Tag Archives: 70-742

70-742 Additional Notes – AD Federation Services with Device Registration


Overview

You can add the Device Registration Service (DRS) to your Active Directory Federation Service (AD FS) configuration. DRS provides seamless second factor authentication, persistent single sign on, and conditional access to devices attempting to access your corporate resources.

Prepare your Forest

To properly implement DRS, you first should prepare your forest. To do this you must meet the following requirements:

  • You must be an Enterprise Admin
  • The forest must be at the Windows Server 2012 R2 schema or higher
  • There must be at least one Global Catalog Server in the forest root domain

Step 1 – On the Federation Server run the PowerShell command:

Initialize-ADDeviceRegistration

Step 2 – When prompted for the ServiceAccountName – enter the service account you used for AD FS

Enable DRS on a Federation Server Farm Node

On each node in the farm, run the PowerShell command:

Enable-AdfsDeviceRegistration

Enable Seamless Second Factor Authentication

Use the AD FS Management Console and navigate to Authentication Policies. Select Edit Global Primary Authentication. Click Enable Device Authentication and click OK.

Update the Web Application Proxy Configuration

On the WAP server – run the PowerShell command:

Update-WebApplicationProxyDeviceRegistration

When prompted, input an account with administrative credentials.
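The whole procedure above, from the forest prerequisites through the WAP update, as one added PowerShell example (this is not code from the original post). It assumes a service account named CONTOSO\svc_adfs; the Set-AdfsGlobalAuthenticationPolicy call is the PowerShell equivalent of the console step under "Enable Seamless Second Factor Authentication". The schema check relies on the Windows Server 2012 R2 schema being objectVersion 69.

```powershell
# Added example: enable DRS with prerequisite checks. Assumed name: CONTOSO\svc_adfs.
# Run the checks and Initialize-ADDeviceRegistration on a federation server as an
# Enterprise Admin; the final Update-WebApplicationProxyDeviceRegistration runs on the WAP.
Import-Module ActiveDirectory
Import-Module ADFS

$serviceAccount = 'CONTOSO\svc_adfs'   # assumed AD FS service account

# --- Prerequisite 1: the current user is an Enterprise Admin (well-known RID 519) ---
$groups = [Security.Principal.WindowsIdentity]::GetCurrent().Groups
$isEnterpriseAdmin = $groups | Where-Object { $_.Value -like 'S-1-5-21-*-519' }
if (-not $isEnterpriseAdmin) { throw 'Run this as a member of Enterprise Admins.' }

# --- Prerequisite 2: forest schema at Windows Server 2012 R2 (objectVersion 69) or later ---
$schemaNC      = (Get-ADRootDSE).schemaNamingContext
$schemaVersion = (Get-ADObject $schemaNC -Properties objectVersion).objectVersion
if ($schemaVersion -lt 69) {
    throw "Schema objectVersion is $schemaVersion; 2012 R2 (69) or higher is required. Run adprep first."
}

# --- Prerequisite 3: at least one Global Catalog in the forest root domain ---
$rootDomain = (Get-ADForest).RootDomain
$gcs = Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } -Server $rootDomain
if (-not $gcs) { throw "No Global Catalog found in forest root domain $rootDomain." }

# --- Step 1: prepare the forest; -ServiceAccountName avoids the interactive prompt ---
Initialize-ADDeviceRegistration -ServiceAccountName $serviceAccount

# --- Step 2: enable DRS on this farm node (repeat on every node in the farm) ---
Enable-AdfsDeviceRegistration

# --- Step 3: seamless second factor (same setting as "Enable Device Authentication" in the console) ---
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

# --- Verify the DRS configuration and the policy flag before touching the WAP ---
Get-AdfsDeviceRegistration
(Get-AdfsGlobalAuthenticationPolicy).DeviceAuthenticationEnabled

# --- Step 4 (on each WAP server): pull the new DRS settings from the farm ---
# Prompts for an administrative credential on the federation service.
Update-WebApplicationProxyDeviceRegistration
```

Run the verification lines before the WAP step: if Get-AdfsDeviceRegistration returns nothing on a node, Enable-AdfsDeviceRegistration was not run there, and the WAP update will pick up an incomplete configuration.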

70-742 Additional Notes – The Remote Access Server Role and WAP


The important Remote Access server role incorporates the following technologies:

  • Remote Access Service (RAS)
  • Routing
  • Web Application Proxy (WAP) 

The Web Application Proxy is the most relevant of these role services for the 70-742 exam, and it appears explicitly on the exam blueprint.

Remember that the Web Application Proxy provides reverse proxy functionality for Web applications that live inside your corporate network: it lets outside users (on any device) reach those Web applications from outside your network.

WAP pre-authenticates access to your Web applications using Active Directory Federation Services (AD FS) and can also function as an AD FS proxy.

To install this powerful service, use the Add Roles wizard and target the RAS server role – or use PowerShell as follows:

Install-RemoteAccess -VpnType SstpProxy

Some features of WAP that are new in Server 2016 include:

  • Preauthentication for HTTP Basic application publishing – this allows mobile devices to use ActiveSync with Exchange
  • Wildcard domain publishing of applications – this simplifies integrating services like SharePoint that have many applications under one domain to publish
  • HTTP to HTTPS Redirection
  • HTTP application publishing using pass-through preauthentication
  • Remote Desktop Gateway Apps
  • Better debug logging
  • Admin Console UI improvements
  • Propagation of client IP address to backend applications
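An added PowerShell example (not code from the original post) that installs WAP and then publishes three applications, one each for AD FS preauthentication, pass-through preauthentication and wildcard publishing, with the HTTP to HTTPS redirection option from the list above. It installs the role with Install-WindowsFeature rather than the Install-RemoteAccess command shown earlier; both are valid. Every host name, relying party name and certificate thumbprint below is an assumed placeholder, and the relying party trusts are assumed to exist already on the AD FS farm.

```powershell
# Added example: install WAP and publish applications. All names and thumbprints are placeholders.
# Run on the WAP server after it can reach the AD FS farm and trusts its certificate chain.

# Install the role service (same result as the Add Roles wizard)
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

# Join the WAP server to the AD FS farm; prompts for an account allowed to configure the farm
$fsTrustCred = Get-Credential -Message 'Account allowed to configure the federation service'
Install-WebApplicationProxy `
    -FederationServiceName 'adfs.contoso.com' `
    -CertificateThumbprint 'THUMBPRINT-PLACEHOLDER-ADFS' `
    -FederationServiceTrustCredential $fsTrustCred

# 1) AD FS preauthentication: users authenticate at AD FS before any request reaches the
#    backend, so unauthenticated traffic never touches the internal server.
#    -EnableHTTPRedirect is the 2016 HTTP to HTTPS redirection feature.
Add-WebApplicationProxyApplication `
    -Name 'Expenses' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'Expenses RP' `
    -ExternalUrl 'https://expenses.contoso.com/' `
    -BackendServerUrl 'https://expenses.corp.contoso.com/' `
    -ExternalCertificateThumbprint 'THUMBPRINT-PLACEHOLDER-EXPENSES' `
    -EnableHTTPRedirect:$true

# 2) Pass-through preauthentication (2016 feature): WAP does no authentication of its own,
#    so the backend must authenticate every request itself.
Add-WebApplicationProxyApplication `
    -Name 'Public Portal' `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl 'https://portal.contoso.com/' `
    -BackendServerUrl 'https://portal.corp.contoso.com/' `
    -ExternalCertificateThumbprint 'THUMBPRINT-PLACEHOLDER-PORTAL'

# 3) Wildcard domain publishing (2016 feature): one rule covers every host under the domain,
#    which suits SharePoint-style farms with many sites. Requires a wildcard certificate.
Add-WebApplicationProxyApplication `
    -Name 'SharePoint sites' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'SharePoint RP' `
    -ExternalUrl 'https://*.sp.contoso.com/' `
    -BackendServerUrl 'https://*.sp.contoso.com/' `
    -ExternalCertificateThumbprint 'THUMBPRINT-PLACEHOLDER-WILDCARD'

# Review what is published and which preauthentication mode each rule uses
Get-WebApplicationProxyApplication |
    Select-Object Name, ExternalPreauthentication, ExternalUrl, BackendServerUrl
```

The final Get-WebApplicationProxyApplication listing is the check worth keeping in a runbook: any rule showing PassThrough is an application whose authentication is entirely the backend's responsibility.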