Using Federated AD RMS with SharePoint Server 2007

Applies To: Windows Server 2008, Windows Server 2008 R2

Microsoft Office SharePoint Server 2007 together with federated Active Directory Rights Management Services (AD RMS) provides a secure, efficient and easy-to-use means to collaborate within an organization and with external partners. Office SharePoint Server supports the automatic application of information protection policies to documents that are downloaded from a SharePoint document library. When combined with Active Directory Federation Services (AD FS), this allows a company to publish documents in a SharePoint library and keep control of who can access those documents and how they can use them, and this control extends even to users from other companies without the requirement to provision accounts for those users.

When a document is downloaded from an IRM-enabled SharePoint Server 2007 document library or list, it is automatically protected by AD RMS, and as part of that protection, the document can only be uploaded back to the same location. This is to guarantee that the same permissions are applied on any subsequent downloads and to prevent changing or removing the permissions on the document by uploading it to a library that is not enabled for IRM.

The interchange of AD RMS-protected documents and documents stored in Office SharePoint Server (including AD RMS-protected SharePoint libraries) is greatly facilitated by AD FS integration in Office SharePoint Server 2007 and Windows Server 2008 AD RMS. This integration provides the following benefits:

  • Organizations can use a federation trust with external entities.

  • Credentials and user attributes are managed in the “home realm” by the partner organization.

  • It reduces issues around provisioning accounts for external users in the organization’s directory.

  • Identity lifecycle management is put in the hands of the user’s “home realm”, where it belongs.

  • It provides a collaboration solution that goes beyond a “point solution” for AD RMS: the same federation trust can be used for SharePoint and extended to other applications.

Implementing a Sample Federated AD RMS with Office SharePoint Server Scenario

This section discusses how to configure AD FS and Office SharePoint Server together in a test environment to consume content that is rights-protected by AD RMS. Specifically, this guide shows you how to consume rights-protected content from an Office SharePoint Server 2007 document library through a federated trust.

After completing the tasks in this section, you will have a working AD RMS and Office SharePoint Server 2007 infrastructure with federation support. You can then test and verify the functionality by performing these actions:

  • Create a document in the source (cpandl.com) domain.

  • Upload the document to a rights-protected document library.

  • Have an authorized user in the partner organization domain (treyresearch.net) open and work with the document.

In this section, you will extend the test environment that you configured in the previous section to include federated support for Office SharePoint Server 2007. In addition to the computers configured in that section, you must also configure a server named sps-srv running Windows Server 2008 and Office SharePoint Server 2007 and add it to the cpandl.com domain.

The following diagram shows the configuration of the test environment for this section:

To create this configuration requires performing the following tasks:

  • Configuring AD FS to Work with Office SharePoint Server 2007

  • Configuring Office SharePoint Server to Work with AD FS

  • Verifying AD RMS Functionality with Office SharePoint Server and AD FS

Configuring AD FS to Work with Office SharePoint Server 2007

To enable AD FS to work with Office SharePoint Server, first add the AD FS claims-aware agent role service to the SharePoint server (sps-srv). Next, create the external SharePoint site and add a DNS host (A) record to the cpandl.com domain so that external federated users can resolve the SharePoint Web site. Finally, add the external SharePoint Web site as a claims-aware application on the AD FS resource partner server (adfs-resource) before you add any users to the document library.

To complete this task, you must perform the following procedures:

  1. To add the claims-aware agent role service

  2. To add a host (A) record for the Office SharePoint server

  3. To add a claims-aware application

To add the claims-aware agent role service

  1. Log on to SharePoint server (SPS-SRV) as a member of the local Administrators group.

  2. Click Start, point to Administrative Tools, and then click Server Manager.

  3. In Server Manager, click Roles, and then click Add Roles.

  4. In the Add Roles wizard, click Next.

  5. On the Select Server Roles page, select Active Directory Federation Services Role, and then click Next.

  6. On the Active Directory Federation Services (AD FS) page, click Next.

  7. On the Select Role Services page, select Claims-aware Agent, and then click Next.

  8. On the Confirm Installation Selections page, click Install.

To add a host (A) record for the Office SharePoint server

  1. Log on to the cpandl.com domain controller (cpandl-dc) as a member of the Domain Admins group.

  2. Click Start, point to Administrative Tools, and then click Server Manager.

  3. In the console tree, expand Roles, expand DNS Server, expand DNS, and then expand cpandl.com.

  4. Expand Forward Lookup Zones, right-click cpandl.com, and then click New Host (A or AAAA).

  5. In Name, type external-sps.

  6. In IP Address, type the IP address of the external SharePoint Web site, and then click Add Host.

To add a claims-aware application

  1. Log on to adfs-resource as a member of the local Administrators group.

  2. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  3. Expand Federation Services, expand Trust Policy, and then expand My Organization.

  4. Right-click Applications, point to New, and then click Application.

  5. On the Welcome to the Add Application Wizard page, click Next.

  6. Click Claims-aware application, and then click Next.

  7. In Application display name, type External SharePoint Web site.

  8. In Application URL, type https://external-sps.cpandl.com, and then click Next.

  9. Select the E-mail check box only, and then click Next.

  10. Select Enable this application, and then click Next.

  11. Click Finish.

You should see the following mapping on the AD FS server:

Configuring Office SharePoint Server to Work with AD FS

After configuring AD FS to work with Office SharePoint Server, you must also configure Office SharePoint Server to accept federated identities from AD FS. To complete this task, you must perform the following procedures:

  1. To extend the internal Office SharePoint Server Web site

  2. To add a secure sockets layer (SSL) certificate to the external Web site

  3. To configure the authentication provider on the external Web site

  4. To edit the web.config file on the internal Web site

  5. To edit the web.config file on the external Web site

  6. To add a partner user to the default document library

Before performing this task, you must obtain and install an SSL certificate with the Common Name set to external-sps.cpandl.com.

To extend the internal Office SharePoint Server Web site

  1. Log on to the SharePoint server (sps-srv) as a member of the local Administrators group.

  2. Click Start, point to Administrative Tools, and then click SharePoint 3.0 Central Administration.

  3. Click Application Management, click Create or Extend Web application, and then click Extend an existing Web application.

  4. In Web Application, select Change Web Application, and then click https://sps-srv.

  5. Click Create a new IIS Web site, and then in Description, type External Users Web site.

  6. In the Port box, type 443.

  7. In the Host header box, type the external name of the site: external-sps.cpandl.com.

  8. Under Secure Sockets Layer (SSL), click Yes.

  9. In URL, type https://external-sps.cpandl.com.

  10. In the Zone box, click Extranet.

  11. Click OK.

  12. Click Operations.

  13. Under Global Configuration, click Alternate access mappings.

  14. Verify that https://external-sps.cpandl.com is shown and that the zone is configured for extranet.

To add a secure sockets layer (SSL) certificate to the external Web site

  1. Log on to the SharePoint server (sps-srv) as a member of the local Administrators group.

  2. Click Start, point to Administrative Tools, and then click Internet Information Service (IIS) Manager.

  3. In the console tree, expand sps-srv, expand Sites, and then click External Users Web site.

  4. In the Actions pane, under Edit Site, click Bindings.

  5. In the Site Bindings dialog box list, click https, and then click Edit.

  6. In the SSL certificate, select external-sps.cpandl.com, and then click OK.

  7. In the Site Bindings dialog box, click Close.

To configure the authentication provider on the external Web site

  1. Log on to the SharePoint server (sps-srv) as a member of the local Administrators group.

  2. Click Start, point to Administrative Tools, and then click SharePoint 3.0 Central Administration.

  3. Click Application Management.

  4. Under Application Security, click Authentication providers.

  5. In Web application, click Change Web Application, and then click SharePoint - 80.

  6. Click Extranet.

  7. Under Authentication Type, click Web single sign on.

  8. In Membership provider name, type SingleSignOnMembershipProvider2.

  9. In Role manager name, type SingleSignOnRoleProvider2.

  10. Under Enable client integration, click No, and then click Save.

To edit the web.config file on the internal Web site

  1. Log on to the SharePoint server (sps-srv) as a member of the local Administrators group.

  2. Click Start, right-click Command Prompt, and then click Run as Administrator.

  3. At the command prompt, type:

    cd C:\inetpub\wwwroot\wss\VirtualDirectories\80

    notepad web.config

  4. Add the following text under the line <authentication mode="Windows" />:

    <membership>
      <providers>
        <add name="SingleSignOnMembershipProvider2" type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" fs="https://adfs-resource.cpandl.com/adfs/fs/federationserverservice.asmx" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
      <providers>
        <remove name="AspNetSqlRoleProvider" />
        <add name="SingleSignOnRoleProvider2" type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" fs="https://adfs-resource.cpandl.com/adfs/fs/federationserverservice.asmx" />
      </providers>
    </roleManager>
    
  5. Click File, click Exit, and then click Save.

  6. At the command prompt, type:

    iisreset

To edit the web.config file on the external Web site

  1. Log on to the SharePoint server (sps-srv) as a member of the local Administrators group.

  2. Click Start, right-click Command Prompt, and then click Run as Administrator.

  3. At the command prompt, type:

    cd C:\inetpub\wwwroot\wss\VirtualDirectories\external-sps.cpandl.com443

    notepad web.config

  4. Add the following text in the <configSections> node:

    <sectionGroup name="system.web">
      <section name="websso" type="System.Web.Security.SingleSignOn.WebSsoConfigurationHandler, System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" />
    </sectionGroup>
    
  5. Add the following as the last entry in the <httpModules> node:

    <add name="Identity Federation Services Application Authentication Module" type="System.Web.Security.SingleSignOn.WebSsoAuthenticationModule, System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" />
    
  6. Add the following under the line that reads <authentication mode="None"/>:

    <membership defaultProvider="SingleSignOnMembershipProvider2">
      <providers>
        <add name="SingleSignOnMembershipProvider2" type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      </providers>
    </membership>

    <roleManager enabled="true" defaultProvider="SingleSignOnRoleProvider2">
      <providers>
        <add name="SingleSignOnRoleProvider2" type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      </providers>
    </roleManager>

    <websso>
      <authenticationrequired />
      <auditlevel>55</auditlevel>
      <urls>
        <returnurl>https://external-sps.cpandl.com</returnurl>
      </urls>
      <fs>https://adfs-resource.cpandl.com/adfs/fs/federationserverservice.asmx</fs>
      <isSharePoint />
    </websso>
    
  7. Click File, click Exit, and then click Save.

  8. At the command prompt, type:

    iisreset
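The two web.config procedures above are easy to get subtly wrong: a provider registered but not set as the default, the authentication module not last in the httpModules pipeline, the federation server URL typed over plain HTTP, or a returnurl that does not match the extranet site. As an added example that is not part of this guide and not Microsoft tooling, the following Python script reads a web.config and reports any of those deviations. The element, attribute, provider and module names are the ones in the snippets above, and FS_ENDPOINT matches this guide's test environment; the sample configuration embedded in the script is constructed for the demonstration, with type attributes abbreviated and "SomeOtherModule" standing in for the modules SharePoint already registers.

```python
"""Offline checker for the web single sign-on entries that the two web.config
procedures above add. Added example, not Microsoft's or SharePoint's tooling:
names come from the snippets on this page; the sample config is constructed."""
import xml.etree.ElementTree as ET

MEMBERSHIP_PROVIDER = "SingleSignOnMembershipProvider2"
ROLE_PROVIDER = "SingleSignOnRoleProvider2"
WEBSSO_MODULE = "Identity Federation Services Application Authentication Module"
FS_ENDPOINT = "https://adfs-resource.cpandl.com/adfs/fs/federationserverservice.asmx"
PROVIDERS = (("membership", MEMBERSHIP_PROVIDER), ("roleManager", ROLE_PROVIDER))


def check_internal(xml_text, fs_endpoint=FS_ENDPOINT):
    """Internal (port 80) site: both providers registered, each pointing at the
    resource federation server over HTTPS, and the role manager enabled."""
    root = ET.fromstring(xml_text)
    findings = []
    for section, name in PROVIDERS:
        add = root.find(f"system.web/{section}/providers/add[@name='{name}']")
        if add is None:
            findings.append(f"{section}: provider {name} not registered")
            continue
        fs = add.get("fs", "")
        if not fs.startswith("https://"):
            findings.append(f"{section}: fs endpoint '{fs}' must use HTTPS")
        elif fs != fs_endpoint:
            findings.append(f"{section}: fs endpoint '{fs}' is not {fs_endpoint}")
    role_manager = root.find("system.web/roleManager")
    if role_manager is None or role_manager.get("enabled") != "true":
        findings.append("roleManager: not enabled")
    return findings


def check_external(xml_text, return_url, fs_endpoint=FS_ENDPOINT):
    """Extranet site: websso handler declared, built-in authentication off, the
    WebSSO module last in the pipeline, federated providers as defaults, and the
    websso block pointing at the expected federation server and return URL."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.find("configSections/sectionGroup[@name='system.web']/section[@name='websso']") is None:
        findings.append("configSections: websso section handler not declared")
    auth = root.find("system.web/authentication")
    if auth is None or auth.get("mode") != "None":
        findings.append("authentication: mode must be None on the federated site")
    modules = [m.get("name") for m in root.findall("system.web/httpModules/add")]
    if WEBSSO_MODULE not in modules:
        findings.append("httpModules: WebSSO authentication module missing")
    elif modules[-1] != WEBSSO_MODULE:
        findings.append("httpModules: WebSSO authentication module is not the last entry")
    for section, name in PROVIDERS:
        node = root.find(f"system.web/{section}")
        if node is None or node.get("defaultProvider") != name:
            findings.append(f"{section}: defaultProvider is not {name}")
        if root.find(f"system.web/{section}/providers/add[@name='{name}']") is None:
            findings.append(f"{section}: provider {name} not registered")
    websso = root.find("system.web/websso")
    if websso is None:
        return findings + ["websso: block missing"]
    for required in ("authenticationrequired", "isSharePoint"):
        if websso.find(required) is None:
            findings.append(f"websso: <{required} /> missing")
    fs = websso.findtext("fs", "")
    if fs != fs_endpoint:
        findings.append(f"websso: fs is '{fs}', expected '{fs_endpoint}'")
    ret = websso.findtext("urls/returnurl", "")
    if ret != return_url:
        findings.append(f"websso: returnurl is '{ret}', expected '{return_url}'")
    return findings


# Constructed sample of the extranet web.config after step 6 above; type attributes
# are abbreviated and "SomeOtherModule" stands in for modules SharePoint registers.
EXTERNAL_OK = """<configuration>
  <configSections>
    <sectionGroup name="system.web"><section name="websso" type="..." /></sectionGroup>
  </configSections>
  <system.web>
    <httpModules>
      <add name="SomeOtherModule" type="..." />
      <add name="Identity Federation Services Application Authentication Module" type="..." />
    </httpModules>
    <authentication mode="None" />
    <membership defaultProvider="SingleSignOnMembershipProvider2">
      <providers><add name="SingleSignOnMembershipProvider2" type="..." /></providers>
    </membership>
    <roleManager enabled="true" defaultProvider="SingleSignOnRoleProvider2">
      <providers><add name="SingleSignOnRoleProvider2" type="..." /></providers>
    </roleManager>
    <websso>
      <authenticationrequired />
      <auditlevel>55</auditlevel>
      <urls><returnurl>https://external-sps.cpandl.com</returnurl></urls>
      <fs>https://adfs-resource.cpandl.com/adfs/fs/federationserverservice.asmx</fs>
      <isSharePoint />
    </websso>
  </system.web>
</configuration>"""

# Same file with two slips: authentication left at Windows, federation server over plain HTTP.
EXTERNAL_BAD = EXTERNAL_OK.replace('mode="None"', 'mode="Windows"').replace("<fs>https://", "<fs>http://")
```

Run check_internal against a copy of the port 80 site's web.config and check_external (with the extranet URL from the alternate access mapping) against the external-sps.cpandl.com443 site's file; an empty list means the file contains what the procedures call for, and each finding names the section to revisit.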

To add a partner user to the default document library

  1. Click Start, point to All Programs, and then click Internet Explorer.

  2. In the address bar, type https://SPS-SRV, and then click Go.

  3. Click Site Actions, point to Site Settings, and then click People and Groups.

  4. Click New, and then click Add Users.

  5. In the Users/Groups box, type the e-mail address of a partner user (tphilip@treyresearch.net), and then click OK.

Verifying AD RMS Functionality with Office SharePoint Server and AD FS

To verify that AD RMS is correctly using AD FS and Office SharePoint Server, you can log on to the client computer (adrms-clnt) as Nicole Holliday. Next, create a new Microsoft Word 2007 document, and then upload it to the Office SharePoint Server 2007 site into a rights-enabled document library configured such that users who download the document will be able to read it but will not be able to print it. You can then log on to the partner client computer (adrms-clnt2) as Terrence Philip, download the document from the SharePoint site, and verify that the ability to print the document has been restricted.

To complete this task, you must perform the following procedures:

  1. To upload a document to the IRM-protected SharePoint site

  2. To add external-sps.cpandl.com to the local intranet security zone

  3. To use a partner client to download and open the document

To upload a document to the IRM-protected SharePoint site

  1. Log on to the document publisher computer (adrms-clnt) as Nicole Holliday.

  2. Click Start, click All Programs, point to Microsoft Office, and then click Microsoft Word 2007.

  3. In the new document, click the Microsoft Office button, click Save As, and then save the file as ADRMS-TST.docx to a location on adrms-clnt. This document will be uploaded to the SharePoint document library.

  4. In the open document, type This document is read-only. You cannot print it.

  5. Close Microsoft Office Word 2007.

  6. Click Start, point to All Programs, and then click Internet Explorer.

  7. In the address bar, type https://sps-srv/, and then click Go.

  8. Click Document Center, and then click Documents.

  9. Click Upload, click Upload Document, click Browse, locate and select ADRMS-TST.docx, and then click Open.

  10. Click OK to upload the file, and then click Check In.

To add external-sps.cpandl.com to the local intranet security zone

  1. Log on to adrms-clnt2 as Terrence Philip.

  2. Click Start, click All Programs, and then click Internet Explorer.

  3. Click Tools, and then click Internet Options.

  4. Click the Security tab, click Local intranet, and then click Sites.

  5. Click Advanced.

  6. In Add this website to the zone, type https://external-sps.cpandl.com, and then click Add.

  7. Click Close.

To use a partner client to download and open the document

  1. Log on to adrms-clnt2 as Terrence Philip.

  2. Click Start, click All Programs, and then click Internet Explorer.

  3. In the address bar, type https://external-sps.cpandl.com/, and then click Go.

  4. Click Document Center, and then click Documents.

  5. Click ADRMS-TST, and then click OK.

    The following message appears: "Permission to this document is currently restricted. Microsoft Office must connect to https://adrms-srv.cpandl.com/_wmcs/licensing to verify your credentials and download your permission."

  6. Click OK.

    The following message appears: "Verifying your credentials for opening content with restricted permissions."

  7. Click OK.

  8. In the full screen reading view message, click OK, and then click Close to close the full screen reading view.

  9. Click the Microsoft Office button.

    Note that the Print command is unavailable.

You have successfully deployed, integrated, and verified the functionality of AD RMS, AD FS, and Office SharePoint Server 2007 by using a simple scenario of uploading a Microsoft Office Word 2007 document to a SharePoint site. You can also use this deployment to explore some of the additional capabilities of AD RMS through further configuration and testing.