DRAG DROP
Your network contains an Active Directory domain named contoso.com. The domain
contains two servers named Server1 and Server3. The network contains a standalone
server named Server2.
All servers run Windows Server 2012 R2. The servers are configured as shown in the
following table.
Server3 hosts an application named App1. App1 is accessible internally by using the URL
https://app1.contoso.com. App1 only supports Integrated Windows authentication.
You need to ensure that all users from the Internet are pre-authenticated before they can
access App1.
What should you do?
To answer, drag the appropriate servers to the correct actions. Each server may be used
once, more than once, or not at all. You may need to drag the split bar between panes or
scroll to view content.
I know we need to install an SSL certificate on the web server. The last one should be Server3.
On the other hand, because we want all the users pre-authenticated before they hit the web server, we can install the certificate on Server2. So the last one could be Server2.
https://technet.microsoft.com/en-us/library/dn383640.aspx
Pertinent information from bobsmith’s link:
This procedure describes how to publish an application that uses Integrated Windows authentication, such as Outlook Web App, that will be accessed by web browser clients. Before you begin, make sure that you have done the following:
Created a non-claims-aware relying party trust for the application in the AD FS Management console.
Configured the backend server to support Kerberos constrained delegation on the domain controller or by using the Set-ADUser cmdlet with the -PrincipalsAllowedToDelegateToAccount parameter. Note that if the backend server is running on Windows Server 2012 R2 or Windows Server 2012, you can also run this PowerShell command on the backend server.
Made sure that the Web Application Proxy servers are configured for delegation to the service principal names of the backend servers.
Verified that a certificate on the Web Application Proxy server is suitable for the application you want to publish.
First of all, the WAP must be joined to Active Directory before an application that only supports Integrated Windows authentication can be published. Server2 is in a workgroup. The relying party trust must be created on the ADFS server. A constrained delegation is based on an attribute on Server2’s computer account, which can be set from the command line: setspn -s HTTP/app1.contoso.com server2
On the WAP, you specify a certificate whose subject covers the external address, which is not mentioned in the synopsis.
On the IIS, you specify a certificate whose subject covers the internal address: https://app1.contoso.com.
Now, you go and figure out whether the question is flawed or not!
Yup, sometimes I wonder if questions like this have been withdrawn from the exam already, since they are clearly flawed.
Seems correct, although the WAP would need to be part of the domain to be able to enable constrained delegation on it.
The WAP needs a certificate pointing to the app.
Relying party trust is configured through the ADFS console.
Publish application to the WAP, it is already published in IIS so you now need to publish it to the WAP so that it can check user credentials.
https://technet.microsoft.com/en-us/library/dn383640.aspx
“To publish an application that uses Integrated Windows authentication you must add a non-claims-aware relying party trust for the application to the Federation Service.”
“To allow Web Application Proxy to perform single sign-on (SSO) and to perform credentials delegation using Kerberos constrained delegation, the Web Application Proxy server must be joined to a domain.”
The Web Application Proxy would need to be in the domain, which is not stated in the question, but…
According to this, the provided answer is correct.
For more details see
Walkthrough Guide: Connect to Applications and Services from Anywhere with Web Application Proxy
https://technet.microsoft.com/en-us/library/dn280943.aspx
All steps – except the relying party trust – are performed on the web application proxy server.
Box 1: Server1
For all types of application that you can publish using AD FS preauthentication, you must add an AD FS relying party trust to the Federation Service. Use Server1 as it has AD FS.
Box 2: Server2
When publishing applications that use Integrated Windows authentication, the Web Application Proxy server uses Kerberos constrained delegation to authenticate users to the published application.
Box 3: Server2
To publish a claims-based application
1. On the Web Application Proxy server, in the Remote Access Management console, in the Navigation pane, click Web Application Proxy, and then in the Tasks pane, click Publish.
2. On the Publish New Application Wizard, on the Welcome page, click Next.
Etc.
Box 4: Server2
Configure CAs and certificates
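The four boxes above as one PowerShell run, added here as an example and not taken from the thread or the linked TechNet pages. It assumes App1 on Server3 runs under the machine account, that Server2 has already been joined to contoso.com (the prerequisite the thread keeps pointing out), and that the external name is the same https://app1.contoso.com as the internal one, since the question gives no external address.

```powershell
# Added example (not from the thread or the TechNet articles). Assumptions: App1 runs on
# Server3 under its computer account, Server2 is domain-joined, and the external URL equals
# the internal URL https://app1.contoso.com. Needs the ActiveDirectory, ADFS and
# WebApplicationProxy modules on the respective servers.

# --- Box 1 / Server1 (AD FS): non-claims-aware relying party trust for App1 ---
Add-AdfsNonClaimsAwareRelyingPartyTrust -Name 'App1' `
    -Identifier 'https://app1.contoso.com/' `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# --- Box 2 / Server2 (WAP): Kerberos constrained delegation ---
# KCD only works when the WAP is a domain member, so fail early on a workgroup box.
if (-not (Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    throw 'Server2 is still a workgroup member; join it to contoso.com before continuing.'
}
# The HTTP SPN belongs to the account that hosts App1 (Server3's computer account), and
# Server3 is told which principal (Server2) may present delegated tickets to it.
setspn -S HTTP/app1.contoso.com 'contoso\Server3$'
Set-ADComputer -Identity 'Server3' -PrincipalsAllowedToDelegateToAccount (Get-ADComputer 'Server2')

# --- Box 4 / Server2 (WAP): certificate whose subject covers the external name ---
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*app1.contoso.com*' -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw 'No certificate for app1.contoso.com with a private key in LocalMachine\My.' }

# --- Box 3 / Server2 (WAP): publish App1 with AD FS pre-authentication ---
Add-WebApplicationProxyApplication -Name 'App1' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'App1' `
    -ExternalUrl 'https://app1.contoso.com/' `
    -BackendServerUrl 'https://app1.contoso.com/' `
    -ExternalCertificateThumbprint $cert.Thumbprint `
    -BackendServerAuthenticationSPN 'HTTP/app1.contoso.com'

# Check: the published app must show ADFS pre-auth and the backend SPN, otherwise
# Internet users would reach Server3 without being authenticated at the proxy.
Get-WebApplicationProxyApplication -Name 'App1' |
    Format-List Name, ExternalPreauthentication, BackendServerAuthenticationSPN
```

The Box 1 cmdlet runs on Server1 and the rest on Server2; the Set-ADComputer call needs rights to write Server3's computer object, which is why the question's table placement of each server matters.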