Você está na página 1de 26

AD RMS Deployment with Microsoft Office SharePoint Server 2007 Step-by-Step Guide

Microsoft Corporation Published: March 2008 Author: Brian Lich Editor: Carolyn Eller

Abstract
This step-by-step guide provides instructions for deploying Microsoft Office SharePoint Server 2007 in an Active Directory Rights Management Services (AD RMS) environment. It includes the necessary information for installing and configuring Office SharePoint Server 2007 in the newly created AD RMS infrastructure, and verifying that Office SharePoint Server 2007 documents can be rights-protected and consumed. In the appendix of this guide, you can also configure Office SharePoint Server 2007 to work with Active Directory Federation Services (ADFS) and AD RMS.

Copyright Information
This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. 2008 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, MS-DOS, SharePoint, Vista, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

Contents
AD RMS Deployment with Microsoft Office SharePoint Server 2007 Step-by-Step Guide.............1 Abstract....................................................................................................................................1 Copyright Information......................................................................................................................2 Contents..........................................................................................................................................3 Deploying Active Directory Rights Management Services with Microsoft Office SharePoint Server 2007 Step-By-Step Guide............................................................................................................4 About this Guide..........................................................................................................................4 What This Guide Does Not Provide..........................................................................................5 Deploying AD RMS in a Test Environment...................................................................................5 Step 1: Installing and Configuring SPS-SRV...................................................................................6 Configure the Office SharePoint Server (SPS-SRV)................................................................7 Install Office SharePoint Server 2007......................................................................................9 Step 2: Configuring AD RMS to Work with SPS-SRV...................................................................10 Step 3: Verifying AD RMS Functionality using ADRMS-CLNT......................................................12 Appendix A: Configuring Active Directory Federation Services to work with Office SharePoint Server 2007...............................................................................................................................14 About this Appendix...................................................................................................................14 Configuring AD FS to work with Office SharePoint Server 2007 in a Test Environment............15 Step 1: Setting up the infrastructure..........................................................................................17 Step 2: Configuring Office SharePoint 2007 to work with AD FS...............................................19 Step 3: Verifying AD RMS functionality with Office SharePoint Server 2007 and AD FS...........24

Deploying Active Directory Rights Management Services with Microsoft Office SharePoint Server 2007 Step-ByStep Guide
About this Guide
This step-by-step guide walks you through the process of deploying Active Directory Rights Management Services (AD RMS) and Microsoft Office SharePoint Server 2007 together in a test environment. Specifically, this guide shows you how to add an Office SharePoint Server 2007 to an existing AD RMS environment. Important Windows SharePoint Services 3.0 does not have the Microsoft Office protector files that are required to automatically rights-protect a document when it is uploaded. You must use Office SharePoint Server 2007 to do this. This guide assumes that you previously completed the Active Directory Rights Management Services Step-by-Step Guide, and that you have already deployed the following components: One Active Directory domain controller An AD RMS server An AD RMS database server An AD RMS-enabled client

In this guide, you will create a test deployment that includes an Office SharePoint Server 2007 server. Office SharePoint Server 2007 provides an easy way to collaborate on documents by posting them to an Office SharePoint Server 2007 site so that they can be accessed over the corporate network. The goal of integrating an Office SharePoint Server 2007 deployment with an AD RMS infrastructure is to be able to protect documents that are downloaded from the Office SharePoint Server 2007 server by users of any given organization. Note Integrating Office SharePoint Server 2007 with AD RMS does not protect the documents while they are on the server. When a document is uploaded to an Office SharePoint Server 2007 site, the server removes all protection until a download request is received by the Office SharePoint Server 2007 server. At this time, the Office SharePoint Server 2007 server applies the appropriate restrictions to the document before it is downloaded to the client computer.

What This Guide Does Not Provide


This guide does not provide the following: An overview of AD RMS. For more information about the advantages that AD RMS can bring to your organization, see http://go.microsoft.com/fwlink/?LinkId=84726. Guidance for setting up and configuring AD RMS in a production environment. Guidance for integrating Office SharePoint Server 2007 with AD RMS in a production environment. Complete technical reference for AD RMS. Complete information about Office SharePoint Server 2007. For more information, see http://go.microsoft.com/fwlink/?LinkId=74460.

Deploying AD RMS in a Test Environment


We recommend that you use the steps provided in the "Windows Server Active Directory Rights Management Services Step-by-Step Guide" before completing the steps in this guide. Step-bystep guides are not necessarily meant to be used to deploy Microsoft products without additional documentation and should be used with discretion as a stand-alone document. Upon completion of this step-by-step guide, you will have a working AD RMS infrastructure integrated with Office SharePoint Server 2007. You can then test AD RMS and Office SharePoint Server 2007 functionality as follows: Create a Microsoft Office Word 2007 document in the CPANDL domain. Upload this document to the Office SharePoint Server 2007 document library. Have an authorized user in the CPANDL domain open and work with the document.

The test environment described in this guide includes five computers connected to a private network and using a clean installation of the following operating systems, applications, and services:
Computer Name Operating System Applications and Services

CPANDL-DC ADRMS-SRV

Windows Server 2003 with Service Pack 1 (SP1) Windows Server 2008

Active Directory, Domain Name System (DNS) AD RMS, Internet Information Services (IIS) 7.0, and Message Queuing Microsoft SQL Server 2005 with Service Pack 2 (SP2) Office SharePoint Server 2007

ADRMS-DB SPS-SRV

Windows Server 2003 with SP1 Windows Server 2003 R2 Standard Edition. Windows Server 2003 R2 must be used if federated identity support with Office SharePoint Server 2007 is

Computer Name

Operating System

Applications and Services

required. Otherwise, Windows Server 2003 with SP1 can be used. ADRMS-CLNT Windows Vista Microsoft Office Word 2007 Enterprise Edition

Note Before installing and configuring the components in this guide, you should verify that your hardware meets the minimum requirements for AD RMS (http://go.microsoft.com/fwlink/? LinkId=84733). The computers form a private intranet and are connected through a common hub or Layer 2 switch. This configuration can be emulated in a virtual server environment if desired. This step-bystep exercise uses private addresses throughout the test lab configuration. The private network ID 10.0.0.0/24 is used for the intranet. The domain controller is named CPANDL-DC for the domain named cpandl.com. The following figure shows the configuration of the test environment:

Step 1: Installing and Configuring SPS-SRV


To prepare your AD RMS test environment in the CPANDL domain, you must complete the following tasks: Configure the Office SharePoint Server (SPS-SRV) Install Office SharePoint Server 2007

Use the following table as a reference when setting up the appropriate computer name, operating system, and network settings that are required to complete the steps in this guide. Important Before you configure your computers with static Internet Protocol (IP) addresses, we recommend that you first complete Windows product activation while each of your 6

computers still has Internet connectivity. You should also install any available critical security updates from Windows Update (http://go.microsoft.com/fwlink/?LinkID=47370).
Computer name Operating system requirement IP settings DNS settings

SPS-SRV

Windows Server 2003 R2, Standard Edition Important In order to use Active Directory Federation Services (AD FS) with Office SharePoint Server 2007, you must install Windows Server 2003 R2 with Service Pack 2 (SP2).

IP address: 10.0.0.6 Subnet mask: 255.255.255.0

10.0.0.1

Configure the Office SharePoint Server (SPS-SRV)


To configure the Office SharePoint Server 2007 server SPS-SRV, you must: 1. Install Windows Server 2003 R2 Standard Edition. 2. Configure TCP/IP properties. 3. Join the computer to the cpandl.com domain. 4. Install the Rights Management Services (RMS) client with SP2. To install Windows Server 2003 R2 Standard Edition 1. Start your computer by using the Windows Server 2003 R2 Standard Edition product CD. 2. When prompted for the installation type, choose Custom Installation. 3. When prompted for a computer name, type SPS-SRV. 4. Follow the rest of the instructions that appear on your screen to finish the installation. Next, configure TCP/IP properties so that SPS-SRV has a static IP address of 10.0.0.6. In addition, configure the Domain Name System (DNS) Server service by using the IP address of CPANDL-DC (10.0.0.1). To configure TCP/IP Properties 1. Log on to SPS-SRV with the SPS-SRV\Administrator account or another user account in the local Administrators group. 2. Click Start, point to Control Panel, point to Network Connections, double-click Local Area Connection, and then click Properties. 7

3. On the General tab, click Internet Protocol (TCP/IP), and then click Properties. 4. Select the Use the following IP address option. In the IP address box, type 10.0.0.6. In Subnet mask box, type 255.255.255.0. 5. Select the Use the following DNS server addresses option. In the Preferred DNS server box, type 10.0.0.1. 6. Click OK, and then click OK to close the Local Area Connection Properties dialog box. Close the Local Area Connection Status dialog box. Next, join SPS-SRV to the cpandl.com domain. To join SPS-SRV to the cpandl.com domain 1. Click Start, right-click My Computer, and then click Properties. 2. Click Computer Name tab, and then click Change. 3. In the Computer Name Changes dialog box, click Domain, and then type cpandl.com. 4. Click More, and type cpandl.com in Primary DNS suffix of this computer box. 5. Click OK twice. 6. When a Computer Name Changes dialog box appears prompting you for administrative credentials, provide the credentials for CPANDL\Administrator, and then click OK. 7. When a Computer Name Changes dialog box appears welcoming you to the cpandl.com domain, click OK. 8. When a Computer Name Changes dialog box appears telling you that the computer must be restarted, click OK, and then click Close. 9. Click Yes to restart the computer. Finally, install the RMS client with SP2 on SPS-SRV. To install the RMS client with SP2 1. Download the RMS client from http://go.microsoft.com/fwlink/?LinkId=67736. If you are using a 64-bit version Windows Server 2003, download the 64-bit version of the RMS client from http://go.microsoft.com/fwlink/?LinkId=67935. 2. Double-click WindowsRightsManagementServicesSP2-KB917275-Client-ENU.exe to start the installation. 3. Click Next. 4. Select the I agree option to accept the End User License Agreement, and then click Next twice to start the installation. 5. Click Close to finish the installation.

Note If you are using a self-signed certificate for your AD RMS cluster, you must import it into the Trusted Certification Authorities certificate store on SPS-SRV before you can consume rights-protected content.

Install Office SharePoint Server 2007


To install Office SharePoint Server 2007, you must complete the following steps in the following order: 1. Add the Application Server role to SPS-SRV. 2. Install Microsoft .NET Framework 3.0. 3. Install Office SharePoint Server 2007. Office SharePoint Server 2007 uses the Application Server role, which contains IIS and ASP.NET, to host Office SharePoint Server 2007 document libraries. To install the Application Server role, you must complete the following steps: To add the Application Server role 1. Click Start, point to All Programs, point to Administrative Tools, and then click Manage Your Server. 2. Click Add or remove a role. 3. On the Preliminary Steps page of the Configure your Server Wizard, click Next. 4. Click Application Server (IIS, ASP.NET), and then click Next. 5. Select the Enable ASP.NET check box, and then click Next twice. Note You will be asked for the Windows Server 2003 product CD in order to complete the installation of the Application Server role. 6. Click Finish to complete the installation. Next, install the .NET Framework 3.0. Office SharePoint Server 2007 requires the Windows Workflow Foundation, which has been integrated into .NET Framework 3.0. To install .NET Framework 3.0 1. Download Microsoft .NET Framework 3.0 from http://go.microsoft.com/fwlink/? LinkId=73912. 2. Double-click dotnetfx3setup.exe, and then click Run in the Open File - Security Warning dialog box. 3. Click the I have read and ACCEPT the terms of the License Agreement option, and then click Install. 4. Click Exit to complete the installation. Next, install Office SharePoint Server 2007. 9

To install Office SharePoint Server 2007 1. Double-click setup.exe from the Office SharePoint Server 2007 product CD. 2. Enter your Product Key, and then click Continue. 3. Select the I accept the terms of this agreement check box, and then click Continue. 4. Click Basic. 5. After installation has completed, select the Run the SharePoint Products and Technologies Configuration Wizard now check box, and then click Close. The installation might take 10 minutes to complete. 6. On the Welcome to the SharePoint Products and Technologies page, click Next. Click Yes in the message confirming that the SharePoint services should be restarted. Office SharePoint Server 2007 will also be configured at this time. 7. Click Finish to complete the installation.

Step 2: Configuring AD RMS to Work with SPS-SRV


After Office SharePoint Server 2007 has been installed, there are several tasks that must be completed to integrate Office SharePoint Server 2007 with AD RMS: Add the Office SharePoint Server 2007 site to the Local Intranet Internet Explorer zone. Add three user accounts, CPANDL\Administrator, Nicole Holliday, and Stuart Railson, to the SharePoint site. Add the Office SharePoint Server 2007 server to the AD RMS server certification pipeline. Enable Information Rights Management in Office SharePoint Server 2007. Restrict permissions by using AD RMS.

First, add the Office SharePoint Server 2007 site to the Internet Explorer Local Intranet zone on the Office SharePoint Server 2007 computer. To add SPS-SRV to Local Intranet 1. Log on to SPS-SRV as cpandl\administrator. 2. Click Start, point to Control Panel, and then click Internet Options. 3. Click the Security tab, click Local Intranet, and then click the Sites button. 4. Type http://SPS-SRV, and then click Add. 5. Click Close, and then click OK. Next, give Nicole Holliday and Stuart Railson access to the SharePoint site so that the Office SharePoint Server 2007 integration with AD RMS can be verified later in this guide: 10

To add Nicole Holliday and Stuart Railson to the SharePoint site 1. Click Start, point to All Programs, and then click Internet Explorer. 2. Type http://SPS-SRV in the address bar, and then click Go. This will open the default Office SharePoint Server 2007 site that was created during installation. 3. Click Site Actions, point to Site Settings, and then click People and Groups. 4. Click New, and then click Add Users. 5. Type nhollida@cpandl.com;srailson@cpandl.com in the Users/Groups box, and then click OK. A list of users who have permission to use the SharePoint site is displayed. Next, add the Office SharePoint Server 2007 server and AD RMS Service Group to the AD RMS cluster server certification pipeline. Important By default, the AD RMS cluster server certification pipeline ACL is configured to allow only the local System account. You must add the permissions in order for Office SharePoint Server 2007 to integrate with AD RMS. To add SPS-SRV to the AD RMS Certification Pipeline 1. Log on to ADRMS-SRV as CPANDL\Administrator. 2. Click Start, and then click Computer. 3. Navigate to C:\Inetpub\wwwroot\_wmcs\Certification. 4. Right-click ServerCertification.asmx, click Properties, and then click the Security tab. 5. Click Advanced, click Edit, select the Include inheritable permissions from this object's parent check box, and then click OK two times. 6. Click Edit, and then click Add. 7. Click Object Types, select the Computers check box, and then click OK. 8. Type SPS-SRV, and then click OK. 9. Click OK to close the ServerCertification.asmx Properties sheet. By default the Read & execute and the Read permissions are configured for the SPSSRV computer account object and all other accounts inherited from the parent folder. 10. Click Start, and then click Command Prompt. 11. Type iisreset, and then press ENTER. Once the AD RMS cluster certification pipeline has been allowed so that SPS-SRV can communicate with it, you must configure Office SharePoint Server 2007 to use the AD RMS cluster: To enable Information Rights Management in Office SharePoint Server 2007 1. Log on to SPS-SRV as CPANDL\administrator. 2. Click Start, point to Administrative Tools, and then click SharePoint 3.0 Central 11

Administration. 3. Click Operations, and then click Information Rights Management. 4. Select the Use the default RMS server specified in Active Directory option, and then click OK. Create an Office SharePoint Server 2007 permission policy on the default document library. This permission policy will be used to restrict the ability to print any documents that are uploaded to the document library: To restrict permissions using AD RMS 1. Log on as cpandl\Administrator. 2. Click Start, point to All Programs, and then click Internet Explorer. 3. Type http://SPS-SRV in the address bar, and then click Go. 4. Click Document Center, click Documents, click Settings, and then click Document Library Settings. 5. Under the Permissions and Management heading, click Information Rights Management. 6. Select the Restrict permission to documents in this library on download check box. 7. Type CPANDL Protected in the Permissions policy title box. 8. Type Restrict CPANDL employees from printing in the Permission policy description box. 9. Click OK. Note Office SharePoint Server 2007 will automatically apply AD RMS rights to the document when it is downloaded from the Office SharePoint Server 2007 site. These rights are determined by the Office SharePoint Server 2007 group membership for that site. For example, a user who is in the Visitors Office SharePoint Server 2007 group will not be able to modify the document when it is downloaded from the Office SharePoint Server 2007 site.

Step 3: Verifying AD RMS Functionality using ADRMS-CLNT


To verify the functionality of the AD RMS deployment, you log on as Nicole Holliday, create a new Microsoft Word 2007 document, and upload it to the Office SharePoint Server 2007 site into a rights-enabled document library configured such that users who download the document will not be able to print it. You then log on as Stuart Railson, download the document from the Office SharePoint Server 2007 site and verify that the ability to print the document has been restricted. 12

Before you can consume rights-protected content, you must add SPS-SRV to the Local Intranet security zone. To add SPS-SRV to Local Intranet security zone 1. Log on to ADRMS-CLNT as Nicole Holliday (CPANDL\nhollida). 2. Click Start, click All Programs, and then click Internet Explorer. 3. Click Tools, and then click Internet Options. 4. Click the Security tab, click Local intranet, and then click Sites. 5. Click Advanced. 6. In the Add this website to the zone, type http://sps-srv, and then click Add. 7. Click close. 8. Repeat steps 17 for Stuart Railson (CPANDL\srailson). Next, log on a Nicole Holliday and create a Microsoft Word 2007 document and upload it to the Office SharePoint Server 2007 site. To create and upload a Microsoft Word document for testing 1. Click Start, point to All Programs, point to Microsoft Office, and then click Microsoft Office Word 2007. 2. Type This document is read-only. You cannot print it. in the new document, click the Microsoft Office Button, click Save As, and then save the file as ADRMS-TST.docx to a location on ADRMS-CLNT. This document will be uploaded to the Office SharePoint Server 2007 document library. Note Since Nicole Holliday is the author of this document, she will have full rights to the document, regardless of the AD RMS rights that are applied to it. 3. Close Microsoft Office Word 2007. 4. Click Start, point to All Programs, and then click Internet Explorer. 5. Type http://SPS-SRV/ in the address bar, and then click Go. 6. Click Document Center, and then click Documents. 7. Click Upload, click Upload Document, click Browse to locate and select ADRMSTST, and then click Open. 8. Click OK to upload the file, and then click Check In. By uploading the document into this library, the document receives the restrictions set on the library. 9. Log off as Nicole Holliday. Finally, log on as Stuart Railson and open the document from the Office SharePoint Server 2007 site.

13

To open a protected document 1. Log on to ADRMS-CLNT as Stuart Railson (CPANDL\srailson). 2. Click Start, click All Programs, and then click Internet Explorer. 3. Type http://SPS-SRV/ in the address bar, and then click Go. 4. Click Document Center, and then click Documents. 5. Click ADRMS-TST, and then click OK to open the document as Read Only. 6. The following message will appear: "Permission to this document is currently restricted. Microsoft Office must connect to https://adrmssrv.cpandl.com/_wmcs/licensing to verify your credentials and download your permission." 7. Click OK. 8. The following message will appear: "Verifying your credentials for opening content with restricted permissions". 9. Click OK in the full screen reading view message, and then click Close to close the full screen reading view. 10. Click the Microsoft Office button. The Print command is disabled. You have successfully deployed, integrated, and demonstrated the functionality of AD RMS and Office SharePoint Server 2007, using the simple scenario of uploading a Microsoft Office Word 2007 document to an Office SharePoint Server 2007 site. You can also use this deployment to explore some of the additional capabilities of AD RMS through additional configuration and testing.

Appendix A: Configuring Active Directory Federation Services to work with Office SharePoint Server 2007
About this Appendix
This appendix walks you through the process of configuring Active Directory Federation Services (AD FS) and Microsoft Office SharePoint Server 2007 together in a test environment to consume content that is rights-protected by Active Directory Rights Management Services (AD RMS). Specifically, this guide shows you how to consume rights-protected content from an Office SharePoint Server 2007 document library through a federated trust. This guide assumes that you previously completed the following step-by-step guides: Windows Server Active Directory Rights Management Services Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=54964) Using Identity Federation with Active Directory Rights Management Services Step-byStep Guide (http://go.microsoft.com/fwlink/?LinkId=72135) 14

The first three steps of Deploying Active Directory Rights Management Services with Microsoft Office SharePoint Server 2007 Step-By-Step Guide In this appendix, you will configure the test environment configured in the step-by-step guides referenced above to include federated support for Office SharePoint Server 2007.

Configuring AD FS to work with Office SharePoint Server 2007 in a Test Environment


We recommend that you first use the steps provided in this appendix in a test lab environment. Step-by-step guides are not necessarily meant to be used to deploy Windows Server features without additional deployment documentation and should be used with discretion as a standalone document. Upon completion of this appendix, you will have a working AD RMS and Office SharePoint Server 2007 infrastructure with federation support. You can then test and verify the functionality as follows: Create a document in the CPANDL.COM domain. Upload the document to a rights-protected document library.

Have an authorized user in the TREYRESEARCH.NET domain open and work with the document. The test environment described in this guide include nine computers connected to a private network and using the following operating systems, applications, and services:
Computer Name Operating System Applications and Services

CPANDL-DC TREY-DC

Windows Server 2003 with Service Active Directory, Domain Pack 1 (SP1) Name System (DNS) Note Domain controllers running Windows 2000 Server with Service Pack 4 can be used. However, in this step-bystep guide it is assumed that you will be using domain controllers running Windows Server 2003 with SP1.

ADRMS-SRV

Windows Server 2008

AD RMS, Internet Information Services (IIS) 7.0, Message Queuing, and World Wide Web Publishing Service 15

Computer Name

Operating System

Applications and Services

ADRMS-DB SPS-SRV

Windows Server 2003 with SP1 Windows Server 2003 R2 with Server Pack 2 (SP2). Important Windows Server 2003 R2 with SP2 is required for federation support to work with Office SharePoint Server 2007.

Microsoft SQL Server 2005 Standard Edition AD FS claims-aware agent, Office SharePoint Server 2007

ADRMS-CLNT ADRMS-CLNT2 ADFS-RESOURCE ADFS-ACCOUNT

Windows Vista

Microsoft Office Word 2007 Enterprise Edition

Windows Server 2008 Enterprise AD FS, IIS

The computers form two private intranets and are connected through a common hub or Layer 2 switch. This configuration can be emulated in a virtual server environment, if desired. This appendix exercise uses private addresses throughout the test lab configuration. The private network ID 10.0.0.0/24 is used for the intranet. The domain controller for the domain named cpandl.com is CPANDL-DC and the domain controller for the domain name treyresearch.net is TREY-DC. The following figure shows the configuration of the test environment:

16

Step 1: Setting up the infrastructure


The following steps should be taken to prepare the existing test infrastructure for configuring AD FS with Office SharePoint Server 2007: Install the claims-aware applications Windows component on SPS-SRV. Add a DNS host name record to the CPANDL.COM domain so that federated users can access the Office SharePoint Server 2007 Web site. Add the external SharePoint Web site as a claims-aware application on ADFSRESOURCE.

17

Note Windows Server 2003 with SP2 is required for AD FS and Office SharePoint Server 2007 to work together. To download Windows Server 2003 with SP2, see http://go.microsoft.com/fwlink/?LinkId=98598. First, add the claims-aware application Windows component. This component is required for AD FS and interfaces with the AD FS federation servers to submit claims. To add the claims-aware applications Windows component 1. Log on to SPS-SRV as cpandl\administrator or another user account in the local Administrators group. 2. Click Start, point to Control Panel, click Add or Remove Programs, and then click Add/Remove Windows Components. 3. Click Active Directory Services, and then click Details. 4. Click Active Directory Federation Services (ADFS), and then click Details. 5. Click ADFS Web Agents, and then click Details. 6. Select the Claims-aware applications check box, and then click OK three times. 7. Click Next. Note You will be asked for the Windows Server 2003 R2 product CD in order to complete the installation of the claims-aware applications Windows component. 8. Click Finish to complete the installation. Next, add a DNS host name record is required in the CPANDL.COM domain so that federated users in the TREYRESEARCH.NET domain can access the Office SharePoint Server 2007 Web site. To create a DNS host name record for the external Office SharePoint Server 2007 Web site 1. Log on to CPANDL-DC as cpandl\administrator or another user account in the local Administrators group. 2. Click Start, point to Administrative Tools, and then click DNS. 3. Expand Forward Lookup Zones, right-click CPANDL-DC, and then click New Host (A). 4. In the Name box, type external-sps. 5. In the IP Address box, type 10.0.0.6, and then click Add Host. 6. Click OK, confirming that the host record was successfully created. 7. Click Done. Finally, add the external SharePoint Web site as a claims-aware Windows application on ADFSRESOURCE: This should be done before a user is added to doc library.

18

To add the external SharePoint Web site as a claims-aware Windows application on ADFS-RESOURCE 1. Log on to ADFS-RESOURCE as cpandl\adfsadmin or another user account in the local Administrators group. 2. Click Start, point to Administrative Tools, and then click Active Directory Federation Services. 3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue. 4. Expand Federation Services, expand Trust Policy, and then expand My Organization. 5. Right-click Applications, point to New, and then click Application. 6. On the Welcome to the Add Application Wizard, click Next. 7. Select the Claims-aware application option, and then click Next. 8. In the Application display name box, type External SharePoint Web site. 9. In the Application URL box, type https://external-sps.cpandl.com, and then click Next. 10. Select the E-mail check box, and then click Next. 11. Select the Enable this application check box, and then click Next. 12. Click Finish.

Step 2: Configuring Office SharePoint 2007 to work with AD FS


To configure Office SharePoint Server 2007 to work with AD FS, several steps must be completed: Add a claims-aware Windows application for the external Web site. Extend the internal Office SharePoint Server 2007 Web site. Add a Secure Sockets Layer (SSL) certificate to the external Web site. Configure the authentication provider on the external Web site. Edit the web.config file on the internal Web site. Add Terrence Philip to the default document library. Edit the web.config file on the external Web site.

First, extend the existing internal Web site, created earlier in this guide, and add it to the Extranet zone. To extend the internal Office SharePoint 2007 Web site and add it to the Extranet zone on SPS-SRV. 1. Log on to SPS-SRV as cpandl\administrator or another user account in the local Administrators group. 19

2. Click Start, point to Administrative Tools, and then click SharePoint 3.0 Central Administration. 3. Click Application Management, click Create or Extend Web application, and then click Extend an existing Web application. 4. Select the Create a new Web site option, and then type External Users Web site in the Description box. 5. In the Web Application box, click Change Web Application, and then click http://sps-srv. 6. In the Port box, type 443. 7. In the Host header box, type external-sps.cpandl.com. 8. In the Secure Sockets Layer (SSL) box, select the Yes option. 9. In the URL box, type https://external-sps.cpandl.com. 10. In the Zone box, click Extranet. 11. Click OK. Before proceeding with this appendix, verify that the internal Web site was correctly extended. To do this, open the Alternate Access Mappings and ensure that external-sps.cpandl.com is available. To verify that the external Web site is available 1. In the Central Administration 3.0 site, click Operations. 2. Under the Global Configuration heading, click Alternate access mappings. 3. Verify that the https://external-sps.cpandl.com is shown and the Zone is configured for Extranet. Next, add an SSL certificate to the external-sps.cpandl.com Web site by using IIS. AD FS requires an SSL connection for all claims-aware Windows applications. To add an SSL certificate to the external Office SharePoint 2007 Web site 1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager. 2. Expand Web Sites, right-click External Users Web site, and then click Properties. 3. Click Directory Security, and then click Server Certificate. 4. On the Welcome to the Web Server Certificate Wizard page, click Next. 5. Choose whether to import from an existing certificate file or request a new certificate. 6. After the certificate is imported, close the External Users Web site properties sheet. Next, configure the authentication provider on the external Web site to use Web Single Sign On (SSO).

20

To configure the authentication provider of the Extranet Web application to use Web SSO 1. Click Start, point to Administrative Tools, and then click SharePoint 3.0 Central Administration, and then click Application Management. 2. Under the Application Security heading, click Authentication providers. 3. In the Web application box, click Change Web Application, and then click SharePoint - 80. 4. Click Extranet. 5. For Authentication Type, select the Web single sign on option. 6. In the Membership provider name box, type SingleSignOnMembershipProvider2. 7. In the Role manager name box, type SingleSignOnRoleProvider2. 8. For Enable client integration, select the No option, and then click Save. Next, configure the internal Web application to accept claims from the external Web site by editing the web.config file for the internal Web site: To configure the internal Web site to accept claims from the external Web site 1. Navigate to C:\inetpub\wwwroot\wss\VirtualDirectories\80. 2. Right-click web.config, and then click Open. 3. Select the Select the program from a list option, click Notepad, clear the Always use the selected program to open this kind of file check box, and then click OK. 4. Add the following text under the line that reads <authentication mode ="Windows" />:
<membership> <providers> <add name="SingleSignOnMembershipProvider2" type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" fs="https://adfsresource.cpandl.com/adfs/fs/federationserverservice.asmx" /> </providers> </membership>

<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider"> <providers> <remove name="AspNetSqlRoleProvider" /> <add name="SingleSignOnRoleProvider2" type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" fs="https://adfsresource.cpandl.com/adfs/fs/federationserverservice.asmx" /> </providers>

21

</roleManager>

5. Click File, and then click Save. 6. Close Notepad. 7. At a command prompt, type IISRESET, and then press ENTER. Next, add Terrence Philip (TREYRESEARCH\tphilip) to the default document library. To add Terrence Philip to the default document library 1. Click Start, point to All Programs, and then click Internet Explorer. 2. Type http://SPS-SRV in the address bar, and then click Go. This will open the default Office SharePoint Server 2007 site that was created during installation. 3. Click Site Actions, point to Site Settings, and then click People and Groups. 4. Click New, and then click Add Users. 5. In the Users/Groups box, type tphilip@treyresearch.net, and then click OK. Important If the internal SharePoint Web site is not able to resolve Terence Philip using the procedure above, you should ensure all of the previous steps were completed correctly before continuing through the rest of this appendix. Next, edit the web.config file on the external Web site. There are several entries that must be made to put each individual entry into its own procedure. To add a new entry in the <configSections> node 1. Navigate to C:\inetpub\wwwroot\wss\VirtualDirectories\external-sps.cpandl.com443. 2. Right-click web.config, and then click Open. 3. Select the Select the program from a list option, click Notepad, and then clear the Always use the selected program to open this kind of file check box. 4. Add the following text in the <configSections> node:
<sectionGroup name="system.web">

<section name="websso" type="System.Web.Security.SingleSignOn.WebSsoConfigurationHandler, System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" />

</sectionGroup>

5. Click File, and then click Save. Add a new entry in the <httpModules> node:

22

To add a new entry in the <httpModules> node 1. In the same file as the previous procedure, add the following line as the last entry in the <httpModules> node:
<add name="Identity Federation Services Application Authentication Module" type="System.Web.Security.SingleSignOn.WebSsoAuthenticationModule, System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" />

2. Click File, and then click Save. Add a new entry to the <system.web> node: To add a new entry in the <system.web> node 1. In the same file as the previous procedure, add the following under the line that read <authentication mode="None"/>:
<membership defaultProvider="SingleSignOnMembershipProvider2">

<providers>

<add name="SingleSignOnMembershipProvider2" type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />

</providers>

</membership>

<roleManager enabled="true" defaultProvider="SingleSignOnRoleProvider2">

<providers>

<add name="SingleSignOnRoleProvider2" type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />

</providers>

</roleManager>

23

<websso>

<authenticationrequired /> <auditlevel>55</auditlevel>

<urls> <returnurl>https://external-sps.cpandl.com</returnurl> </urls>

<fs>https://adfs-resource.cpandl.com/adfs/fs/federationserverservice.asmx</fs>

<isSharePoint />

</websso>

2. Click File, and then click Save. 3. Close Notepad. 4. From a command prompt, type IISRESET, and then press ENTER.

Step 3: Verifying AD RMS functionality with Office SharePoint Server 2007 and AD FS.
To verify the functionality of AD RMS using AD FS and Office SharePoint Server 2007, you log on to ADRMS-CLNT as Nicole Holliday, create a new Microsoft Word 2007 document, and upload it to the Office SharePoint Server 2007 site into a rights-enabled document library configured such that users who download the document will be able to read it but will not be able to print it. You then log on to ADRMS-CLNT2 as Terrence Philip, download the document from the Office SharePoint Server 2007 site and verify that the ability to print the document has been restricted. Before you can consume rights-protected content, you must add the external Web application (external-sps.cpandl.com) to the Local Intranet security zone on ADRMS-CLNT2. To add external-sps.cpandl.com to Local Intranet security zone 1. Log on to ADRMS-CLNT2 as Terrence Philip (TREYRESEARCH\tphilip). 2. Click Start, click All Programs, and then click Internet Explorer. 3. Click Tools, and then click Internet Options. 4. Click the Security tab, click Local intranet, and then click Sites. 5. Click Advanced. 6. In the Add this website to the zone, type https://external-sps.cpandl.com, and 24

then click Add. 7. Click close. Next, log on to ADRMS-CLNT as Nicole Holliday and create a Microsoft Word 2007 document and upload it to the Office SharePoint Server 2007 site. To create and upload a Microsoft Word document for testing 1. Click Start, point to All Programs, point to Microsoft Office, and then click Microsoft Office Word 2007. 2. Type This document is read-only. You cannot print it. in the new document, click the Microsoft Office Button, click Save As, and then save the file as ADRMS-TST.docx to a location on ADRMS-CLNT. This document will be uploaded to the Office SharePoint Server 2007 document library. Note Since Nicole Holliday is the author of this document, she will have full rights to the document, regardless of the AD RMS rights that are applied to it. 3. Close Microsoft Office Word 2007. 4. Click Start, point to All Programs, and then click Internet Explorer. 5. Type http://SPS-SRV/ in the address bar, and then click Go. 6. Click Document Center, and then click Documents. 7. Click Upload, click Upload Document, click Browse to locate and select ADRMSTST, and then click Open. 8. Click OK to upload the file, and then click Check In. By uploading the document into this library, the document receives the restrictions set on the library. 9. Log off as Nicole Holliday. Finally, log on to ADRMS-CLNT2 as Terrence Philip and open the document from the external Office SharePoint Server 2007 site. To open a protected document 1. Log on to ADRMS-CLNT2 as Terrence Philip (TREYRESEARCH\tphilip). 2. Click Start, click All Programs, and then click Internet Explorer. 3. Type https://external-sps.cpandl.com/ in the address bar, and then click Go. 4. Click Document Center, and then click Documents. 5. Click ADRMS-TST, and then click OK to open the document as Read Only. 6. The following message will appear: "Permission to this document is currently restricted. Microsoft Office must connect to https://adrmssrv.cpandl.com/_wmcs/licensing to verify your credentials and download your permission." 25

7. Click OK. 8. The following message will appear: "Verifying your credentials for opening content with restricted permissions". 9. Click OK in the full screen reading view message, and then click Close to close the full screen reading view. 10. Click the Microsoft Office button. The Print command is disabled. You have successfully deployed, integrated, and demonstrated the functionality of AD RMS, AD FS, and Office SharePoint Server 2007, using the simple scenario of uploading a Microsoft Office Word 2007 document to an Office SharePoint Server 2007 site. You can also use this deployment to explore some of the additional capabilities of AD RMS through additional configuration and testing.

26

Você também pode gostar