
You deploy an Active Directory Federation Services (AD FS) infrastructure. The infrastructure uses Active Directory as the attribute store. All servers run Windows Server 2012 R2.
Some users report that they fail to authenticate to the AD FS infrastructure.
You discover that only users who run third-party web browsers experience issues.
You need to ensure that all of the users can authenticate to the AD FS infrastructure successfully.
Which Windows PowerShell command should you run?

A. Set-ADFSProperties -ProxyTrustTokenLifetime 1:00:00

B. Set-ADFSProperties -AddProxyAuthenticationRulesNone

C. Set-ADFSProperties -SSOLifetime 1:00:00

D. Set-ADFSProperties -ExtendedProtectionTokenCheck None

Explanation:
Certain client browsers, such as Firefox, Chrome, and Safari, do not support the Extended Protection for Authentication capabilities that can be used across the Windows platform to protect against man-in-the-middle attacks. To prevent this type of attack from occurring over secure AD FS communications, AD FS 2.0 enforces (by default) that all communications use a channel binding token (CBT) to mitigate this threat.
Note: Disable the Extended Protection for Authentication
To disable the Extended Protection for Authentication feature in AD FS 2.0:
On a federation server, log in using the Administrator account, open the Windows PowerShell command prompt, and then type the following command:
Set-ADFSProperties -ExtendedProtectionTokenCheck None
Repeat this step on each federation server in the farm.
References: Configuring Advanced Options for AD FS 2.0
