Which certificate or certificates should you identify?

Your network contains an Active Directory domain named contoso.com.
Your company has an enterprise root certification authority (CA) named CA1.
You plan to deploy Active Directory Federation Services (AD FS) to a server named Server1.
The company purchases a Microsoft Office 365 subscription.
You plan to register the company’s SMTP domain for Office 365 and to configure single
sign-on for all users.
You need to identify which certificate or certificates are required for the planned deployment.
Which certificate or certificates should you identify? (Each correct answer presents a
complete solution. Choose all that apply.)

A.
a server authentication certificate that is issued by a trusted third-party root CA and that
contains the subject name server1.contoso.com

B.
a server authentication certificate that is issued by CA1 and that contains the subject
name Server1

C.
a server authentication certificate that is issued by a trusted third-party root CA and that
contains the subject name Server1

D.
a server authentication certificate that is issued by CA1 and that contains the subject
name server1.contoso.com

E.
self-signed server authentication certificates for server1.contoso.com





fdmo

in the exam there's only one opt

MrC

And the right answer is?

Yenrab

If you only get one, choose “A” – or flip a coin. Oh wait, you can’t even take one of those into the testing room. How am I ever supposed to pass now?

Ted

http://blogs.technet.com/b/rmilne/archive/2014/04/28/how-to-install-adfs-2012-r2-for-office-365.aspx
Certificates
Since ADFS leverages SSL, we need to have an SSL certificate. You could try three options, but only one will work:

Self-signed certificate
Certificate issued from internal PKI
Certificate from 3rd party public CA
Office 365 needs to see a valid Service Communication Certificate on your ADFS infrastructure, so you are going to have to buy a certificate from a public CA. Office 365 will not trust a service communication certificate that is either self-signed or from your internal CA, which results in tears. We can use self-signed certificates for the Token Decrypting and Token Signing Certificate. These are separate from the service communication cert.

DeeJ

Many will get confused about why this answer meets the requirements but read here and see why.
https://technet.microsoft.com/en-us/library/dn151311.aspx

The Trusted Third Party CA is a requirement for the Cert used to communicate with Microsoft Office 365.
The sneaky part of the question:

the self-signed cert is needed for the Token Signing and it is subversively and deceptively accurate.

Token-signing certificate
This is a standard X.509 certificate that is used for securely signing all tokens that the federation server issues and that the cloud service will accept and validate.

The token-signing certificate must contain a private key, and it “should” chain to a trusted root in the Federation Service.

By default, AD FS creates a self-signed certificate. However, depending on the needs of your organization, you can change this later to a CA-issued certificate by using the AD FS Management snap-in.

Recommendation: Use the self-signed token-signing certificate generated by AD FS.
By doing so, AD FS will manage this certificate for you by default.
For example, in case this certificate is expiring, AD FS will generate a new self-signed certificate to use ahead of time.

https://technet.microsoft.com/en-us/library/dn151311.aspx

cthulured

A bit late to the party, but I believe the above assertion that “E” is also a valid answer is wrong - the self-signed certificate used by AD FS is not a “server authentication” certificate, it’s a token-signing cert. Answer “E” explicitly states a server authentication certificate.

puck

Forget ALL these other links. Look here, it's clear as day:

https://support.office.com/en-sg/article/Plan-for-third-party-SSL-certificates-for-Office-365-b48cdf63-07e0-4cda-8c12-4871590f59ce

The only answer is A.

Not B or C or D – A is required for AD FS… the rest are not required as they are either privately issued, or have a short/private UPN.

Not E – E refers to server authentication certificates, the requirement asks for a token-signing certificate. Token signing certificates are generated automatically and Microsoft recommends that we use the default certificate as it has the benefit of updating itself when it expires etc.

As fdmo said, in the exam there is actually only one choice. If there are two choices in the exam, then I imagine E would refer to a token-signing certificate which you may then select.
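The certificate rules the comments above (Ted's, DeeJ's and puck's) boil down to can be checked on the federation server itself. The PowerShell below is an added example, not code from the original question, the commenters or the linked Microsoft articles. It assumes it runs on an AD FS server where the ADFS module's Get-AdfsCertificate and Get-AdfsProperties cmdlets are available; the function names and the 30-day expiry threshold are this example's own choices. It reports the service communications certificate as a problem when it is self-signed, does not chain to a trusted root, lacks the Server Authentication EKU, or does not name the federation service FQDN, and it reports token-signing or token-decrypting certificates only when they are self-signed while automatic rollover (the mechanism DeeJ's comment relies on) has been switched off.

```powershell
# Added example: audit AD FS certificates against the requirements discussed above.
# Not part of the original post. Assumes the ADFS PowerShell module is present.

$ServerAuthEku = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

function Test-ServiceCommunicationCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)]
        [string]$ExpectedFqdn
    )
    $findings = @()

    # Self-signed (subject equals issuer): Office 365 will not trust this for
    # service communications, so it is a hard failure.
    if ($Certificate.Subject -eq $Certificate.Issuer) {
        $findings += 'Certificate is self-signed'
    }

    # The chain must build to a trusted root. Note that an internal-CA certificate can
    # pass this check on a domain member and still be rejected by Office 365, so this
    # only catches the cases that already fail locally.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($Certificate)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $findings += "Chain does not build to a trusted root: $status"
    }

    # Must carry the Server Authentication EKU to be usable for TLS on the AD FS endpoint.
    $ekus = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    if (@($ekus) -notcontains $ServerAuthEku) {
        $findings += 'Missing Server Authentication EKU'
    }

    # The certificate must name the FQDN clients and Office 365 connect to (e.g.
    # server1.contoso.com), not a short host name such as Server1. Collect the CN/first
    # DNS name plus every DNS name in the Subject Alternative Name extension (OID 2.5.29.17).
    $names = @($Certificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }
    if ($names -notcontains $ExpectedFqdn) {
        $findings += "Names [$($names -join ', ')] do not include expected FQDN '$ExpectedFqdn'"
    }

    # Expiry warning threshold (30 days) is this example's own choice.
    if ($Certificate.NotAfter -lt (Get-Date).AddDays(30)) {
        $findings += "Certificate expires on $($Certificate.NotAfter)"
    }
    return $findings
}

function Test-AdfsCertificateConfiguration {
    param([string]$FederationServiceFqdn)

    $props = Get-AdfsProperties
    # Default to the federation service name AD FS itself is configured with.
    if (-not $FederationServiceFqdn) { $FederationServiceFqdn = $props.HostName }

    $report = @{}

    # Service communications certificate: the one Office 365 must be able to validate.
    $svc = Get-AdfsCertificate -CertificateType Service-Communications
    $report['Service-Communications'] =
        Test-ServiceCommunicationCertificate -Certificate $svc.Certificate -ExpectedFqdn $FederationServiceFqdn

    # Token-signing and token-decrypting: the self-signed default is fine as long as
    # AD FS is allowed to roll the certificates over itself before they expire.
    foreach ($type in 'Token-Signing', 'Token-Decrypting') {
        $issues = @()
        foreach ($entry in (Get-AdfsCertificate -CertificateType $type)) {
            $cert = $entry.Certificate
            $selfSigned = ($cert.Subject -eq $cert.Issuer)
            if ($selfSigned -and -not $props.AutoCertificateRollover) {
                $issues += "$($cert.Thumbprint) is self-signed but AutoCertificateRollover is disabled"
            }
            if ($entry.IsPrimary -and $cert.NotAfter -lt (Get-Date).AddDays(30)) {
                $issues += "Primary $type certificate $($cert.Thumbprint) expires on $($cert.NotAfter)"
            }
        }
        $report[$type] = $issues
    }
    return $report
}

# Usage on a federation server (empty lists mean no findings):
# Test-AdfsCertificateConfiguration -FederationServiceFqdn 'server1.contoso.com'
```

The service communications check is deliberately the strict one: a certificate from CA1 (answers B and D) may build a chain on a domain-joined machine because the enterprise root is in the local trusted store, which is why the self-signed and issuer tests are reported separately from the chain result rather than relying on the chain alone.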