HOTSPOT
Yournetwork contains an Active Directory domain named contoso.com. The domain contains a
server named Server1 that runs Windows Server 2012 R2. Server1 has the Active Directory
Federation Services server role installed.
You need to make configuration changes to the Windows Token-based Agent role service.
Which tool should you use?
To answer, select the appropriate tool in the answer area.
Answer: 
Explanation:
<map><m x1=”27″ x2=”294″ y1=”270″ y2=”284″ ss=”0″ a=”0″ /></map>To configure the Windows token-based agent
1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS)
Manager.
Etc. Configure the Windows Token-Based Agent
https://technet.microsoft.com/en-us/library/cc771128%28v=ws.10%29.aspx
I think I’ve seen it in the explanation of other questions, that the token-based auth works via a web server, therefore IIS. No idea for the life of me, where exactly I’ve seen it though…
0
0
KERBEROS CONSTRAINED DELEGATION?
https://technet.microsoft.com/en-us/library/cc995228.aspx
1. Idiot on internet comes in to your Web Application Proxy with certificate
2. Web Application Proxy forwards valid information to ADFS server
3. ADFS verifies user from Cert then impersonates with constrained delegation to obtain TGT and then request Kerberos service ticket for Web Server host computer
4. ADFS presents Kerberos service ticket to IIS Web server
5. Idiot on internet can now access Web server through constrained delegation of their TGT and service ticket for the Web Server computer.
So Windows Token-Based Agent lives on IIS with the web application that uses Windows Integrated authentication, the service just converts the AD FS token to a impersonated service token for the user to access web application. I think theres a utility that you run on the web server to enable SAML etc for the web app which uses this service?
I hope that flows, just go read the article above and learn yourself.
0
0