Your network contains a perimeter network and an internal network. The internal network contains
an Active Directory Federation Services (AD FS) 2.1 infrastructure. The infrastructure uses Active
Directory as the attribute store.
You plan to deploy a federation server proxy to a server named Server2 in the perimeter network.
You need to identify which value must be included in the certificate that is deployed to Server2.
What should you identify?

A. The name of the Federation Service
B. The name of the Active Directory domain
C. The FQDN of the AD FS server
D. The public IP address of Server2
Explanation:
A) It must contain the FQDN
http://technet.microsoft.com/en-us/library/cc776786(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc782620(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc759635(v=ws.10).aspx
The answer should be A
https://msdn.microsoft.com/en-us/library/azure/dn151311.aspx
The explanation talks about DNS records. The question is about certificates.
@Rob: they want to know the value of the certificate of the proxy and not the certificate for the AD FS. This means for me the right answer is: C
https://msdn.microsoft.com/en-us/library/azure/dn151311.aspx
AD FS requires a certificate for SSL server authentication on each federation server in your federation server farm. The same certificate should be used on each federation server in a farm.
Subject name and subject alternative name must contain your federation service name, such as fs.contoso.com - I think the keyword here is “service”, even if the server has the same name.
Recommendation: Use the same server authentication certificate as is configured on the federation server that this federation server proxy or Web Application Proxy will connect to.
I would say that the correct answer is A.
According to the information at https://technet.microsoft.com/en-us/library/dd807054.aspx :
It is important to verify that the subject name in the server authentication certificate matches the Federation Service name
value that is specified in the AD FS Management snap-in. To locate this value, open the snap-in, right-click Service,
click Edit Federation Service Properties, and then find the value in Federation Service name text box.
https://technet.microsoft.com/en-us/library/gg557751(v=ws.10).aspx :
Federation Service name = Indicates the name of the Federation Service as determined from the selected certificate. This
field will have more than one name in it if the selected certificate has more than one possible names or if the selected
certificate is a wild card certificate and you must type in a name. For example, if the certificate is issued to
*.contoso.com, you must provide a name (for example, sts1.contoso.com) to use here.
https://technet.microsoft.com/en-gb/library/dn151311.aspx#BKMK_2 :
Subject name and subject alternative name must contain your federation service name, such as fs.contoso.com
http://www.briandesmond.com/active-directory/install-the-first-active-directory-federation-services-farm-member/ :
Federation Service Name – You will need to choose a DNS name for the federation service. This name will be referenced
by clients and relying parties when accessing AD FS. Common hostnames for the federation service include ‘FS’, ‘STS’,
and ‘IDP’ (federation service, security token service, and identity provider, respectively).
In this example we will use the FS hostname with a fully qualified domain name of fs.cohovines.com.
I think the correct answer is C, see this:
http://www.aiotestking.com/microsoft/how-should-you-configure-the-certificate-request-5/
Totally confused, how do we reach a final answer?
I would say A.
https://technet.microsoft.com/en-us/library/dd807054.aspx
It is important to verify that the subject name in the server authentication certificate matches the Federation Service name value that is specified in the AD FS Management snap-in. To locate this value, open the snap-in, right-click Service, click Edit Federation Service Properties, and then find the value in Federation Service name text box.
It is definitely A. Please correct. I’ve done it multiple times. It should be the name specified for AD FS to respond to. That’s the whole idea of AD FS Proxy in DMZ.
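The check the quoted TechNet passages describe (subject name and subject alternative name must contain the Federation Service name, including the wildcard case), as an added example that is not part of the original page or its comments. The certificate data is constructed, in the dict layout returned by Python's `ssl.SSLSocket.getpeercert()`; `server2.contoso.com` is an assumed host name for Server2.

```python
# Added example: all certificate contents below are constructed sample data.

def _matches(pattern: str, name: str) -> bool:
    """Case-insensitive DNS match; '*' may replace only the whole left-most label."""
    p, n = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if not p.startswith("*."):
        return p == n
    head, _, tail = n.partition(".")
    return bool(head) and tail == p[2:]

def check_federation_service_name(cert: dict, fs_name: str) -> dict:
    """Report whether fs_name is covered by the subject CN and by the SAN DNS entries."""
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return {
        "subject_cn": any(_matches(cn, fs_name) for cn in cns),
        "san": any(_matches(s, fs_name) for s in sans),
    }

# Federation Service name, as shown in Edit Federation Service Properties.
FS_NAME = "fs.contoso.com"

# Certificate issued to the Federation Service name.
cert_service = {"subject": ((("commonName", "fs.contoso.com"),),),
                "subjectAltName": (("DNS", "fs.contoso.com"),)}

# Certificate issued to the proxy's own host name (assumed FQDN for Server2).
cert_host = {"subject": ((("commonName", "server2.contoso.com"),),),
             "subjectAltName": (("DNS", "server2.contoso.com"),)}

# Wildcard certificate, the *.contoso.com case from the quoted documentation.
cert_wild = {"subject": ((("commonName", "*.contoso.com"),),),
             "subjectAltName": (("DNS", "*.contoso.com"),)}

if __name__ == "__main__":
    for label, cert in (("service name", cert_service),
                        ("host name", cert_host),
                        ("wildcard", cert_wild)):
        print(label, check_federation_service_name(cert, FS_NAME))
```

A certificate that carries only the proxy's host name fails both checks, while the wildcard passes only for names exactly one label below `contoso.com`.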