PrepAway - Latest Free Exam Questions & Answers

You need to ensure that all users from the Internet are pre-authenticated before they can access App1

DRAG DROP
Your network contains an Active Directory domain named contoso.com. The domain contains two
servers named Server1 and Server3. The network contains a standalone server named Server2.
All servers run Windows Server 2012 R2. The servers are configured as shown in the following table.

Server3 hosts an application named App1. App1 is accessible internally by using the URL
https://app1.contoso.com. App1 only supports Integrated Windows authentication.
You need to ensure that all users from the Internet are pre-authenticated before they can access
App1.
What should you do?
To answer, drag the appropriate servers to the correct actions. Each server may be used once, more
than once, or not at all. You may need to drag the split bar between panes or scroll to view content.


Answer:

Explanation:
Box 1: Server1
For all types of applications that you can publish using AD FS preauthentication, you must add an AD FS
relying party trust to the Federation Service.
Use Server1 as it has AD FS.
Box 2: Server2
When publishing applications that use Integrated Windows authentication, the Web Application
Proxy server uses Kerberos constrained delegation to authenticate users to the published
application.
Box 3: Server2
To publish a claims-based application
1. On the Web Application Proxy server, in the Remote Access Management console, in the
Navigation pane, click Web Application Proxy, and then in the Tasks pane, click Publish.
2. On the Publish New Application Wizard, on the Welcome page, click Next.
Etc.
Box 4: Server2

Configure CAs and certificates (see c below)
Web Application Proxy servers require the following certificates in the certificate store on each Web
Application Proxy server:
a) A certificate whose subject covers the federation service name. If you want to use Workplace Join,
the certificate must also contain the following subject alternative names (SANs): <federation service
name>.<domain> and enterpriseregistration.<domain>.
b) A wildcard certificate, a subject alternative name (SAN) certificate, several SAN certificates, or
several certificates whose subjects cover each web application.
c) A copy of the certificate issued to external servers when using client certificate preauthentication.

Install and Configure the Web Application Proxy Server; Planning to Publish Applications Using Web
Application Proxy; Publish Applications using AD FS Preauthentication
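
The four boxes in the explanation above, written as PowerShell instead of console steps. This is an added example, not part of the original page: the relying party name, the external URL (taken to equal the internal one), the account holding the SPN and the certificate thumbprint placeholder are assumptions, as is Server2 having been joined to contoso.com, which Kerberos constrained delegation requires.

```powershell
# Added example. PLACEHOLDER / "assumption" values are not from the page.
$RpName      = 'App1'                       # assumption: relying party trust name
$BackendUrl  = 'https://app1.contoso.com/'  # internal URL from the question
$ExternalUrl = 'https://app1.contoso.com/'  # assumption: external URL equals internal URL
$BackendSpn  = 'HTTP/app1.contoso.com'      # assumption: SPN held by the account App1 runs as
$CertThumb   = '<PLACEHOLDER-CERT-THUMBPRINT>'  # certificate on Server2 covering $ExternalUrl

# --- Box 1, run on Server1 (AD FS) ---
# App1 uses Integrated Windows authentication, so the trust is non-claims-aware.
# The rule below permits every authenticated user; tighten it to a group if needed.
$permitAll = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
Add-AdfsNonClaimsAwareRelyingPartyTrust -Name $RpName -Identifier $BackendUrl `
    -IssuanceAuthorizationRules $permitAll

# --- Box 2, run where the ActiveDirectory module is available ---
# Constrained delegation with protocol transition on the proxy's computer account.
# Assumption: Server2 has been joined to contoso.com.
Import-Module ActiveDirectory
setspn -Q $BackendSpn    # confirm exactly one account holds the SPN before delegating to it
$wap = Get-ADComputer -Identity 'Server2'
Set-ADComputer -Identity $wap -Add @{ 'msDS-AllowedToDelegateTo' = $BackendSpn }
Set-ADAccountControl -Identity $wap -TrustedToAuthForDelegation $true

# --- Boxes 3 and 4, run on Server2 (Web Application Proxy) ---
# Fail early if the certificate is not in the local machine store.
if (-not (Test-Path "Cert:\LocalMachine\My\$CertThumb")) {
    throw "Certificate $CertThumb not found in Cert:\LocalMachine\My"
}
Add-WebApplicationProxyApplication -Name $RpName `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName $RpName `
    -ExternalUrl $ExternalUrl `
    -ExternalCertificateThumbprint $CertThumb `
    -BackendServerUrl $BackendUrl `
    -BackendServerAuthenticationSPN $BackendSpn

# Check: preauthentication must read ADFS; PassThrough would forward
# unauthenticated Internet requests straight to Server3.
Get-WebApplicationProxyApplication -Name $RpName |
    Format-List Name, ExternalUrl, ExternalPreauthentication, BackendServerAuthenticationSPN
```

Each section runs on the host named in its comment; the variables at the top must be defined in every session.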

3 Comments on “You need to ensure that all users from the Internet are pre-authenticated before they can access App1”

  1. Jerry says:

    App1 only supports Integrated Windows authentication (not claims-based). So in the Explanation under Box 3 it should say:
    To publish a non-claims-based application
    1. On the Web Application Proxy server, in the Remote Access Management console, in the Navigation pane, click Web Application Proxy, and then in the Tasks pane, click Publish.
    2. On the Publish New Application Wizard, on the Welcome page, click Next.
    etc.
    https://technet.microsoft.com/en-us/library/dn765483.aspx

    Just a detail, the answer remains the same.




  2. kurt says:

    Snowden says:
    July 7, 2015 at 1:51 am
    First of all, the WAP must be joined to Active Directory before an application that only supports Integrated Windows authentication can be published. Server2 is in a workgroup. The relying party trust must be created on the ADFS server. A constrained delegation is based on an attribute on Server2’s computer account, which can be set from command line: setspn -s HTTP/app1.contoso.com server2
    On the WAP, you specify a certificate whose subject covers the external address, which is not mentioned in the synopsis.
    On the IIS, you specify a certificate whose subject covers the internal address: https://app1.contoso.com.




  3. Lord Vader says:

    Joe says:
    July 16, 2015 at 2:50 pm
    Seems correct, although the WAP would need to be part of the domain to be able to enable constrained delegation on it.
    The WAP needs a certificate pointing to the app.
    Relying party trust is configured through the ADFS console.
    Publish application to the WAP; it is already published in IIS, so you now need to publish it to the WAP so that it can check user credentials.



