Deploying Active Directory Rights Management Services with Active Directory Federation Services 18
Steps to complete this AD RMS with AD FS deployment 19
Step 1: Preparing the resource partner organization (Contoso) 21
Step 2: Preparing the account partner organization (Trey Research) 24
Safeguard sensitive information. Applications such as word processors, e-mail clients, and line-of-business applications can be AD RMS-enabled to help safeguard
sensitive information. Users can define who can open, modify, print, forward, or take other actions with the information. Organizations can create custom usage
policy templates such as "confidential - read only" that can be applied directly to the information.
Persistent protection. AD RMS augments existing perimeter-based security solutions, such as firewalls and access control lists (ACLs), for better information
protection by locking the usage rights within the document itself, controlling how information is used even after it has been opened by intended recipients.
Flexible and customizable technology. Independent software vendors (ISVs) and developers can AD RMS-enable any application or enable other servers, such as
content management systems or portal servers running on Windows or other operating systems, to work with AD RMS to help safeguard sensitive information. ISVs
can integrate information protection into server-based solutions such as document and records management, e-mail gateways and archival systems,
automated workflows, and content inspection.
AD RMS provides developer tools and industry security technologies—including encryption, certificates, and authentication—to help organizations create reliable
information protection solutions. For creating customized AD RMS solutions, an AD RMS software development kit (SDK) is available.
Features in AD RMS
By using Server Manager, you can set up the following components of AD RMS:
Active Directory Rights Management Services. The Active Directory Rights Management Services (AD RMS) role service is a required role service that installs the
AD RMS components used to publish and consume rights-protected content.
Identity Federation Support. The identity federation support role service is an optional role service that allows federated identities to consume rights-protected
content by using Active Directory Federation Services.
Microsoft Federation Gateway Support. The Microsoft Federation Gateway is an identity service that runs over the Internet and mediates between an organization
or business and the external services that the organization wants to use. The gateway connects users and other identities to the services that it works with, so that an
organization only has to manage a single identity-federation relationship to enable its identities to access all Microsoft and Microsoft-based services they want to
use.
Processor requirement: One Pentium 4 3 GHz processor or higher
Processor recommendation: Two Pentium 4 3 GHz processors or higher
Note
A limited set of server roles is available for the Server Core installation option of Windows Server 2008 and for Windows Server 2008 for Itanium-Based
Systems.
To assist with your hardware considerations, use testing in a lab environment, data from existing hardware in a production environment, and pilot roll-outs to determine the
capacity needed for your server.
The following table describes the software requirements for running Windows Server 2008 R2-based servers with the AD RMS server role. For requirements that can be met
by enabling features on the operating system, installing the AD RMS server role will configure those features as appropriate, if they are not already configured.
Software: Active Directory or Active Directory Domain Services
Requirement: AD RMS must be installed in an Active Directory domain in which the domain controllers are running Windows Server 2000 with Service Pack 3 (SP3),
Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2. All users and groups who use AD RMS to acquire licenses and publish content must have
an e-mail address configured in Active Directory.
Software: Database server
Requirement: AD RMS requires a database server, such as Microsoft SQL Server 2005 or Microsoft SQL Server 2008, and stored procedures to perform operations.
The AD RMS server role on Windows Server 2008 R2 does not support Microsoft SQL Server 2000.
The AD RMS-enabled client must have an AD RMS-enabled browser or application, such as Microsoft Word, Outlook, or PowerPoint in Microsoft Office 2007. These
applications require the Enterprise, Professional Plus, or Ultimate versions of Microsoft Office 2007 to create rights-protected content. For additional security, AD RMS can be
integrated with other technologies such as smart cards.
Windows 7 and Windows Vista include the AD RMS client by default, but other client operating systems must have the RMS client installed. The RMS client with Service
Pack 2 (SP2) can be downloaded from the Microsoft Download Center and works on versions of the client operating system earlier than Windows Vista and Windows
Server 2008.
For more detailed information about hardware and software considerations with AD RMS, see the Pre-installation Information for Active Directory Rights Management
Services topic on the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=84733).
Installing AD RMS
After you finish installing the operating system, you can use Initial Configuration Tasks or Server Manager to install server roles. To install AD RMS, in the list of tasks,
click Add roles, and then click the Active Directory Rights Management Services check box.
For detailed instructions about installing and configuring AD RMS in a test environment, see the AD RMS installation Step-by-Step Guide
(http://go.microsoft.com/fwlink/?LinkId=72134).
Managing AD RMS
Server roles are managed by using a Microsoft Management Console (MMC) snap-in. Use the Active Directory Rights Management Services console to manage AD RMS. To
open the Active Directory Rights Management Services console, click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.
Install and configure ISA Server 2006 Standard Edition with AD RMS.
ISA Server 2006 Standard Edition is not required for AD RMS. Any reverse proxy server that has the ability to listen on TCP ports 80 and 443 can be
used. For the purposes of this guide, we will use ISA Server 2006 Standard Edition.
Guidance for setting up and configuring AD RMS in either a production or test environment. This guide assumes that AD RMS is already configured
for a test environment. For more information about configuring AD RMS, see the Windows Server Active Directory Rights Management Services
Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=72134).
Complete technical reference for AD RMS or Microsoft ISA Server 2006 Standard Edition. For more information about Microsoft ISA Server 2006
Standard Edition, visit the ISA Server 2006 Technical Library (http://go.microsoft.com/fwlink/?LinkId=90738).
Note
You will also need a USB flash drive or another medium to copy the files from the AD RMS-enabled client to the AD RMS-enabled extranet client.
Computer name | Operating system | Applications and services
ADRMS-SRV | Windows Server 2008 | AD RMS, Internet Information Services (IIS) 7.0, Message Queuing, and Windows Internal Database
CPANDL-DC | Windows Server 2003 with Service Pack 1 (SP1) | Active Directory, Domain Name System (DNS)
ADRMS-DB | Windows Server 2003 with SP1 | Microsoft SQL Server 2005 Standard Edition
ISA-SRV | Windows Server 2003 with SP1 | Microsoft ISA Server 2006 Standard Edition
Note
This computer must have two network adapters so that ISA Server 2006 can
distinguish between the public and private IP addresses.
In a production environment, the ISA server's external address would be an IP address available to the Internet, giving extranet users the ability to consume
rights-protected content.
Configure the extranet cluster URL in the Active Directory Rights Management Services console.
Export the server authentication certificate, including the private key, on ADRMS-SRV. This will be imported into the Personal certificate store on the ISA server
(ISA-SRV).
In order for users who are not connected to your organization's internal network to consume rights-protected content, you must configure the AD RMS extranet cluster
URLs. These URLs are included in the AD RMS client licensor certificate and published with all rights-protected content. These URLs should be an address that is available to
all computers on the Internet.
Note
You must configure the extranet cluster URLs before you can rights-protect content. If you already have rights-protected content, the AD RMS-enabled
client must download a new client licensor certificate that includes the extranet cluster URL.
Configuring the extranet cluster URLs is done through the Active Directory Rights Management Services console. You should follow these steps to accomplish this task:
Note
In a production environment, this step is not required because the extranet client computer's Internet Service Provider will handle the DNS resolution.
To create an entry in the HOSTS file for AD RMS extranet cluster URL
1. Log on to ADRMS-EXCLNT as a member of the local Administrators group.
2. Click Start, point to All Programs, click Accessories, and then click Notepad.
3. Within Notepad, click File, and then click Open.
4. Navigate to C:\windows\System32\drivers\etc\HOSTS, and then click Open.
Note
To show the HOSTS file, when you get to the etc folder you must select All Files (above the Open button).
Important
Only the Ultimate, Professional Plus, and Enterprise editions of Microsoft Office 2007 allow you to create rights-protected content. All editions will allow
you to consume rights-protected content.
Note
A USB flash drive is not required in this scenario. Any means of getting the document to the extranet client computer will work, such as attaching the
document to an e-mail message and sending it to Stuart. In that example, Stuart would then open the document contained in the e-mail message on the
extranet client computer.
Caution
Once this document has been consumed, any other user who logs on to the computer with the same user account will also be able to consume the
document.
2. Insert the USB flash drive, and then double-click the ADRMS-TST.docx file.
3. In the User name box, type cpandl\srailson. In the Password box, type the password for Stuart Railson, and then click OK.
The following message appears: "Permission to this document is currently restricted. Microsoft Office must connect to
https://adrms-srv.cpandl.com/_wmcs/licensing to verify your credentials and download your permissions."
4. Click OK.
The following message appears: "You are attempting to send information to an Internet site (https://adrms-srv.cpandl.com) that is not in your Local,
Intranet, or Trusted zones. This could pose a security risk. Do you want to send the information anyway?"
5. Click Yes.
The following message appears: "Verifying your credentials for opening content with restricted permissions…".
6. When the document opens, click the Microsoft Office Button. Notice that the Print option is not available.
7. Click View Permission in the message bar. You can see that srailson@cpandl.com (Stuart Railson) has been restricted so that he can only read the document.
8. Click OK to close the My Permissions dialog box, and then close Microsoft Word.
You have successfully deployed and demonstrated the functionality of AD RMS in an extranet, using the simple scenario of applying restricted permissions to a Microsoft
Word 2007 document. You can also use this deployment to explore some of the additional capabilities of AD RMS through additional configuration and testing.
Use this step-by-step guide to help you deploy Active Directory Rights Management Services (AD RMS) with Active Directory Federation Services (AD FS) in a test
environment, as a proof of concept. The instructions cover how to install and configure AD RMS to use AD FS to establish a federated trust that can be used over the Internet
with another organization that has not deployed AD RMS. This solution lets this other organization consume content that your organization has protected by using AD RMS.
When you’ve completed the instructions in this guide, the final step includes a simple verification that somebody from the other organization can read but cannot print a
document that you’ve protected. However, you can then go on to explore some of the additional capabilities of AD RMS by doing your own testing and additional
configuration, and if required, plan a deployment on your production network.
Tip
For more information about AD RMS, see Active Directory Rights Management Services Overview.
For background information about AD FS, and to help explain some of the terms used in this guide, see Understanding Key AD FS Concepts.
For more information about AD FS deployment, see Deploying a Federation Server Farm.
For technical support, use the TechNet forum for AD RMS: Active Directory Rights Management Services (On Premises)
The computers form two private intranets to represent two independent forests. In a production environment, these would be connected by using the Internet with a more
complex network topology, but for the purposes of this test network, the two forests are connected by using a common hub or Layer 2 switch. This configuration makes it
easier to deploy in a virtual server environment.
In addition, in a production environment, as a security best practice, these computers would be behind a firewall and the two AD FS servers would communicate by using
Web Application Proxy, or a similar proxy technology. Communication between the two organizations uses HTTPS (typically, using TCP port 443). In our example, HTTP is also
used for certificate revocation checking to the other organization’s CA. For more information about how to deploy Web Application Proxy, see Planning to Publish
Applications Using Web Application Proxy.
Step 1: Preparing the resource partner organization (Contoso). Creates the Contoso.com domain, with three servers and one Windows client computer. One server is the
domain controller with DNS and an enterprise CA, another server is for SQL Server and AD RMS, and the third server is for AD FS.
Additionally: DNS is configured, the AD FS URL and RMS service URL are added to the Intranet zone for clients, and user accounts are created that will be used for
this deployment.
Step 2: Preparing the account partner organization (Trey Research). Creates the Trey.net domain, with two servers and one Windows client computer. One server is the
domain controller with DNS and an enterprise CA, and the second server is for AD FS.
Additionally: DNS is configured, the AD FS URL is added to the local intranet zone for clients, and user accounts are created that will be used for this deployment.
Step 3: Deploying the PKI certificates. Deploys three PKI server certificates to support this test deployment and creates a PKI trust between the two internal
enterprise CAs so that a server certificate that is issued by one organization is trusted by the other organization. If you purchase these certificates from a public CA,
you can skip this step.
Step 4: Installing and configuring AD RMS in the resource partner organization (Contoso). Configures the member server for Contoso to run AD RMS with IIS and
SQL Server. AD RMS is configured to support Identity Federation. Additional configuration is required for AD RMS.
Step 5: Installing and configuring AD FS for both organizations. Installs and configures AD FS in both organizations. Because we’re using self-signed certificates
rather than PKI certificates to sign the tokens, the token signing certificates are exported and imported to the computers that need to trust these certificates.
AD FS configuration:
Two relying party trusts are created in the resource organization (one for RMS certification and the other for RMS licensing) for the Active Directory store with two
claim rules for LDAP attributes and email addresses.
A claims provider trust is created in the resource organization with one claim rule for email.
A relying party trust is created in the account organization (for RMS certification) for the Active Directory store with one claim rule for LDAP attributes.
Step 6: Preparing the Trey Research client for AD RMS: Configuring the Federation Home Realm. Configures the client in the Trey Research organization so that Office
uses the federation home realm for AD FS.
Step 7: Verifying the AD RMS and AD FS deployment. Tests AD RMS and AD FS by protecting a Word document in the Contoso organization such that a user in the
Trey Research organization can open the document but as read-only.
ContosoRMS 192.168.111.2/24 Member server onto which we’ll later install AD RMS.
o IP address of 192.168.111.1, subnet mask of 255.255.255.0, and preferred DNS server of 127.0.0.1.
2. Add the Active Directory Domain Services role and make the computer a domain controller with default settings except for the following configuration:
o New forest with root domain name of contoso.com
3. Configure DNS for the following:
o Resolve names for Trey Research (trey.net): Forwarder of 192.168.111.100
o For AD RMS: New host (A) record with name of rmsservice and IP address of 192.168.111.2 (associated PTR record is optional)
o For AD FS: New host (A) record with name of ContosoADFS and IP address of 192.168.111.3 (associated PTR record is optional)
4. Add the Active Directory Certificate Services role with the following configuration:
o Certification Authority as an Enterprise CA, root CA named ContosoRootCA. Accept all installation defaults except for the following:
a. Add the Certification Authority Web Enrollment role service. This provides a quick and convenient method to publish the certificate revocation list
(CRL) over HTTP so that it’s accessible to computers in the Trey Research organization.
b. After the install, configure the CA properties, Extension tab: Make sure that CRL Distribution Point (CDP) is selected, select the http:// entry in the
list box, and then select both of the options Include in CRLs. Clients use this to find Delta CRL locations and Include in the CDP extension of issued certificates.
These two options are required so that computers in the Trey Research organization can locate this CRL for the issuing CA in the Contoso
organization. Restart Active Directory Certificate Services when prompted.
Note
In a production environment, do not use this configuration, which increases the attack surface. Instead, install the CA on a separate server from the
domain controller, and publish the CRL on a separate web server. The configuration that we use here reduces the number of computers required and the
number of configuration steps required to support this test network. If you purchase PKI server certificates, you do not even need to install the
certification authority role.
5. For all clients, add the URL for the local federation server and the RMS service to the local intranet zone, by configuring the following Group Policy for all client
computers (for example, in our test environment, you can edit the Default Domain Policy, or create a new Group Policy object that’s linked to the domain):
o Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security
Page > Site to Zone Assignment List:
This setting enables Windows integrated authentication, so that users are not prompted for their credentials.
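The DNS records above (step 3) and the verification that clients can resolve them are easy to script and re-check. The following PowerShell is an added example, not part of the original guide: it creates the two A records in contoso.com with the DnsServer module on ContosoDC, adds the forwarder for trey.net, and then resolves every name the later steps depend on and compares the answer with the addresses the guide assigns. It assumes the DnsServer module (installed with the DNS role) is available, that it runs as a DNS administrator on ContosoDC, and that the "forwarder of 192.168.111.100" is implemented as a conditional forwarder scoped to trey.net (the guide says only "forwarder"; a zone-scoped forwarder is the narrower choice). The TreyADFS check only succeeds once the Trey Research domain controller from Step 2 exists.

```powershell
# Added example (not from the original guide): create and verify the Contoso lab DNS
# records on ContosoDC with the DnsServer module.
# Assumptions: DnsServer module present, run as a DNS administrator on ContosoDC,
# and the trey.net forwarder is modelled as a conditional forwarder.

$ZoneName  = 'contoso.com'
$DnsServer = '192.168.111.1'      # ContosoDC, the DNS server clients are pointed at

# Host (A) records from step 3 of the ContosoDC configuration (PTR records are optional).
$Records = @(
    @{ Name = 'rmsservice';  IPv4Address = '192.168.111.2' }   # AD RMS cluster name
    @{ Name = 'ContosoADFS'; IPv4Address = '192.168.111.3' }   # AD FS server
)

foreach ($r in $Records) {
    $existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $r.Name -RRType A -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $r.Name -IPv4Address $r.IPv4Address
        Write-Host "Created A record $($r.Name).$ZoneName -> $($r.IPv4Address)"
    } else {
        Write-Host "A record $($r.Name).$ZoneName already exists ($($existing.RecordData.IPv4Address))"
    }
}

# Conditional forwarder so contoso.com computers can resolve the partner's AD FS name.
if (-not (Get-DnsServerZone -Name 'trey.net' -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name 'trey.net' -MasterServers '192.168.111.100'
    Write-Host 'Created conditional forwarder for trey.net -> 192.168.111.100'
}

# Verification: each name used later in the guide must resolve to the expected address.
$Expected = @{
    'rmsservice.contoso.com'  = '192.168.111.2'
    'ContosoADFS.contoso.com' = '192.168.111.3'
    'TreyADFS.trey.net'       = '192.168.111.101'   # answered via the forwarder once TreyDC exists
}
foreach ($name in $Expected.Keys) {
    $answer = Resolve-DnsName -Name $name -Type A -Server $DnsServer -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
    if ($answer -and $answer.IPAddress -eq $Expected[$name]) {
        Write-Host "OK    $name -> $($answer.IPAddress)"
    } else {
        Write-Warning "FAIL  $name (got '$($answer.IPAddress)', expected $($Expected[$name]))"
    }
}
```

Run it again after Step 2 is complete; a FAIL line for TreyADFS.trey.net at that point means the forwarder or the Trey DNS zone is wrong, which would otherwise only surface as an opaque AD FS trust error in Step 5.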
Add the following user accounts to the contoso.com domain, with the additional following configuration choices:
Clear the User must change password at next logon check box.
Account name User logon name Email address Make member of domain group
o IP address of 192.168.111.2, subnet mask of 255.255.255.0, and preferred DNS server of 192.168.111.1.
2. Join the computer to the Contoso.com domain, and then add the CONTOSO\AdrmsAdmin account to the local Administrators group.
We’ll configure this server for AD RMS later.
o IP address of 192.168.111.3, subnet mask of 255.255.255.0 and preferred DNS server of 192.168.111.1.
o IP address of 192.168.111.10, subnet mask of 255.255.255.0, and preferred DNS server of 192.168.111.1.
o IP address of 192.168.111.100, subnet mask of 255.255.255.0, and preferred DNS server of 127.0.0.1.
2. Add the Active Directory Domain Services role and make the computer a domain controller with default settings except for the following configuration:
o New forest with root domain name of trey.net
o For AD FS: New host (A) record with name of TreyADFS and IP address of 192.168.111.101 (associated PTR record is optional)
4. Add the Active Directory Certificate Services role with the following configuration:
o Certification Authority as an Enterprise CA, root CA named TreyRootCA. Accept all installation defaults except for the following:
a. Add the Certification Authority Web Enrollment role service. This provides a quick and convenient method to publish the certificate revocation list
(CRL) over HTTP so that it’s accessible to computers in the Contoso organization.
b. After the install, configure the CA properties, Extension tab: Make sure that CRL Distribution Point (CDP) is selected, select the http:// entry in the
list box, and then select both of the options Include in CRLs. Clients use this to find Delta CRL locations and Include in the CDP extension of issued certificates.
These two options are required so that computers in the Contoso organization can locate the CRL for this issuing CA in the Trey Research
organization.
Note
In a production environment, do not use this configuration, which increases the attack surface. Instead, install the CA on a separate server from the
domain controller, and publish the CRL on a separate web server. The configuration that we use here reduces the number of computers required and the
number of configuration steps required to support this test network. If you purchase PKI server certificates, you do not even need to install the
certification authority role.
5. For all clients, add the URL for the local federation server to the local intranet zone, by configuring the following Group Policy for all client computers (for example, in
our test environment, you can edit the Default Domain Policy, or create a new Group Policy object that’s linked to the domain):
o Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security
Page > Site to Zone Assignment List:
This setting enables Windows integrated authentication, so that users are not prompted for their credentials.
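The Site to Zone Assignment List setting, applied here for Trey Research and earlier in the same way for Contoso, decides which sites receive integrated Windows authentication without a prompt, so it is worth confirming on a client that exactly the intended URLs landed in the Local intranet zone and nothing broader. The following PowerShell is an added example, not part of the original guide, and serves both the Contoso and the Trey Research procedure. It reads the policy entries from the registry location that Group Policy uses for this setting, compares them with the URLs expected for the client's domain, and flags entries in a different zone or entries the lab does not need. The expected URL list is an assumption inferred from the host names the guide uses (ContosoADFS.contoso.com, RMSservice.contoso.com, TreyADFS.trey.net); adjust it if you used other names.

```powershell
# Added example (not from the original guide): verify the Site to Zone Assignment
# List on a domain-joined client after gpupdate /force.
# Assumptions: Group Policy writes the list to the ZoneMapKey policy key below;
# expected URLs are inferred from the host names used in this guide.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
$Intranet  = '1'   # zone values: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted

# Choose the entries this client must have, based on the domain it is joined to.
$domain = (Get-CimInstance Win32_ComputerSystem).Domain
$Expected = switch ($domain.ToLower()) {
    'contoso.com' { 'https://contosoadfs.contoso.com', 'https://rmsservice.contoso.com' }
    'trey.net'    { 'https://treyadfs.trey.net' }
    default       { throw "Unexpected domain '$domain'; edit the expected list for this lab" }
}

function Test-ZoneAssignment {
    param([string[]]$ExpectedUrls, [string]$Key = $PolicyKey)
    if (-not (Test-Path $Key)) {
        Write-Warning 'Policy key missing: run gpupdate /force and check that the GPO is linked'
        return $false
    }
    $ok = $true
    # Each policy entry is a value whose name is the URL and whose data is the zone number.
    $entries = (Get-ItemProperty -Path $Key).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }

    foreach ($url in $ExpectedUrls) {
        $match = $entries | Where-Object { $_.Name.ToLower() -eq $url }
        if (-not $match) {
            Write-Warning "Missing: $url"; $ok = $false
        } elseif ("$($match.Value)" -ne $Intranet) {
            Write-Warning "$url is in zone $($match.Value), expected $Intranet (Local intranet)"; $ok = $false
        } else {
            Write-Host "OK  $url -> Local intranet"
        }
    }

    # Extra entries (wildcards, other hosts) widen the set of sites that receive
    # integrated Windows authentication automatically, so report them for review.
    foreach ($e in $entries) {
        if ($e.Name.ToLower() -notin $ExpectedUrls) {
            Write-Warning "Unexpected entry: $($e.Name) (zone $($e.Value))"
        }
    }
    return $ok
}

if (Test-ZoneAssignment -ExpectedUrls $Expected) { 'Zone assignment verified' } else { 'Zone assignment needs attention' }
```

Run the check on ContosoClient and TreyClient after the gpupdate /force in the verification steps; a "Missing" warning there explains a credential prompt when Office contacts the AD FS or RMS service URL.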
Add the following user accounts to the trey.net domain, with the additional following configuration choices:
Clear the User must change password at next logon check box.
Account name User logon name Email address Make member of domain group
o IP address of 192.168.111.101, subnet mask of 255.255.255.0 and preferred DNS server of 192.168.111.100.
o IP address of 192.168.111.110, subnet mask of 255.255.255.0, and preferred DNS server of 192.168.111.100.
The server (or servers) running AD RMS with Identity Federation Support. In our deployment, this is the ContosoRMS.contoso.com server.
The server running AD FS in the resource organization. In our deployment, this is the ContosoADFS.contoso.com server.
The server running AD FS in an account organization. In our deployment, this is the TreyADFS.trey.net server.
If you purchase the certificates and specify these requirements, follow the instructions from the certification authority provider to install the certificates on the servers. This is
the most likely scenario for a production environment. To use purchased certificates in our testing environment, the computers must have access to the Internet so that they
can access the certificate revocation list (CRL) for the issuing CA. If these conditions are met, go to the next step, Step 4: Installing and configuring AD RMS in the resource
partner organization (Contoso).
However, you can also deploy these certificates yourself by using Active Directory Certificate Services, which is why this step-by-step deployment includes installing this
server role in each organization. If you want to test AD RMS with AD FS and do not want to purchase the PKI certificates, use the following procedures in this step.
The first procedure is to republish the certificate revocation list (CRL) for the issuing CAs to make sure that computers in the other organization can access it by using HTTP.
The next procedure is to copy and modify the Web Server certificate template on the CA for Contoso, and the CA for Trey Research. Then, the certificate template for
Contoso is used to request a certificate for ContosoRMS and a certificate for ContosoFS. You must request these certificates separately because they need a specific value in
the certificate subject that you supply when you request the certificate. Finally, the certificate template for Trey Research is used to request a certificate for TreyFS, also with a
specific value in the certificate subject.
c. Click Add.
b. Locate and export the CA root certificate to a .cer file format that you save to a USB thumb drive. Do not select the option to export the private key.
Tip
You can identify the correct certificate by checking the certificate properties: On the General tab, it lists All issuance policies and All application
policies.
Import the exported root CA certificate for the Trey Research forest.
In the Trey.net domain, sign in on the domain controller (TreyDC) as TREY\Administrator and configure the following Group Policy for the domain (for example, edit
the Default Domain Policy):
o Computer Configuration > Policies> Windows Settings > Security Settings > Public Key Policies: Trusted Root Certification Authorities
3. In the results pane, confirm that there is a location that starts with http:// and that its status is OK.
This is the CRL that computers in the other organization will use for certificates that this CA issues, because they cannot use the default CRL that uses an
LDAP location.
To extend the CRL verification to make sure that the CRL is accessible from the other organization:
5. Copy the HTTP URL from PKIView and paste it into a browser on a computer in the other organization. You should see a file download dialog box, asking
you whether you want to open or save the file.
6. Click Open, to see the Certificate Revocation List with a General tab and Revocation List tab. On the General tab, the value for Issuer should be the CA
server from the other organization.
To extend the CRL verification to confirm the certificate chain and certificate revocation status from the CRL, run the certutil -v -urlfetch -verify
[certificate_file] command from the TreyClient computer:
o Example: certutil -v -urlfetch -verify E:\ContosoRMS.cer
o The [certificate_file] is the server certificate that you deployed on the AD RMS server (ContosoRMS), exported to a .cer file and saved to a USB thumb drive
that you then copy to TreyClient.
o Examine the output. Expect errors for the LDAP URL, because TreyClient cannot use LDAP to communicate with the CA in Contoso. But you
should see verification for the HTTP URL. The end of the command output should display Leaf certificate revocation check passed.
Repeat this test by exporting the certificate from TreyFS and running the same command on the ContosoClient computer.
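The CRL reachability and chain checks above (downloading the HTTP CRL from the other organization, then certutil -v -urlfetch -verify) can be run as one script so the test is repeatable for each exported certificate. The following PowerShell is an added example, not part of the original guide. It reads the CRL Distribution Points extension from the exported .cer file, downloads every http:// CRL it lists from the computer you run it on, and then runs certutil and looks for the "Leaf certificate revocation check passed" line. It assumes certutil.exe is present (it ships with Windows) and that the issuing CA was configured with an http:// CDP as described in Step 1 and Step 2; the .cer path is a script parameter.

```powershell
# Added example (not from the original guide): automate the cross-organization
# CRL and chain verification for an exported server certificate (.cer).
# Assumptions: certutil.exe is available, and the certificate's CDP extension
# carries an http:// URL as configured on the lab CAs.

param([Parameter(Mandatory)][string]$CertificateFile)   # e.g. E:\ContosoRMS.cer

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertificateFile
Write-Host "Subject : $($cert.Subject)"
Write-Host "Issuer  : $($cert.Issuer)"
Write-Host "Expires : $($cert.NotAfter)"

# 1. Extract the http:// CDP URL(s) from the CRL Distribution Points extension (OID 2.5.29.31).
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' } | Select-Object -First 1
if (-not $cdpExt) { throw 'Certificate has no CRL Distribution Points extension' }
$httpCdps = [regex]::Matches($cdpExt.Format($true), 'http://[^\s\)]+') | ForEach-Object { $_.Value }
if (-not $httpCdps) { throw 'No http:// CDP found; check the CA Extensions tab settings (Include in the CDP extension)' }

# 2. Download each HTTP CRL from this computer, i.e. from the other organization's network.
$fetched = 0
foreach ($url in $httpCdps) {
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop
        Write-Host "Fetched CRL from $url ($($resp.Content.Length) bytes)"
        $fetched++
    } catch {
        Write-Warning "Cannot fetch CRL from $url : $($_.Exception.Message)"
    }
}
if ($fetched -eq 0) { Write-Warning 'No HTTP CRL could be downloaded; chain verification will fail for this certificate' }

# 3. Full chain and revocation check with certutil. LDAP URLs are expected to fail
#    across forests; the HTTP URL and the final leaf check are what matter here.
$output = & certutil.exe -v -urlfetch -verify $CertificateFile 2>&1 | Out-String
if ($output -match 'Leaf certificate revocation check passed') {
    Write-Host 'Leaf certificate revocation check passed'
} else {
    Write-Warning 'Revocation check did not pass; review the certutil output below'
    $output
}
```

Run it once on TreyClient against the ContosoRMS certificate and once on ContosoClient against the TreyFS certificate, which mirrors the two manual tests the guide describes.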
Now that the certificates are installed, you’re ready to install and configure AD RMS.
Step 4: Installing and configuring AD RMS in the resource partner organization (Contoso)
Summary of computer configuration:
Note
In this section, we install SQL Server on the same server that runs AD RMS. You wouldn’t usually do this on a production network, but this configuration reduces
the number of configuration steps (and computers needed) for a testing environment.
During the SQL Server installation process, Setup downloads and installs the .NET Framework 3.5 SP1. If you do not have Internet access from this computer, you
can install it as a feature before you install SQL Server. To do this, follow the instructions from Enable .NET Framework 3.5 by using the Add Roles and Features
Wizard (Windows Server 2012 only).
Use the following procedures to first install SQL Server, then install and configure AD RMS, and then prepare for AD FS.
o On the Setup Role page, select SQL Server Feature Installation, and then select the following features on the Feature Selection page:
o On the Instance Configuration page, keep all default settings (installs a default instance).
a. Server Configuration tab: For the Authentication Mode, keep the default of Windows authentication mode and for Specify SQL Server
administrators, click Add Current User.
o On the Reporting Services Configuration page, for Reporting Services Native Mode, keep the default of Install and configure.
o On the Error Reporting page, do not select the checkbox to send error reports.
o On the Configuration Database page: Select Specify a database server and a database instance and then select ContosoRMS for the server,
and DefaultInstance for the Database Instance.
o On the Cluster Key Storage page: Select Use AD RMS centrally managed key storage.
o On the Cluster Address page: Select Use an SSL-encrypted connection and type RMSService.contoso.com.
o On the Server Certificate page: Select Choose an existing certificate for SSL encryption, and browse to select the PKI certificate that you installed
previously.
o On the SCP Registration page: Accept the default of Register the SCP now.
Important
For this value, we recommend that you keep the casing exactly as it appears in the AD FS server certificate. For example, in our guide, this
is ContosoADFS.contoso.com and not contosoadfs.contoso.com.
o Sign off and then sign in again, which updates the security token of the signed-in user account. This is required because the user account that is signed in is
automatically made a member of the AD RMS Enterprise Administrators local group. Membership in this group grants permissions to administer AD RMS.
o Remove CONTOSO\AdrmsAdmin from the Enterprise Admins global group for the forest.
3. Optional verification (repeated later): To confirm that the URLs belonging to the RMS service are reachable inside Contoso:
a. Sign in on ContosoClient as CONTOSO\nhollida.
b. Run gpupdate /force to ensure that all Group Policy settings have been applied.
https://RMSservice.contoso.com/_wmcs/licensing/license.asmx
This displays a web page that has the title License and introduction text of The following operations are supported.
4. A successful connection verifies that ContosoClient can communicate with the RMS service.
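Opening the licensing URL in a browser confirms reachability, but a scripted check from ContosoClient can also confirm the two things that later break federation silently: that the server certificate chains to a trusted root on the client, and that its name matches the cluster address typed on the Cluster Address page. The following PowerShell is an added example, not part of the original guide. It performs a TLS handshake to read the certificate the RMS server presents, checks the DNS name against the cluster host, and then requests license.asmx with the signed-in user's credentials and looks for the "The following operations are supported" text. It assumes it runs as a domain user on ContosoClient and that the cluster address is RMSservice.contoso.com as in the guide.

```powershell
# Added example (not from the original guide): verify the RMS licensing pipeline
# from ContosoClient: TLS chain trust, certificate name, and an authenticated request.
# Assumptions: run as a domain user; cluster address is RMSservice.contoso.com.

$ClusterHost = 'RMSservice.contoso.com'
$Url = "https://$ClusterHost/_wmcs/licensing/license.asmx"

function Get-ServerCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Default validation: any chain or name error throws, which is exactly what we want to see.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

$result = [ordered]@{ ChainTrusted = $false; NameMatches = $false; PipelineOk = $false }

try {
    $cert = Get-ServerCertificate -HostName $ClusterHost
    $result.ChainTrusted = $true     # handshake succeeded, so the client trusts the issuing chain
    # Name check: the DNS name from the SAN (or CN) must equal the cluster host, case-insensitive.
    $dnsName = $cert.GetNameInfo('DnsName', $false)
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
    $result.NameMatches = ($dnsName -ieq $ClusterHost) -or
                          ($sanText -imatch ('DNS Name=' + [regex]::Escape($ClusterHost)))
    Write-Host "Certificate subject: $($cert.Subject)  (DNS name: $dnsName)"
} catch {
    Write-Warning "TLS handshake to $ClusterHost failed: $($_.Exception.Message)"
}

try {
    # -UseDefaultCredentials sends the signed-in user's Windows credentials (integrated auth).
    $resp = Invoke-WebRequest -Uri $Url -UseDefaultCredentials -UseBasicParsing -ErrorAction Stop
    $result.PipelineOk = ($resp.StatusCode -eq 200) -and ($resp.Content -match 'The following operations are supported')
} catch {
    Write-Warning "Request to $Url failed: $($_.Exception.Message)"
}

[pscustomobject]$result    # all three properties should be True
```

If ChainTrusted is False, the CA root was not published to the client (Step 3); if NameMatches is False, the certificate subject and the Cluster Address page disagree, including in casing, which the Important note in the AD FS configuration step warns about.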
AD RMS is now installed and configured as an AD RMS root cluster. You must now configure the local security policy so that the AD RMS service account can generate
security audit events for AD FS.
Note
For servers that are not connected to the Internet or are behind a proxy server: If the AD FS service fails to start with Application log errors 352, 102,
or 220 after the computer is restarted, check that the following registry value exists and if not, manually add it:
Type: REG_DWORD
o On the Specify Service Account page: Select Use an existing domain user account or group Managed Service Account and
specify CONTOSO\AdfsAdmin.
For our testing environment, we’re using a domain user account for a simplified deployment. In a production environment, it’s recommended to use a group
Managed Service Account so that you can benefit from capabilities such as automatic password management and a single identity if you have more than
one AD FS server. For more information about group Managed Service Accounts, see Group Managed Service Accounts Overview.
o On the Specify Database page: You can either create a database on this computer by using Windows Internal Database (WID), or you can specify the
location and the instance name of Microsoft SQL Server. For this testing scenario, you can select Create a database on this server using Windows Internal
Database.
Note
If you want to create an AD FS farm and use SQL Server to store your configuration data, you can use SQL Server 2008 and later versions, including
SQL Server 2012.
For more information about whether to use Windows Internal Database or SQL Server, see the “Determining which type of AD FS configuration
database to use” section in the Plan Your AD FS Deployment Topology topic from the AD FS Design Guide in Windows Server 2012 R2.
There should be no certificate warnings, and the federation metadata (a long block of XML) should be displayed in the browser window.
Note
For servers that are not connected to the Internet or are behind a proxy server: If the AD FS service fails to start with Application log errors 352, 102,
or 220 after the computer is restarted, check that the following registry value exists and if not, manually add it:
Type: REG_DWORD
On the Specify Service Account page: Select Use an existing domain user account or group Managed Service Account and
specify TREY\AdfsAdmin.
On the Specify Database page: You can either create a database on this computer by using Windows Internal Database (WID), or you can specify
the location and the instance name of Microsoft SQL Server. For this testing scenario, you can select Create a database on this server using
Windows Internal Database.
Note
If you want to create an AD FS farm and use SQL Server to store your configuration data, you can use SQL Server 2008 and later versions,
including SQL Server 2012.
For more information about whether to use Windows Internal Database or SQL Server, see the “Determining which type of AD FS
configuration database to use” section in the Plan Your AD FS Deployment Topology topic from the AD FS Design Guide in Windows Server
2012 R2.
That completes the AD FS installation for Trey Research. The two organizations are now ready to exchange certificates for signing and encryption. The procedures in the next
section are necessary when you use self-signed certificates for token signing, instead of using PKI certificates from a well-known external certification authority.
Optional verification (repeated later):
There should be no certificate warnings, and the federation metadata (a long block of XML) should be displayed in the browser window.
Export and import the token signing certificates from each federation server
1. Still signed in on TreyFS as TREY\Administrator, open the Active Directory Federation Services console.
2. Navigate to AD FS > Service > Certificates.
3. In the results pane, double-click the Token Signing certificate.
4. On the Details tab, click Copy to File and use the wizard to copy the certificate without exporting the private key, to a DER encoded binary X.509 (.CER) file.
5. Save or move the file to a thumb drive. Make sure you choose a file name to help identify which organization the token signing certificate is from.
6. Sign in on ContosoFS as CONTOSO\Administrator and open the Active Directory Federation Services console. Then, repeat steps 2 through 5, so that you have a
second file on the thumb drive.
7. Still signed in on ContosoFS as CONTOSO\Administrator, load the Certificates MMC snap-in for the Computer account.
8. Navigate to Trusted Root Certification Authorities > Certificates, and then right click to choose All Tasks > Import, and use the wizard to import the copied
token signing certificate file from TreyFS.
9. Sign in on TreyFS as TREY\Administrator, load the Certificates MMC snap-in for the Computer account.
10. Navigate to Trusted Root Certification Authorities > Certificates, and then right click to choose All Tasks > Import, and use the wizard to import the copied
token signing certificate file from ContosoFS.
11. Finally, sign in on ContosoRMS as CONTOSO\Administrator, load the Certificates MMC snap-in for the Computer account.
12. Navigate to Trusted Root Certification Authorities > Certificates, and then right click to choose All Tasks > Import, and use the wizard to import the copied
token signing certificate file from ContosoFS.
Important
Make sure that you include the trailing “/”. The configuration will not work without this and the symptoms are that the verification tests pass but the
Word document will prompt for authentication, and then fail to open.
9. On the Configure Identifiers page, you should see the following identifier: https://RMSService.contoso.com/_wmcs/certificationexternal/
10. On the Configure Multi-factor Authentication Now page, select I do not want to specify multi-factor authentication setting for this relying party trust at
this time.
11. On the Choose Issuance Authorization Rules page, select Permit all users to access this relying party.
12. On the Ready to Add Trust page, click Next.
13. On the Finish page, select the option to open the Edit Claims dialog box, and click Close.
14. In the Edit Claims Rules dialog box, add two claim rules:
a. Claim rule 1—LDAP attributes:
On the Select Rule Template page, select Send LDAP attributes as Claims.
On the Configure Rule page, specify the name as LDAP claims for AD RMS. For the Attribute store, select Active Directory.
For the Mapping of LDAP attributes to outgoing claim types section, specify the following, then click Finish:
b. Claim rule 2 (e-mail suffix filter):
On the Select Rule Template page, select Pass Through or Filter an Incoming Claim.
On the Configure Rule page, specify the name as Email claims for AD RMS.
For the Incoming claim type field, specify E-Mail Address, select Pass through only claim values that match a specific email suffix, and then,
for the Email suffix value, specify trey.net.
Note
This filter helps to prevent somebody from the account organization (Trey.net in our example) from issuing forged claims
(impersonation) to access resources in the resource organization (Contoso.com in our example). If the account organization uses more than
one email suffix (for example, as a result of a merger), you can create additional email rules, each one specifying the email suffix that you
want to allow. For example, you create a new email claim rule that has the same configuration as this one, except that you
specify treyresearch.net or fabrikam.com for the Email suffix value. Alternatively, use the instructions from this TechNet wiki article to use
RegEx for the condition statement in the claims rule language: AD FS 2.0: Using RegEx in the Claims Rule Language
When a user from the partner organization tries to authenticate by using an email suffix that isn’t specified in these email claim rules, the
user sees the following error message: An error occurred while trying to contact the Active Directory Rights Management Services server.
Try again later or contact your administrator.
Click Finish.
On the Configure URL page, select Enable support for the WS-Federation Passive protocol, and type the following for the
URL: https://RMSService.contoso.com/_wmcs/licensingexternal/
On the Configure Identifiers page, you should see the following identifier: https://RMSService.contoso.com/_wmcs/licensingexternal/
On the Select Rule Template page, select Pass Through or Filter an Incoming Claim.
On the Configure Rule page, specify the name as Pass through email.
For the Incoming claim type field, specify E-Mail Address, select Pass through only claim values that match a specific email suffix, and then,
for the Email suffix value, specify trey.net.
Note
This filter helps to prevent somebody from the account organization (Trey.net in our example) from issuing forged claims
(impersonation) to access resources in the resource organization (Contoso.com in our example). If the account organization uses more than
one email suffix (for example, as a result of a merger), you can create additional email rules, each one specifying the email suffix that you
want to allow. For example, you create a new email claim rule that has the same configuration as this one, except that you
specify treyresearch.net or fabrikam.com for the Email suffix value. Alternatively, use the instructions from this TechNet wiki article to use
RegEx for the condition statement in the claims rule language: AD FS 2.0: Using RegEx in the Claims Rule Language
When a user from the partner organization tries to authenticate by using an email suffix that isn’t specified in these email claim rules, the
user sees the following error message: An error occurred while trying to contact the Active Directory Rights Management Services server.
Try again later or contact your administrator.
Click Finish.
o On the Select Rule Template page, select Send LDAP attributes as Claims.
o On the Configure Rule page, specify the name as Claims for AD FS. For the Attribute store, select Active Directory.
o For the Mapping of LDAP attributes to outgoing claim types section, specify the following, then click Finish, and then click OK to close the Edit Claim
Rules dialog box:
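The relying party trusts and claim rules configured through the console above, as an added PowerShell example that is not part of the guide. It writes the same rules in AD FS claim rule language and creates the trusts with the ADFS module on ContosoADFS, then sets the LDAP rule on TreyADFS. The URLs, rule names and the trey.net suffix are the guide's; the attribute mapping (mail to E-Mail Address) is an assumption, because the page does not reproduce the mapping table, and the multi-suffix rule is this example's generalization of the note's advice to use a regular expression. For simplicity both RMS trusts get the same suffix-filter rule.

```powershell
# Added example (not from the guide). Part 1 runs in an elevated PowerShell on ContosoADFS
# (resource partner) as an AD FS administrator.
Import-Module ADFS

# Pass-through rule that forwards only e-mail claims carrying the account partner's suffix. The
# regex is what the console template "Pass through only claim values that match a specific email
# suffix" generates; any other e-mail claim from Trey Research is dropped here, which is what
# stops a forged claim (alice@contoso.com issued by TreyADFS) from reaching AD RMS.
$emailRule = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Email claims for AD RMS"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", Value =~ "^.+@trey\.net$"]
 => issue(claim = c);
'@

# Variant for a partner with several suffixes (assumed extra suffixes from the note). Use this in
# place of $emailRule below when one rule per suffix becomes unwieldy.
$multiSuffixRule = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Email claims for AD RMS (multiple suffixes)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", Value =~ "^.+@(trey\.net|treyresearch\.net|fabrikam\.com)$"]
 => issue(claim = c);
'@

# "Permit all users to access this relying party" as an issuance authorization rule.
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# One trust per AD RMS external pipeline. The trailing "/" on identifier and endpoint is required;
# without it the verification tests still pass but Office prompts for credentials and fails to open.
foreach ($pipeline in 'certificationexternal', 'licensingexternal') {
    $url = "https://RMSService.contoso.com/_wmcs/$pipeline/"
    Add-AdfsRelyingPartyTrust -Name "AD RMS $pipeline" -Identifier $url -WSFedEndpoint $url `
        -IssuanceAuthorizationRules $permitAll -IssuanceTransformRules $emailRule
}

# Read back and confirm the trailing slash and the suffix filter are in place.
Get-AdfsRelyingPartyTrust -Name 'AD RMS licensingexternal' |
    Select-Object Name, Identifier, WSFedEndpoint, IssuanceTransformRules

# Part 2 runs on TreyADFS (account partner): the "Send LDAP attributes as Claims" rule on the relying
# party trust that represents ContosoADFS. The trust name and the mail attribute are assumptions.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Claims for AD FS"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
'@
Set-AdfsRelyingPartyTrust -TargetName 'ContosoADFS' -IssuanceTransformRules $ldapRule
```

The single-quoted here-strings matter: the claim rule language uses `{0}` and backslashes, which a double-quoted PowerShell string would try to interpret.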
Checkpoint verifications
1. Sign in on ContosoDC as CONTOSO\Administrator and confirm the status of the certificate revocation list (CRL) by using Enterprise PKI (PKIView):
a. From search or Run, type Pkiview.msc.
c. In the results pane, confirm that there is a location that starts with http:// and that its status is OK.
This is the CRL that computers in the other organization will use for certificates that this CA issues, because they cannot use the default CRL that uses an
LDAP location.
To extend the CRL verification to make sure that the CRL is accessible from the other organization:
e. Copy the HTTP URL from PKIView and paste it into a browser on a computer in the other organization. You should see a file download dialog box, asking
you whether you want to open or save the file.
f. Click Open, to see the Certificate Revocation List with a General tab and Revocation List tab. On the General tab, the value for Issuer should be the CA
server from the other organization.
To extend the CRL verification to confirm the certificate chain and certificate revocation status from the CRL, run the certutil -v -urlfetch -verify
[certificate_file] command from TreyClient:
o The [certificate_file] is the server certificate that you deployed on the AD RMS server (ContosoRMS), exported to a .cer file and saved to a USB thumb drive
that you then attach to the TreyClient computer.
o Examine the output. It’s expected to see errors for the LDAP URL, because the TreyClient cannot use LDAP to communicate with the CA in Contoso. But you
should see verification for the HTTP URL. The end of the command output should display Leaf certificate revocation check passed.
Repeat this test by exporting the certificate from TreyFS and running the same command on the ContosoClient computer.
Using the client computer, ContosoClient, use Internet Explorer to test a connection to the Contoso federation server, ContosoADFS, by using these URLs:
o https://ContosoADFS.contoso.com/federationmetadata/2007-06/federationmetadata.xml
o https://ContosoADFS.contoso.com/adfs/ls/idpinitiatedsignon.htm
The first URL should display the federation server metadata in the browser, and the second displays an AD FS sign-in page where you can sign in with domain
credentials. A successful connection results in neither certificate errors nor prompts for authentication. If you see none, this confirms that AD FS is working
within the resource organization, Contoso.
Similarly, using the client computer, TreyClient, use Internet Explorer to test a connection to the Trey Research federation server, TreyADFS, by using these URLs:
o https://TreyADFS.trey.net/federationmetadata/2007-06/federationmetadata.xml
o https://TreyADFS.trey.net/adfs/ls/idpinitiatedsignon.htm
As before, the first URL should display the federation server metadata in the browser, and the second displays an AD FS sign-in page where you can sign in with
domain credentials. A successful connection results in neither certificate errors nor prompts for authentication. If you see none, this confirms that AD FS is
working within the account organization, Trey Research.
Using the client computer, TreyClient, use Internet Explorer to test a connection to the Contoso federation server, ContosoADFS, by using this URL:
o https://ContosoADFS.contoso.com/federationmetadata/2007-06/federationmetadata.xml
A successful connection results in neither certificate errors nor prompts for authentication. If you see none, this confirms that AD FS is working across the two
forests, from the account organization (Trey Research) to the resource organization, Contoso.
Using the client computers, ContosoClient and TreyClient, use Internet Explorer to test a connection to the RMS service, by using this URL:
o https://RMSService.contoso.com/_wmcs/licensingexternal/license.asmx
This displays a web page in the browser that has the title License and introduction text of The following operations are supported. A successful connection verifies
that both clients can communicate with the RMS service.
If you are prompted for credentials, it could indicate a problem with the Group Policy configuration to add the local federation server or the RMS service URL (for the
Contoso domain only) to the local intranet zone. Make sure that this setting is configured and that the client has downloaded the latest Group Policy settings.
If the connection is successful for ContosoClient but not for TreyClient, it could indicate a problem with the AD FS claims configuration.
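The checkpoint verifications above, as an added PowerShell script that is not part of the guide. Run it on ContosoClient and again on TreyClient as the signed-in domain user. The URLs, the expected License page text and the certutil success string are the guide's; the EntityDescriptor check on the metadata, the empty check for the sign-in page and the D: path of the exported server certificate are this example's assumptions.

```powershell
# Added example (not from the guide): scripted form of the browser and certutil checks.
function Test-FederationEndpoint {
    param([string]$Url, [string]$ExpectedText = '')
    try {
        # -UseDefaultCredentials sends the signed-in user's Windows credentials silently, as Internet
        # Explorer does for the local intranet zone. TLS validation stays on, so an untrusted chain or a
        # name mismatch throws here: that is the certificate error the guide says must not appear.
        $r = Invoke-WebRequest -Uri $Url -UseDefaultCredentials -UseBasicParsing
        # An empty ExpectedText only checks that the page loads; "**" matches any content.
        if ($r.Content -like "*$ExpectedText*") { return "PASS  $Url" }
        return "FAIL  $Url : HTTP $($r.StatusCode) but expected text '$ExpectedText' not found"
    } catch {
        $msg = $_.Exception.Message
        # HTTP 401 is the scripted equivalent of a credential prompt: the local intranet zone Group
        # Policy setting is missing or not yet applied (run gpupdate /force), or the claims are wrong.
        if ($msg -match '401') { $msg += ' (credential prompt: check local intranet zone policy / claims)' }
        return "FAIL  $Url : $msg"
    }
}

function Test-ServerCertChain {
    param([string]$CerFile)
    # Chain build plus CRL fetch. From the other forest the LDAP CDP entries fail by design; only the
    # HTTP CDP must succeed, and certutil ends with the leaf revocation result.
    $out = (certutil -v -urlfetch -verify $CerFile 2>&1) | Out-String
    if ($out -match 'Leaf certificate revocation check passed') { return "PASS  $CerFile revocation check" }
    $errs = ($out -split "`r?`n") | Where-Object { $_ -match 'ERROR' -and $_ -notmatch 'ldap:' }
    return "FAIL  $CerFile revocation check`n" + ($errs -join "`n")
}

# The guide's checks in order: home AD FS, cross-forest AD FS metadata, then the RMS pipeline.
$metadata = '/federationmetadata/2007-06/federationmetadata.xml'
Test-FederationEndpoint "https://ContosoADFS.contoso.com$metadata" 'EntityDescriptor'
Test-FederationEndpoint 'https://ContosoADFS.contoso.com/adfs/ls/idpinitiatedsignon.htm'
Test-FederationEndpoint "https://TreyADFS.trey.net$metadata" 'EntityDescriptor'
Test-FederationEndpoint 'https://TreyADFS.trey.net/adfs/ls/idpinitiatedsignon.htm'
Test-FederationEndpoint 'https://RMSService.contoso.com/_wmcs/licensingexternal/license.asmx' 'The following operations are supported'
# Server certificate of ContosoRMS exported to a .cer file and copied to the thumb drive (assumed path).
Test-ServerCertChain 'D:\ContosoRMS.cer'
```

Read the results the way the guide does: a failure on ContosoClient points at Group Policy or PKI, a failure that appears only on TreyClient points at the AD FS claims configuration.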
Step 6: Preparing the Trey Research client for AD RMS: Configuring the Federation Home Realm
You must edit the registry on the client in the Trey Research domain so that the client can find its local federation server.
In a production environment, you would do this by using Group Policy or a script. However, for our single testing client, we will edit the registry directly.
Although specifying HTTP rather than HTTPS for the federation home realm URL might look odd, it is correct: the value is the federation service identifier
(which AD FS defaults to the http:// form), not an address that the client connects to. If you specify HTTPS instead, it does not work.
For the URL, we recommend that you keep the casing exactly as it appears in the AD FS server certificate (in our guide, TreyADFS.trey.net and
not treyadfs.trey.net). Some versions of Office might fail to connect if the casing does not match.
This concludes the configuration steps and you’re ready to test the AD RMS with AD FS deployment.
The user account that you use to install AD RMS must not be the same account as the AD RMS service account.
If you are registering the AD RMS service connection point (SCP) during installation, the user account that you use to install AD RMS must be a member of the Active
Directory Domain Services (AD DS) Enterprise Admins group, or equivalent.
If you are using an external database server for the AD RMS databases, the user account that you use to install AD RMS must have the right to create new databases.
If Microsoft SQL Server 2005 or Microsoft SQL Server 2008 is used, the user account must be a member of the System Administrators database role, or equivalent.
The user account that you use to install AD RMS must have access to query the AD DS domain, such as a domain user account.
The user account that you use to install AD RMS must be a member of the Administrators group, or equivalent, on the server.
Important
You cannot use Windows PowerShell to install AD RMS with a Web site other than the default Web site. If you need to use a different Web site to host AD RMS, you
must use Server Manager to install and configure AD RMS.
Installing and provisioning the first server in an AD RMS cluster consists of the following steps:
1. Create the Windows PowerShell drive to represent the server you are provisioning. For more information, see Creating an AD RMS Cluster Windows PowerShell
Drive.
2. Set properties on objects in the drive namespace that represent required configuration settings. For more information, see Setting Properties on Objects in the AD
RMS Drive Namespace.
3. Run the Install-ADRMS cmdlet. In addition to installing the AD RMS server role and provisioning the server, this cmdlet also installs other features required by
AD RMS, such as Message Queuing, if necessary. For more information, see Running the Install-ADRMS Cmdlet.
See Also
Concepts
Using Windows PowerShell to Deploy AD RMS
Understanding the AD RMS Deployment Provider Namespace
Using Windows PowerShell to Administer AD RMS
Other Resources
Pre-installation Information for Active Directory Rights Management Services
Removing one server from a cluster. If the AD RMS server that you want to retire is in a cluster in which other servers in that AD RMS cluster are still active and
required, removing an individual AD RMS server from the cluster requires that you unprovision and uninstall AD RMS on the server that you want to retire, and
remove the server from the load-balancing rotation. Consult the documentation of the load balancer for instructions about removing a server.
Note
Only servers in the root cluster must be unprovisioned before you uninstall AD RMS. This process is not required for servers that are in licensing-
only clusters.
Retiring a stand-alone server. If the AD RMS server to be retired is the only server in that cluster, take the following steps: decommission, unprovision, and
uninstall the existing AD RMS server, remove it from the network, and then immediately install and provision AD RMS on the replacement server. Configure the new
AD RMS server (this will create a new single-server cluster) and use the same URL and configuration database as the retired AD RMS server. Keep in mind that, until
the replacement server is installed and provisioned, users cannot consume rights-protected content that was published by the single-server cluster.
Important
If the AD RMS server that you are replacing uses a hardware or software-based cryptographic service provider (CSP), you must move the key
container to the new server before you install and provision AD RMS on it. For information about moving the key container, see the documentation
that came with your CSP.
Replacing an AD RMS installation with another, existing AD RMS installation. In some circumstances, you might need to retire an AD RMS installation and
replace it with another, existing AD RMS installation, for example, in the case of a company merger where both companies are running AD RMS. In this case, you
should export the trusted user domain (TUD) and trusted publishing domain (TPD) from the AD RMS cluster being retired. Import the TUD and TPD into the AD RMS
cluster that is still active. Importing the TUD and TPD will ensure that the rights-protected content that was previously protected from the retired AD RMS installation
can be consumed in the active cluster.
When you decommission, unprovision, and uninstall an AD RMS server, the server is removed from the ClusterServer table of the configuration database, and the directory
services database is deleted from the database server.
This section contains the following procedures:
Decommission AD RMS
Decommission AD RMS
Applies To: Windows Server 2008 R2, Windows Server 2012
Before you remove the Active Directory Rights Management Services (AD RMS) role from a server, you should first decommission AD RMS. When you decommission
AD RMS, the behavior of the AD RMS cluster is changed so that it now provides a key that decrypts the rights-protected content it had previously published. This
key allows the content to be saved without AD RMS protection, which is useful if you have decided to stop using AD RMS protection in your organization but still
need access to the information.
You should enable decommissioning on each server in the cluster long enough for users to have the opportunity to save their content without AD RMS protection and for
your network and system administrators to disable any AD RMS-enabled clients from using the service.
After you enable decommissioning, the Active Directory Rights Management console will only show the Decommissioning server information page in the results pane; no
further administration is supported.
Caution
When you decommission a server, it cannot be restored to its previous AD RMS configuration. This process cannot be reversed. Once you have decommissioned
AD RMS, you must completely remove AD RMS by using Server Manager before you attempt to install another instance of AD RMS.
Membership in the local AD RMS Enterprise Administrators group, or equivalent, is the minimum required to complete this procedure.
To decommission AD RMS
1. Log on to the server on which you want to decommission AD RMS.
2. Modify the access control list (ACL) on the decommissioning.asmx file by granting the Everyone group Read & Execute permissions. The default location for this file
is %systemdrive%\inetpub\wwwroot\_wmcs\decommission.
3. Open the Active Directory Rights Management Services console and add the AD RMS cluster.
4. Expand the AD RMS cluster, expand Security Policies, and then select Decommissioning.
5. Select the Enable Decommissioning option in the Actions pane.
6. Click Decommission.
7. When prompted, click Yes to confirm that you want to permanently decommission the AD RMS installation.
8. Repeat steps 1–7 for all AD RMS servers in the cluster.
9. Inform your users that you are decommissioning the AD RMS installation and advise them to connect to the cluster to save their content without AD RMS protection.
Alternatively, you could delegate a trusted person to decrypt all rights-protected content by temporarily adding that person to the AD RMS super users group.
10. After you believe that all of the content is unprotected and saved, you should export the server licensor certificate, and then uninstall AD RMS from the server.
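The decommissioning procedure above, as an added PowerShell example that is not part of the guide, using the AdRmsAdmin module that the Additional considerations link refers to. The file location and the cluster URL are the guide's; the drive name, the backup folder and the password handling are this example's assumptions, and the Export-RmsTPD call and the IsDecommissioned property are written as this example understands the module's documentation (confirm with Get-Help before running). The only deliberate departure from the console order is that the server licensor certificate (inside the trusted publishing domain) is exported before the irreversible step rather than after it.

```powershell
# Added example (not from the guide). Run elevated on each server in the cluster, as a member of the
# local AD RMS Enterprise Administrators group (sign out and in again after being added, so the
# group is in your token).
Import-Module AdRmsAdmin

# Step 2: let every client reach the decommissioning web service (Read & Execute for Everyone).
$asmx = Join-Path $env:SystemDrive 'inetpub\wwwroot\_wmcs\decommission\decommissioning.asmx'
if (-not (Test-Path $asmx)) { throw "decommissioning.asmx not found at $asmx (non-default web site?)" }
icacls $asmx /grant 'Everyone:(RX)' | Out-Null
icacls $asmx | Select-String 'Everyone'          # show the resulting ACE

# Steps 3-4: connect to this server's cluster through the provider.
New-PSDrive -Name Rms -PSProvider AdRmsAdmin -Root 'https://RMSService.contoso.com' | Out-Null

# Step 10, brought forward: export each trusted publishing domain (it carries the server licensor
# certificate and the cluster key) while the console still allows administration.
New-Item -ItemType Directory -Path 'C:\RmsBackup' -Force | Out-Null
$pw = Read-Host -AsSecureString 'Password to protect the exported TPD files'
Get-ChildItem Rms:\TrustPolicy\TrustedPublishingDomain | ForEach-Object {
    Export-RmsTPD -Path $_.PSPath -SavedFile "C:\RmsBackup\$($_.Name).xml" -Password $pw
}

# Steps 5-7: enable decommissioning. This cannot be undone; afterwards the console shows only the
# Decommissioning server information page.
Set-ItemProperty -Path Rms:\SecurityPolicy\Decommissioning -Name IsDecommissioned -Value $true -Confirm:$false
Get-ItemProperty -Path Rms:\SecurityPolicy\Decommissioning | Select-Object IsDecommissioned

# The decommissioning endpoint that clients use to save content unprotected should now answer HTTP 200.
Invoke-WebRequest -Uri 'https://RMSService.contoso.com/_wmcs/decommission/decommissioning.asmx' `
    -UseDefaultCredentials -UseBasicParsing | Select-Object StatusCode
```

Repeat on every server in the cluster (step 8) before telling users to save their content, and keep the exported TPD files under the same protection as the cluster key: with them, anyone can decrypt everything the cluster ever published.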
Additional considerations
You can also perform the task described in this procedure by using Windows PowerShell. For more information about Windows PowerShell for AD RMS,
see http://go.microsoft.com/fwlink/?LinkId=136806.
Remove the AD RMS Server Role
Applies To: Windows Server 2008 R2, Windows Server 2012
The AD RMS server role is removed from an AD RMS cluster by using Server Manager.
Important
If you are removing every server in the AD RMS cluster, be sure to first decommission AD RMS and remove all protection from the content that is rights-protected by
this AD RMS cluster. If you are only removing one AD RMS server from the cluster, you do not need to decommission the AD RMS environment, because the other servers
continue to service certification and licensing requests from AD RMS users.
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.
To remove the AD RMS server role
1. Log on to the server on which you want to remove the AD RMS server role.
2. Open Server Manager. Click Start, point to Administrative Tools, and then click Server Manager.
3. In the tree, click Manage Roles.
4. Under Roles Summary, click Remove roles.
5. Read Before You Begin, and then click Next.
6. Clear the Active Directory Rights Management Services check box. If you no longer have a need for Internet Information Services (IIS) on this server, clear
the Web Server (IIS) box, and then click Next.
7. Click Remove . Removing the AD RMS server role can take several minutes.
8. When the server role is removed, click Finish .
Additional considerations
You can also perform the task described in this procedure by using Windows PowerShell. For more information about Windows PowerShell for AD RMS,
see http://go.microsoft.com/fwlink/?LinkId=136806.