What does Single Sign-on do?
allows users to authenticate once and access multiple resources without being prompted for more credentials
What are the two primary logs that you can use to troubleshoot?
The Admin Log and the Tracelog
Where do I locate information on troubleshooting certificates and basic requirements?
Access the documentation
https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-certs
How many methods do you need to enable MFA?
At least one extra method. By default, in Active Directory Federation Services (AD FS) in Windows Server, you can select Certificate Authentication (in other words, smart card-based authentication) as an extra authentication method.
What is enabled by default on an authenticated device?
Persistent SSO; if it's disabled, no PSSO cookie is created
Where do you find the Admin and Tracelogs?
Open Event Viewer and Expand Applications and Services Log
What is the most important validation mechanism of the Token-signing certificate?
The private/public key pairing
What is the main benefit of AD FS?
It gives users the ability to access AD-integrated applications while working remotely, using their standard organizational AD credentials via a web interface
What single sign-on experiences does AD FS support?
What is security auditing?
Track issues with password updates, request/response logging, request content headers and device registration results
What are the required certificates in order for AD FS to function properly? (Select all answers that apply)
Federation trust, Token signing, Secure Sockets Layer (SSL) and Certificate revocation list (CRL)
Can you use third-party authentication methods in conjunction with MFA with AD FS?
Yes, some examples include Okta, Mideye, Green Rocket security and more
What happens after a user on a registered device provides credentials for the first time?
By default, users with registered devices get single sign-on for a maximum period of 90 days, provided they use the device to access AD FS resources at least once every 14 days. After 15 days, users will be prompted for credentials again.
What is the purpose of Correlating Events?
It helps to correlate all events that are recorded to the Event Viewer, in both the admin and the debug logs
What does Event 385 mean?
AD FS detected that one or more certificates in the AD FS configuration database needs to be updated manually
When you are preparing your federation server do you need a dedicated device?
Yes, AD FS needs to be installed on the computer you want to use as the federation server
What happens if the device isn't registered but a user selects "Keep me signed in" option?
The expiration time of the refresh token will equal the persistent SSO cookie's lifetime for "Keep me signed in". The persistent SSO cookie lifetime is one day by default, with a maximum of seven days. Otherwise, the refresh token lifetime equals the session SSO cookie lifetime (8 hours by default).
Where can you find Windows Identity Foundation (WIF) and Windows Communication Foundation (WCF) messages in order to troubleshoot an issue?
This file is located in <%system root%>\Windows\ADFS and is in XML format.
What are the required certificates in order for AD FS to function properly?
Make sure that the certificate is trusted.
Make sure that SSL certificates are trusted by the clients.
Token-signing certificates need to be trusted by the relying parties.
Check the trust chain. Every certificate in the chain needs to be valid.
Verify the certificate's expiration date.
Check CRL accessibility.
Make sure the field for CRL distribution point (CDP) is populated.
Manually browse to the CDP.
Make sure the certificate wasn't revoked.
BONUS: What's the difference between AD FS and SSO?
AD FS exists on-prem, while most SSO exists almost exclusively online