Term
| What are some of the ports used by ADDS that are required to be open |
|
Definition
|
|
Term
| What are some of the ports that FS uses |
|
Definition
|
|
Term
| List a few answers as to what FS is |
|
Definition
| Enterprise claims provider, federation for identity across domains, secures collaboration across domains, saves the need for multiple credentials, provides SSO |
|
|
Term
|
Definition
| Statements made about objects such as Users and Groups |
|
|
Term
|
Definition
| Define how claims are processed (if x then y). Example: if the claim is that a user is a part of the Development Group, then the user can access Y amount of the resource |
|
|
Term
| What is an Attribute Store |
|
Definition
| Used by FS to look up claim values (commonly ADDS) |
|
|
Term
| What is a Claims Provider |
|
Definition
| Authenticates user and sends them through the authorization process with the relying party |
|
|
Term
| What are the relying parties |
|
Definition
| A relying party is a Web service that consumes claims for the claims provider |
|
|
Term
| What must relying parties have installed to be able to consume claims |
|
Definition
| Windows Identity Foundation or FS 1.0's claims-aware agent |
|
|
Term
| Why does FS use certificates |
|
Definition
| AD FS uses certificates as part of the token issuing/receiving process |
|
|
Term
|
Definition
| Mechanisms that enable access to AD FS |
|
|
Term
| What are the 6 endpoints built into AD FS 2.0 |
|
Definition
| WS-Trust 1.3, WS-Trust 2005, WS-Federation Passive/SAML SSO, Federation Metadata, SAML Artifact, WS-Trust WSDL |
|
|
Term
|
Definition
| ADFS 2.0 no longer supports the Federated Web SSO with forest trust design like in AD FS 1.x |
|
|
Term
| What network services are required for AD FS |
|
Definition
| TCP/IP network, ADDS, DNS, Certificates |
|
|
Term
| What technologies are part of the TCP/IP network connectivity |
|
Definition
| Client computer, a domain controller, Federated Server, Federated Proxy server (optional), AD FS 2.0 Web Agent |
|
|
Term
| What are the minimum required OS versions for a domain controller for FS |
|
Definition
|
|
Term
| Define Web SSO Architecture |
|
Definition
| When a single company implements FS to provide internal users access to a federated service using existing ADDS accounts |
|
|
Term
|
Definition
| Allowing two companies to share a resource via a federation where one company has the accounts that need access while the other company provides the resource |
|
|
Term
| From a security standpoint where should you place a federation server |
|
Definition
|
|
Term
| From a security standpoint how should you treat a federated services server |
|
Definition
| Treat a Federation Services server just like you treat a domain controller. In other words, you should take extra steps in securing an FS server |
|
|
Term
| What are the three basic certificates required by FS 2.0 |
|
Definition
| Token-signing certificate, Service Communication certificate, Token-decryption certificate |
|
|
Term
| Define the Token-Signing Certificate used by AD FS 2.0 |
|
Definition
| This is a self-signed certificate that is created during the install. This certificate is used to sign the tokens created by that FS server |
|
|
Term
| Define the Service Communication certificate used by FS 2.0 |
|
Definition
| This is the server authentication certificate that is used to secure Web services (same certificate bound in IIS) |
|
|
Term
| Define the Token-decryption certificate |
|
Definition
| Used by the resource federation server to decrypt tokens received from the account partner (it is a self-signed certificate created during installation and can be changed later) |
|
|
Term
| What are the DNS entries that should be created to provide name resolution |
|
Definition
| The DNS server should have an A record for the federation server, or if there is a load-balancing federation cluster you will need an A record with the IP of the cluster |
|
|
Term
| What is the purpose of the account partner's FS server |
|
Definition
| To authenticate users and issue tokens to be received by the resource partner |
|
|
Term
| What is the purpose of the resource partner's FS server |
|
Definition
| To read claims and assign tokens to local resources while the client is connected |
|
|
Term
| Name the primary reason to deploy a federation server proxy |
|
Definition
| When you do not want external clients accessing your federation server directly |
|
|
Term
|
Definition
| The federation server proxy does not have access to the keys that create tokens |
|
|
Term
| What is the purpose of the federation services server proxy on the account partner side |
|
Definition
| To collect user credentials from the client browser and pass them on to the internal federation server. |
|
|
Term
| What is the purpose of the federation server proxy on the resource partner |
|
Definition
| To relay security tokens that come from the account partner when users in the account partner try to access Federation Services in the resource partner |
|
|
Term
| What type of certificate is required for the federated services cluster |
|
Definition
| The proxy needs a Server Authentication Certificate to interact with Web Clients |
|
|
Term
| If you want an FS 2.0 machine to consume claims from FS 1.x what do you need to do |
|
Definition
| Manually create a Claims Provider Trust; a rule must be created to send an FS 1.x compatible claim |
|
|
Term
| If you want FS 2.0 to send claims to an FS 1.x federation server |
|
Definition
| Manually create a relying party trust, create a rule to send the FS 1.x compatible claim, the FS 1.x admin sets up a new account partner trust |
|
|
Term
| If you want to send claims to an FS 1.x claims-aware Web Agent |
|
Definition
| Manually create a relying party trust, the FS 1.x admin edits the web.config file to point to the FS 2.0 federation service web agent, create a rule to send an FS 1.x compatible claim |
|
|
Term
| What are the three supported types of attribute (account) stores for FS |
|
Definition
| ADDS (Windows 2003 SP1 and up), SQL 2005/2007, Custom Attribute stores |
|
|
Term
| What must a Web Server have installed to externalize the identity logic and accept claims |
|
Definition
| Windows Identity Foundation or an FS 1.x Claims-Aware Web Agent role service installed |
|
|
Term
| What is the first place to start looking to troubleshoot FS 2.0 |
|
Definition
|
|
Term
| Where does the dedicated log for FS 2.0 reside |
|
Definition
| Windows Event Viewer > Application and Services Log > Admin |
|
|
Term
| How do you enable the debug tracing log file for FS 2.0 |
|
Definition
| Navigate to Event Viewer, click the View menu and enable "Show Analytic and Debug Logs", expand the FS 2.0 Tracing folder and select "Enable Logging", restart the FS 2.0 service |
|
|
Term
| What are the four key areas that you can use to troubleshoot FS 2.0 |
|
Definition
| Event Logging, Debug Trace Logging, Auditing, Performance Monitoring |
|
|
Term
| How do you enable auditing on FS 2.0 |
|
Definition
| Modify the local security policy or use a GPO to give the FS 2.0 service account the "Generate security events" right; run auditpol.exe /set /subcategory:"Application" /failure:enable /success:enable from an elevated command prompt; edit the Federation Service Properties in the MMC, go to the Events tab and check "Success audit" and "Failure Audits" |
|
|
Term
| How can you list all FS 2.0 related cmdlets in PowerShell |
|
Definition
|
|
Term
| How can you verify that the FS 2.0 PowerShell cmdlets are installed |
|
Definition
| Get-PSSnapin -Registered |
|
|
Term
| How do you set the level of logging in Windows PowerShell |
|
Definition
| Set-ADFSProperties -LogLevel Verbose,Errors,Warnings,Information |
|
|
Term
| How can you enable trace logging via the command prompt for FS 2.0 |
|
Definition
| wevtutil sl "AD FS 2.0 Tracing/Debug" /l:5 |
|
|
Term
| What are some common issues related to the FS 2.0 service not starting |
|
Definition
| SSL certificate not loading (unable to load/cannot find), SQL database not reachable by the FS 2.0 service account (via network failure, unable to log in) |
|
|
Term
| What is the name of the default Web form used by a federation server proxy |
|
Definition
|
|
Term
| What are the steps to configuring an AD FS 2.0 Account Partner |
|
Definition
| 1. Design and determine where you will place the FS 2.0 Federation Server, 2. Add an Attribute Store, 3. Create claims rules for the relying party trust, 4. Add a claim description, 5. Prepare the client for federation |
|
|
Term
| What are the steps to configuring an AD FS 2.0 Federation Server in the resource partner |
|
Definition
| Design and implement where you will place the FS 2.0 Federation Server, add an Attribute Store, connect to an account partner, create claim rule sets for the claims provider |
|
|
Term
| What are the methods to connect the account partner to the resource partner |
|
Definition
| You can manually enter the data, use a URL provided by the resource partner (remember that this is the recommended method), or import the data from an exported file from the resource partner |
|
|
Term
| How do you prepare the client for federation |
|
Definition
| Add the account partner federation server to the trusted sites of the client browser, Install the SSL certificates of the Account partner/Resource Partner/destination Web server |
|
|
Term
| Where are the claims rules for the claims provider trust created |
|
Definition
|
|
Term
| Where are the claims rules for the relying party trust created |
|
Definition
| In the account partner organization |
|
|
Term
| What are some steps you can take when it comes to users who cannot authenticate |
|
Definition
| Have the user sign in, have the user sign in to other applications, ensure that the account is not locked out |
|
|
Term
| If a user can sign in but there is an authorization failure what can you do to troubleshoot the problem |
|
Definition
| Check user permissions to the application, check the user permission for the specific portion of the application, check logs |
|
|
Term
| What are some troubleshooting steps you can take to solve trust management issues |
|
Definition
| Check to see if the SQL database is reachable by pinging and telnetting into port 1433, check to see if the service account has write permission to the SQL database, see if the SQL service was restarted in the middle of a write operation |
|
|