Exam 70-742 topic 1 question 219 discussion

Actual exam question from Microsoft's 70-742
Question #: 219
Topic #: 1

You have users that access web applications by using HTTPS. The web applications are located on the servers in your perimeter network. The servers use certificates obtained from an enterprise root certification authority (CA). The certificates are generated by using a custom template named WebApps. The certificate revocation list (CRL) is published to Active Directory.
When users attempt to access the web applications from the Internet, the users report that they receive a revocation warning message in their web browser. The users do not receive the message when they access the web applications from the intranet.
You need to ensure that the warning message is not generated when the users attempt to access the web applications from the Internet.
What should you do?

  • A. Install the Certificate Enrollment Web Service role service on a server in the perimeter network.
  • B. Modify the WebApps certificate template, and then issue the certificates used by the web application servers.
  • C. Install the Web Application Proxy role service on a server in the perimeter network. Create a publishing point for the CA.
  • D. Modify the CRL distribution point, and then reissue the certificates used by the web application servers.
Suggested Answer: D

Comments

paprda
Highly Voted 5 years, 10 months ago
Users get a revocation warning while on the Internet, but not on the Intranet. So where is the revocation information? According to the question, it’s published to Active Directory. That explains why they can’t get there from the Internet: the company’s AD is not exposed to the Internet. So we need to publish the revocation list to another location, one that the Internet-based clients CAN get to. A public-facing webserver, for example. We do this by adding that new location as a Certificate Revocation List (CRL) distribution point. Since the location(s) is/are stored in the certificate, we’ll need to re-issue. So, as far as I’m concerned, the answer is D.
upvoted 10 times
lbs
5 years ago
Good point! Thank you for the explanation.
upvoted 1 times
Chochi
4 years, 5 months ago
Good explanation!!!
upvoted 1 times
ArchBishop
Highly Voted 5 years, 11 months ago
The CRL is being distributed to AD. And because, generally, AD is not exposed to the Internet, users cannot access the CRL. The only way to solve this is to move the Distribution Point to a location that is in a DMZ that is accessible from the Internet; a Web Server, for example.
upvoted 10 times
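The fix both comments above describe (answer D), as an added PowerShell example that is not part of the original discussion: add an Internet-reachable HTTP CRL distribution point on the CA, republish the CRL, then confirm a reissued certificate carries it. The host `crl.example.com`, the share `\\web01.example.com\pki`, the helper `Get-CdpUrl` and the thumbprint placeholder are assumptions for illustration.

```powershell
# Added example. crl.example.com, \\web01.example.com\pki and <THUMBPRINT>
# are placeholders, not values from the question.
Import-Module ADCSAdministration

# 1. On the CA: list the current CDP entries. The ldap:/// entry is the one
#    Internet clients cannot reach; keep it for intranet clients.
Get-CACrlDistributionPoint | Format-List Uri, AddToCertificateCdp, PublishToServer

# 2. Have the CA write base and delta CRLs to the share behind the public web server.
Add-CACrlDistributionPoint -Force -PublishToServer -PublishDeltaToServer `
    -Uri 'file://\\web01.example.com\pki\<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl'

# 3. Embed the matching HTTP URL in the CDP extension of newly issued certificates.
#    Plain HTTP is used so that fetching the CRL does not itself need a revocation check.
Add-CACrlDistributionPoint -Force -AddToCertificateCdp -AddToFreshestCrl `
    -Uri 'http://crl.example.com/pki/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl'

# 4. Apply the change and publish a fresh CRL to every configured location.
Restart-Service -Name CertSvc
certutil -CRL

# 5. On a web server, after the certificate has been reissued: read the CDP
#    extension (OID 2.5.29.31) and list the URLs it contains.
function Get-CdpUrl {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $ext = $Certificate.Extensions['2.5.29.31']
    if (-not $ext) { return }                      # certificate has no CDP at all
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') |
        ForEach-Object { $_.Groups[1].Value }
}

$cert = Get-Item 'Cert:\LocalMachine\My\<THUMBPRINT>'
$urls = @(Get-CdpUrl -Certificate $cert)
$urls

# A certificate whose only CDP is ldap:/// or file:// still triggers the
# revocation warning for Internet clients: it was issued before the change.
if (-not ($urls -match '^http://')) {
    Write-Warning "No HTTP CDP in $($cert.Subject); reissue this certificate."
}
```

Certificates issued before step 3 keep their old CDP extension, which is why the answer includes reissuing them.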
Kamikazekiller
Most Recent 4 years, 11 months ago
Answer is: D. Modify the CRL distribution point, and then reissue the certificates used by the web application servers.
upvoted 3 times
panda
5 years, 6 months ago
I agree with coleman and think D is correct. Using LDAP, it isn't possible to publish the CRL to the Internet. So, you need to move the CDP and AIA to a different server, a web server.
upvoted 2 times
coleman
5 years, 6 months ago
The answer D is correct.
upvoted 2 times
coleman
5 years, 6 months ago
According to "The users do not receive the message when they access the web applications from the intranet," the CRL distribution point is only accessible from internal networks; a publicly accessible CRL distribution point is missing from the SSL certificate. Therefore B is the correct approach to solve the problem: add a publicly accessible CRL Distribution Point (CDP) to the template and reissue the SSL certificate to the web server. Answer B is incorrect; it did not mention which aspect of the template is to be modified. Answer C is incorrect: since a certificate template CDP on internal networks uses the LDAP protocol or SMB protocol by default, deploying an HTTP/HTTPS-based web application proxy would not help. Answer A is totally irrelevant.
upvoted 10 times
Gary
5 years, 7 months ago
Problem
You may encounter the following error message: "Revocation information for the security certificate for this site is not available"

Cause
This problem may occur if the client browser is not able to access the Certificate Revocation List (CRL) Distribution Point (CDP) of the certificate used to secure the Web site.

Resolution
Run the following commands:
1. Locate the Certificate Revocation List (CRL) Distribution Point (CDP) of the certificate.
2. Open Microsoft Internet Explorer.
3. From the Tools menu, click Internet Options.
4. Click the Content tab.
5. Click Certificates.
6. Select the certificate and click View.
7. Click the Details tab.
8. Click CRL Distribution Point to view the URL of the Certificate Revocation List (CRL).
9. Edit your firewall settings to allow access to the CRL.
upvoted 2 times
Gary
5 years, 7 months ago
Hi guys, I think this answer is right. Check below:
upvoted 1 times
panda
5 years, 8 months ago
I think C is correct. Since there is the perimeter network and the CA is located in the intranet, in the perimeter network any server is needed as the CA, such as Web proxy server. On this precondition Web proxy server can be located in the perimeter network as the CA. In D though Modify the CRL distribution point, the CA is located in the intranet which can't be accessed from the Internet.
upvoted 2 times