Federating AD RMS

Applies To: Windows Server 2008, Windows Server 2008 R2

Increasingly, enterprises need to collaborate outside their enterprise boundaries and are looking at federation as a solution.

In AD RMS rights can be assigned to users who have federated trust through Active Directory Federation Services (AD FS). This enables an organization to share access to rights-protected content with another organization without having to establish a separate Active Directory trust or AD RMS infrastructure.

Active Directory Federation Services (AD FS) is a standards-based service that provides federation of identity by implementing claims-based authentication between forests. Claims-based authentication is the process of authenticating a user based on a set of claims about the user’s identity contained in a trusted token. This token is often issued and signed by an entity that is able to authenticate the user by other means and that is trusted by the entity performing the claims-based authentication.

In AD FS, identity federation is established between two organizations by establishing trust between two security realms. An AD FS server on one side (the Accounts side) authenticates the user through the standard means in Active Directory Domain Services and then issues a token that contains a series of claims about the user. This includes the user’s identity. On the other side, the Resources side, an AD FS server validates the token and issues another token that permits the local servers to accept the claimed identity. This allows a system to provide controlled access to its resources or services to a user who belongs to another security realm without requiring the user to authenticate directly to the system and without the two systems sharing a database of user identities or passwords.

In order to benefit from identity federation, a service has to be written to accept federated identities, and AD RMS is one such system. In particular, AD RMS is designed to accept requests for licenses from remote users through a single sign-on agent or Web SSO and to redirect them to the local federation server (which would be the server in the resource side of the federation, or AD FS-R). This server in turn asks the user to authenticate to its own side of the federation, the AD FS-A server in the user’s network) which requests authentication to Active Directory and issues the corresponding security token. The user then presents this token to the Web SSO, which validates the token and provides the identity to the AD RMS server. AD RMS is then able to issue the licenses requested by the user.

The whole process is illustrated in this diagram:

AD FS provides a very efficient and powerful way to deliver access to protected content to users in remote, independent organization, even organizations that have not deployed AD RMS servers. It also uses infrastructure that can be used for other federation purposes, such as providing access to extranet sites and to shared SharePoint-based sites.

AD RMS offers other solutions to enable the exchange of protected information between organizations, namely trusted user domains (TUDs) and trusted publishing domains (TPDs). TUDs and TPDs are used to integrate separate AD RMS infrastructures in independent forests, which allows for documents to be protected for users in the other forest. This also allows for protected documents that can be used with licenses issued by an AD RMS infrastructure different from the one that was used to protect the document. Therefore, they require the presence of an AD RMS infrastructure in each user environment, a limitation that the AD FS solution does not share. At the same time, AD FS integration for AD RMS has some limitations when you compare it to the other alternatives. One potentially significant limitation is that AD RMS with AD FS in its current implementation does not provide group expansion capabilities for remote groups. Because of this, remote users who belong to groups that have been assigned rights to a document will not be able to exercise those rights unless the rights have also been assigned to the users individually.

A second limitation is that AD FS integration depends on the capabilities of the client accessing the protected documents. Today, Windows Mobile clients are not able to authenticate through AD FS. These clients will not be able to consume AD RMS protected documents unless they are in the same forest as the AD RMS server that issued the publishing license or the organizations are using TUDs or TPDs to integrate the AD RMS infrastructures in each forest. In addition, the Rights Management Add-On (RMA) document viewer, typically used when the receiving user does not have IRM capable applications, does not support AD FS authentication.

Finally, if you use AD FS for AD RMS you will create some significant requirements on the infrastructure, such as access to the AD RMS servers from the Internet and specific configurations in the client. Client issues include the requirement for the remote federation servers’ URLs to be configured in the trusted zone in Internet Explorer and for the local federation servers’ URLs to be added to the intranet zone.

Despite these limitations, AD FS can provide major benefits, especially in those environments where the partner organizations cannot implement their own AD RMS servers, because it offers a solution that requires minimal trust between the organizations.

AD FS Certificates for Federation Servers

There are two types of certificates that are used for federation: SSL certificates and AD FS token-signing certificates.

An SSL certificate is used to encrypt the session between client and the server. These certificates are specific to IIS, not to AD FS. An SSL certificate must be trusted by the client computer that accesses the Web site. Becasue the client computer first visits the AD RMS site, and then the AD FS-Resource server, and finally the AD FS-Account server, the client must trust all three SSL certificates. For this reason, it may be most effective to obtain the SSL certificates from a third-party certification authority.

The subject name of the SSL certificate must match the names used in the AD FS configuration. For example, if you specify a federation server endpoint URL as https://adfs-account.treyresearch.net/adfs/ls/, the subject name on the SSL certificate for that server must be adfs-account.treyresearch.net. The same subject name rules also apply to the Web services accessed through AD FS. The name on the certificate should match the name that clients use to access the services.

Token-signing certificates should exist on each federation server. This certificate can be any X.509 certificate and the intended purpose or EKU is not important. When you install the AD FS role, the wizard prompts you to select a token-signing certificate or to allow the wizard to create a self-signed certificate. Self-signed certificates are acceptable for use in a lab but should not be used in production deployments.

If you select a token-signing certificate when you install the AD FS server role, you are presented a list of all certificates that are present in the local computer personal certificate store. Whichever option you select, the wizard places an export of the token-signing certificate in the list of verification certificates for the same computer. A verification certificate is just an export of the token-signing certificate. Each AD FS server must have a verification certificate for its own token-signing certificate. If you change the token-signing certificate later, the AD FS snap-in displays a message indicating that the new verification certificate was added to the list of verification certificates.

A token-signing certificate is used to sign the AD FS authentication token, the token that contains a user’s claim and is used to make authorization decisions at the Web site. The verification token is used to verify that the token was sent by the federated partner and that it has not been tampered with.

In a federated scenario, where there is an account partner and a resource partner, the account partner’s verification certificate must be present in the resource partner’s trust policy file. By default this certificate must be trusted, must be able to chain to the root, and must be able to access the certificate revocation lists.

Note

Using the SSL certificate for the token-signing certificate will succeed, but this should not be the configuration that you use in production because the two certificates perform separate functions.

Implementing a Sample Federated AD RMS Scenario

This section explains the integration steps of AD RMS and Active Directory Federation Services. If you complete this section, you will have a working federated AD RMS infrastructure that allows the exchange of rights protected documents with a partner organization.

The test environment used in this section includes eight computers:

Computer Name Operating System Applications and Services

cpandl-dc.cpandl.com

trey-dc.treyresearch.net

Windows Server 2003 with Service Pack 2

Active Directory Domain Services, Domain Name System (DNS)

adrms-srv.cpandl.com

Windows Server 2008

AD RMS, Internet Information Services (IIS) 7.0, and Message Queuing

adrms-db.cpandl.com

Windows Server 2003 with SP2

Microsoft SQL Server 2005 with Service Pack 2 (SP2)

adfs-resource.cpandl.com

adfs-account.treyresearch.net

Windows Server 2008 Enterprise

AD FS, Internet Information Services (IIS) 7.0

adrms-clnt.cpandl.com

adrms-clnt2.treyresearch.net

Windows Vista

Microsoft Office Word 2007 Enterprise Edition

There are several tasks that must be completed to create a federation trust for AD RMS:

  1. Installing and Configuring the AD FS Account Forest

  2. Installing and Configuring the AD FS Resource Forest

  3. Configuring the AD RMS Server to Work with AD FS

  4. Configuring AD RMS-Enabled Client Computers for Federation Support

Before you install AD FS and the AD RMS Identity Federation Support role service, set up the adfs-resource server in the cpandl.com domain and set up the adfs-account server in the treyresearch.net domain. You may also want to create user accounts in each domain for the AD FS administrator role and add them to the local Administrators groups on the AD FS servers.

The following mail-enabled user accounts must also be created for this sample implementation:

  • Nicole Holliday (nicole@cpandlo.com) in the cpandl.com domain

  • Terrence Philip (terrence@treyresearch.net) in the treyresearch.net domain

Finally, before proceeding validate that DNS name resolution is working correctly.

Installing and Configuring the AD FS Account Forest

In this demonstration, Trey Research installs and configures the Federation Service component of AD FS on the adfs-account computer. After the Federation Service is installed on a computer, that computer becomes a federation resource partner server.

Before performing this task, you must request two certificates from a certification authority and install them on the adfs-account test computer:

  • An SSL certificate with the common name set to “adfs-account.treyresearch.net”; after installing this certificate and adding the Web Server (IIS) server role, you must use IIS Manager to bind the certificate to the default Web site.

  • A token-signing certificate with the common name set to “TreyResearch - AD FS token signing certificate”; after installing this certificate, you must export it using the DER encoded binary X.509 format to a file named TreyResearch_ADFS_TS.cer.

This task consists of the following procedures:

  1. To install the AD FS server role on ADFS-ACCOUNT

  2. To configure the treyresearch.net forest trust policy

  3. To add an Active Directory account store

  4. To configure adfs-account as an AD FS account partner (FS-A) and add the resource partner (FS-R)

To install the AD FS server role on ADFS-ACCOUNT

  1. On the Start menu, click Server Manager.

  2. In the Roles Summary section, click Add Roles.

  3. On the Before You Begin page, click Next.

  4. On the Select Server Roles page, select Active Directory Federation Services, and then click Next.

  5. On the Active Directory Federation Services page, review the introduction and additional information as necessary, and then click Next.

  6. On the Select Role Services page, select Federation Service, and then click Next.

  7. On the Choose a Token-Signing Certificate page, under Choose an existing certificate, click TreyResearch - AD FS token signing certificate, and then click Next.

  8. On the Select Trust Policy page, click Next.

  9. On the Confirm Installation Selections page, click Install.

To configure the treyresearch.net forest trust policy

  1. On the Start menu, click Administrative Tools, and then click Active Directory Federation Services.

  2. In the console tree, expand Federation Service, and then click Trust Policy.

  3. Right-click Trust Policy, and then click Properties.

  4. In the Trust Policy Properties dialog box, on the General tab in Federation Service URI, type urn:federation:treyresearch.net.

  5. In Federation Service endpoint URL, type https://adfs-account.treyresearch.net/adfs/ls/

  6. Click the Display Name tab.

  7. In Display name for this trust policy, type TreyResearch.

  8. In the Verification Certificates tab, select the TreyResearch certificate and then click View.

  9. Review the certificate content and then click OK two times.

To add an Active Directory account store

  1. On the Start menu, click Administrative Tools, and then click Active Directory Federation Services.

  2. In the console tree, expand Trust Policy, and then expand My Organization.

  3. Right-click Account Stores, point to New, and then Account Store.

  4. In the Add Account Store wizard, click Next.

  5. On the Account Store Type page, click Active Directory Domain Services, and then click Next.

  6. On the Enable this Account Store page, make sure that Enable this account store is selected, and then click Next.

  7. Click Finish.

  8. In the details pane, right-click E-mail, and then click Properties.

  9. In the Claim Extraction Properties dialog box, select Enabled.

  10. In LDAP attribute, type mail, and then click OK.

To configure adfs-account as an AD FS account partner (FS-A) and add the resource partner (FS-R)

  1. On the Start menu, click Administrative Tools, and then click Active Directory Federation Services.

  2. In the console tree, expand Partner Organizations, right-click Resource Partners, point to New, and then click Resource Partner.

  3. In the Add Resource Partner wizard, click Next.

  4. On the Import Policy File page, click No, and then click Next.

  5. On the Resource Partner Details page, in Display name, type CP&L.

  6. In Federation Service URI, type urn:federation:cpandl.com.

  7. In Federation Service endpoint URL, type https://adfs-resource.cpandl.com/adfs/ls/, and then click Next.

  8. On the Federation Scenario page, click Federated Web SSO, and then click Next.

  9. On the Resource Partner Identity Claims page, select UPN Claim, select E-mail Claim, and then click Next.

  10. On the Select UPN Suffix page, click Pass all UPN suffixes through unchanged, and then click Next.

  11. On the Select E-mail Suffix page, click Pass all E-mail suffixes through unchanged, and then click Next.

  12. On the Enable this Resource Partner page, make sure that Enable this resource partner is selected, and then click Next.

  13. Click Finish.

Installing and Configuring the AD FS Resource Forest

The next task in this demonstration is to install and configure the Federation Service component of AD FS on the adfs-resource computer for City Power & Light. After the Federation Service is installed on a computer, that computer becomes a federation resource partner server.

Before performing this task, you must request two certificates from a certification authority and install them on the adfs-resource test computer:

  • An SSL certificate with the common name set to “adfs-resource.cpandl.com”; after you install this certificate and adding the Web Server (IIS) server role, you must use IIS Manager to bind the certificate to the default Web site.

  • A token-signing certificate with the common name set to “CPandL - AD FS token signing certificate”; you are not required to export this certificate.

This task consists of the following procedures:

  1. To install the AD FS server role on adfs-resource

  2. To configure the cpandl.com forest trust policy

  3. To add an Active Directory account store

  4. To add and configure AD RMS as a claims-aware application

  5. To add and configure an AD FS account partner

To install the AD FS server role on adfs-resource

  1. On the Start menu, click Server Manager.

  2. In the Roles Summary section, click Add Roles.

  3. On the Before You Begin page, click Next.

  4. On the Select Server Roles page, select Active Directory Federation Services, and then click Next.

  5. On the Active Directory Federation Services page, review the introduction and additional information as necessary, and then click Next.

  6. On the Select Role Services page, select Federation Service, and then click Next.

  7. On the Choose a Token-Signing Certificate page, under Choose an existing certificate, click CPandL - AD FS token signing certificate, and then click Next.

  8. On the Select Trust Policy page, click Next.

  9. On the Confirm Installation Selections page, click Install.

To configure the cpandl.com forest trust policy

  1. On the Start menu, click Administrative Tools, and then click Active Directory Federation Services.

  2. In the console tree, expand Federation Service, and then click Trust Policy.

  3. Right-click Trust Policy, and then click Properties.

  4. In the Trust Policy Properties dialog box, on the General tab in Federation Service URI, type urn:federation:cpandl.com.

  5. In Federation Service endpoint URL , type https://adfs-resource.cpandl.com/adfs/ls/

  6. Click the Display Name tab.

  7. In Display name for this trust policy , type CP&L.

  8. On the Verification Certificates tab, select the CP&L certificate and then click View.

  9. Review the certificate content and then click OK two times.

To add an Active Directory account store

  1. On the Start menu, click Administrative Tools, and then click Active Directory Federation Services.

  2. In the console tree, expand Trust Policy, and then expand My Organization.

  3. Right-click Account Stores, point to New, and then Account Store.

  4. In the Add Account Store wizard, click Next.

  5. On the Account Store Type page, click Active Directory Domain Services, and then click Next.

  6. On the Enable this Account Store page, make sure that Enable this account store is selected, and then click Next.

  7. Click Finish.

  8. In the details pane, right-click E-mail, and then click Properties.

  9. In the Claim Extraction Properties dialog box, select Enabled.

  10. In LDAP attribute , type mail, and then click OK.

To add and configure AD RMS as a claims-aware application

  1. On the Start menu, click Administrative Tools, and then click Active Directory Federation Services.

  2. In the console tree, right-click Applications, point to New, and then click Application.

  3. In the Add Application wizard, click Next.

  4. On the Application Type page, click Claims-aware application, and then click Next.

  5. On the Application Details page, in Application display name, type AD RMS Certification.

  6. In Application URL, type https://adrms-srv.cpandl.com/\_wmcs/certificationexternal/, and then click Next.

Important

The application URL is case sensitive, and the computer name in the URL must match the friendly name of the SSL certificate of the AD RMS server exactly. If the names do not match, AD FS will not function correctly.

  1. On the Accepted Identity Claims page, select User principal name, select E-mail, and then click Next.

  2. On the Enable this Application page, make sure that Enable this application is selected, and then click Next.

  3. Click Finish.

  4. In the console tree, right-click Applications, point to New, and then click Application.

  5. In the Add Application wizard, click Next.

  6. On the Application Type page, click Claims-aware application, and then click Next.

  7. On the Application Details page, in Application display name, type AD RMS Licensing.

  8. In Application URL, type https://adrms-srv.cpandl.com/\_wmcs/licensingexternal/, and then click Next.

Important

The application URL is case sensitive, and the computer name in the URL must match the friendly name of the SSL certificate of the AD RMS server exactly. If the names do not match, AD FS will not function correctly.

  1. On the Accepted Identity Claims page, select User principal name, select E-mail, and then click Next.

  2. On the Enable this Application page, make sure that Enable this application is selected, and then click Next.

  3. Click Finish.

To add and configure an AD FS account partner

  1. If necessary, copy the Trey Research AD FS token signing certificate (TreyResearch_ADFS_TS.cer) a local drive.

  2. On the Start menu, click Administrative Tools, and then click Active Directory Federation Services.

  3. In the console tree, expand Federation Service, expand Trust Policy, and then expand Partner Organizations.

  4. Right-click Account Partners, point to New, and then click Account Partner.

  5. On the Welcome to the Add Account Partner Wizard page, click Next.

  6. On the Import Policy File page, make sure that No is selected, and then click Next.

  7. On the Account Partner Details page, in Display name, type TreyResearch.

  8. In Federation Service URI, type urn:federation:treyresearch.net.

Important

This value is case sensitive.

  1. In Federation Service endpoint URL, type https://adfs-account.treyresearch.net/adfs/ls/, and then click Next.

  2. On the Account Partner Verification Certificate page, click Browse, select the certificate file TreyResearch_ADFS_TS.cer, and then click Next.

  3. On the Federation Scenario page, click Federated Web SSO, and then click Next.

  4. On the Account Partner Identity Claims page, select the UPN Claim and E-mail Claim check boxes, and then click Next.

  5. On the Accepted UPN Suffixes page, type treyresearch.net, click Add, and then click Next.

  6. On the Accepted E-mail Suffixes page, type treyresearch.net, click Add, and then click Next.

  7. On the Enable this Account Partner page, make sure that the Enable this account partner check box is selected, and then click Next.

  8. On the Completing the Add Account Partner Wizard page, click Finish.

Configuring the AD RMS Server to Work with AD FS

After configuring AD FS in both forests to federate with each other, you must also configure AD RMS to work with AD FS. This task consists of the following procedures:

  1. To grant security audit privileges to the AD RMS service account

  2. To specify the AD RMS extranet cluster URLs

  3. To add the AD RMS Identity Federation Support role service

  4. To enable federated identity support for the AD RMS cluster

The AD RMS service account must be able to generate security audit events when it uses AD FS.

To grant security audit privileges to the AD RMS service account

  1. Log on to adrms-srv as a member of the local administrators group.

  2. Click Start, point to Administrative Tools, and then click Local Security Policy.

  3. Expand Local Policies, and then click User Rights Assignment.

  4. Double-click Generate security audits.

  5. Click Add User or Group.

  6. Type cpandl\adrmssrvc, and then click OK.

  7. Click OK to close the Generate security audits properties sheet.

  8. Close the Local Security Policy window.

AD RMS-enabled clients that consume rights-protected content through a federated trust use the AD RMS extranet cluster URLs to create a rights account certificate.

Important

You must specify the AD RMS extranet cluster URLs before you install the Identity Federation Support role service. If Identity Federation Support is added before the extranet cluster URLs have been specified, you must specify them by manually editing the web.config files in the certificationexternal and licensingexternal folders.

To specify the AD RMS extranet cluster URLs

  1. Log on to AD RMS server adrms-srv as the AD RMS administrator.

  2. Click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.

  3. Right-click adrms-srv.cpandl.com, and then click Properties.

  4. Click the Cluster URLs tab, and then select the Extranet URLs check box.

  5. For Licensing, select https://, and then type adrms-srv.cpandl.com.

  6. For Certification, select https://, type adrms-srv.cpandl.com, and then click OK.

After specifying the cluster extranet URLs, you can add the Identify Federation Support role service to the AD RMS server.

To add the AD RMS Identity Federation Support role service

  1. Log on to the AD RMS server adrms-srv as the AD RMS administrator.

  2. Click Start, point to Administrative Tools, and then click Server Manager.

  3. In the Roles Summary box, click Active Directory Rights Management Services, and then click Add Role Services.

  4. Select Identity Federation Support. Ensure that the Claims-aware Agent is listed as a required role service, and then click Add Required Role Services.

  5. On the Select Role Service page, click Next.

  6. On the Configure Identity Federation Support page, type adfs-resource.cpandl.com, click Validate, and then click Next.

  7. On the Introduction to AD FS page, click Next.

  8. On the AD FS Role Service page, confirm that Claims-aware Agent is selected, and then click Next.

  9. Click Install to add the Identity Federation Support role service to the ADRMS-SRV computer.

  10. Click Finish.

After adding the Identity Federation Support role service, you must enable federated identity support for the AD RMS cluster. Once enabled, federated identity support allows for user accounts to use credentials established by a federated trust relationship through AD FS to obtain a rights account certificate from an AD RMS cluster.

Important

Before performing this procedure, close all instances of Server Manager and the AD RMS snap-in.

To enable federated identity support for the AD RMS cluster

  1. Log on to AD RMS server adrms-srv as the AD RMS administrator.

  2. Click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.

  3. In the console tree, expand adrms-srv.

  4. Expand Trust Policies, and then click Federated Identity Support.

  5. In the Actions pane, click Enable Federated Identity Support.

  6. In the Actions pane, click Properties.

  7. On the Active Directory Federation Service Policies tab, in Federated Identity Certificate validity period, type 7. This is the number of days that federated rights account certificates are to be valid.

  8. Click OK.

Configuring AD RMS-Enabled Client Computers for Federation Support

You must configure client computers in the treyresearch.net domain (for example, adrms-clnt2) for federation support with AD RMS. The registry entry HKLM\Software\Microsoft\MSDRM\Federation\FederationHomeRealm assigns the AD FS home realm for AD RMS.

To configure the AD RMS-enabled client computer for federation support

  1. Log on to the client computer as a member of the local Administrators group.

  2. Click Start, type regedit.exe, and then press the ENTER key.

  3. In the console tree, expand HKEY_LOCAL_MACHINE, expand Software, and then expand Microsoft.

  4. Right-click Microsoft, point to New, click Key, type MSDRM and then press ENTER.

  5. Right-click MSDRM, point to New, click Key, type Federation and then press ENTER.

  6. Right-click Federation, point to New, click String Value, type FederationHomeRealm, and then press ENTER.

  7. Double-click FederationHomeRealm, type https://adfs-account.treyresearch.net/adfs/, and then click OK.

By performing the tasks in this section, you have deployed identity federation with AD RMS. You can use this deployment to explore some of the additional capabilities of AD RMS through additional configuration and testing.

By using AD RMS together with AD FS, an organization can enable its users to collaborate securely with people in other companies. These users will know for sure that any documents they protect will only be accessed by authorized users because they can apply access policies and user permissions to the information, whether the authorized users are inside or outside the organization.

The next section shows how to use this AD RMS and AD FS together to protect content stored by Microsoft Office SharePoint Server 2007.