also how the last link explains it, in the comment field too (even if it is AD FS 2.0 in that one).
Everything points to B, being the correct answer.
Folks,
the answer is B please refer to the following links:
1. https://technet.microsoft.com/en-us/library/dd807054.aspx
2. https://technet.microsoft.com/en-us/library/dn151311.aspx#BKMK_2
correct 🙂 Thanks
https://technet.microsoft.com/en-us/library/dn151311.aspx
B
It is B (name of federation service). please check at https://technet.microsoft.com/en-gb/library/dn151311.aspx#BKMK_2
M$ and their stupid fing questions.
A it is… lol
every other site says A. gotta go with majority on this one ^_^
Well, it’s also specified in the answer, in # 3 (type “fs” if fqdn is fs.fabrikam.com)
So, answer is B
I also tend to agree with B as the answer since the way I read this question, the question is asking about what to include in the certificate, while A would have been the answer if the question was about configuring the federation server proxy itself.
It’s A.
Why? > Perimeter network
If it is located on the internal network, B would be correct, but here you’ll need an FQDN
Use wildcard certificates, and you forget about all this confusion! 😀
I go for answer B, https://technet.microsoft.com/en-us/library/dd807054.aspx . That is the requirement for an AD FS proxy server
Checked out my company setup to see how this was done. We have the exact setup described in the question: an ADFS proxy in the DMZ pointed to our internal ADFS server. The cert on our proxy server was issued by GoDaddy with the name of our Federation Service. Seems to me like the answer is B.
Also, why does the explanation for this question have a description of how to add a DNS record? What does that have to do with the question?
This DNS record is very important. See:
https://technet.microsoft.com/en-us/library/dd807055.aspx
If I want to know what name of the federation service to fill in, I look at the FQDN.
So I stay with A.
check also:
http://blogs.technet.com/b/askds/archive/2012/01/05/understanding-the-ad-fs-2-0-proxy.aspx
(Basic Configuration of the AD FS 2.0 Proxy:)
http://technet.microsoft.com/en-us/library/cc776786(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc782620(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc759635(v=ws.10).aspx
I suspected that the correct answer was B, and so I confirmed with my teacher from the official Microsoft course, and he confirmed that the correct answer is indeed B. He also mentioned that the name of the federation service is an FQDN, so that’s maybe what causes the confusion.
You can also check this link: https://msdn.microsoft.com/en-us/library/azure/dn151311.aspx
“Federation server certificates
AD FS requires a certificate for SSL server authentication on each federation server in your federation server farm. The same certificate should be used on each federation server in a farm. You must have both the certificate and its private key available. For example, if you have the certificate and its private key in a .pfx file, you will be able to import the file directly into the Active Directory Federation Services Configuration Wizard. This SSL certificate must contain the following:
1. Subject name and subject alternative name must contain your federation service name, such as fs.contoso.com
2. Subject alternative name must contain the value enterpriseregistration followed by the UPN suffix of your organization, such as, for example, enterpriseregistration.corp.contoso.com
”
And Also:
“Proxy computer certificates
This is same server authentication certificate as the one used by the federation servers in the corporate network. This certificate must have the same subject name as the SSL certificate configured on the federation server in the corporate network. “
what section would this be under?
if you list the section I can tell you the answer to the question
This is a standard SSL certificate that is used for securing communications between a federation server, federation server proxy or Web Application Proxy, and Internet client computers.
This is same server authentication certificate as the one used by the federation servers in the corporate network. This certificate must have the same subject name as the SSL certificate configured on the federation server in the corporate network.
If you are using AD FS in Windows Server 2008 or Windows Server 2012, you must install this certificate on the Default Web Site of the federation server proxy computer.
If you are using AD FS in Windows Server 2012 R2, you must import this certificate to the Personal Certificates store on the computer that will function as your Web Application Proxy.
Recommendation: Use the same server authentication certificate as is configured on the federation server that this federation server proxy or Web Application Proxy will connect to.
Can’t understand what all the fuss is about. There’s at least two different technet pages clearly stating that you need to specify the name of the federation services.
That settles it for me.
https://technet.microsoft.com/en-us/library/dn528859.aspx
“The certificate you choose here should be the one whose subject is the *Federation Service name*, for example, fs.fabrikam.com.”
https://technet.microsoft.com/en-us/library/dd807054(v=ws.11).aspx
“It is important to verify that the subject name in the server authentication certificate matches the Federation Service name value that is specified in the AD FS Management snap-in.”
What more do you need?
Answer is B.
I go with B also;
https://technet.microsoft.com/en-us/library/dn781428(v=ws.11).aspx
Obtain and Configure an SSL Certificate for AD FS
Your federation service name, such as fs.contoso.com (or an appropriate wildcard entry such as *.contoso.com)
If you are using AD FS with Device Registration Service (DRS), add an additional SAN of type DNS for each UPN suffix in use in your environment, for example enterpriseregistration.contoso.com.
—————————-
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/design/certificate-requirements-for-federation-server-proxies
Certificate Requirements for Federation Server Proxies
When you have a federation server proxy farm, all federation server proxy computers must use the same server authentication certificate. For more information, see When to Create a Federation Server Proxy Farm.
It is important to verify that the subject name in the server authentication certificate matches the Federation Service name value that is specified in the AD FS Management snap-in.
To locate this value, open the snap-in, right-click Service, click Edit Federation Service Properties, and then find the value in Federation Service name text box.