Step 9: Configure AD RMS for digitally protecting documents

Applies To: Active Directory Federation Services (AD FS) 2.0

In this step, we configure Active Directory Rights Management Services (AD RMS) for use in protecting selected documents that are stored in the documents library on the SharePoint site. As part of the setup for this lab, the AD RMS role is already installed on the CONTOSOSRV01 VM. In this step, you add role services and the Active Directory Federation Services (AD FS) Web Agent to enable AD RMS to support this scenario configuration.

Install the AD FS Web Agent

You can use the Add Roles Wizard to add the AD FS Web Agent (claims-aware agent only) on the CONTOSOSRV01 VM.

To install the AD FS Web Agent on ContosoSrv01

  1. Log on to the CONTOSOSRV01 computer as CONTOSO\Administrator with "demo!23" as the user password.

  2. To start the Add Roles Wizard, click Start, click Administrative Tools, click Server Manager, and then, in the right pane, click Add Roles.

  3. On the next page, click Active Directory Federation Services, and then click Next.

  4. On the next page that appears, click Next.

  5. On the next page that appears, click AD FS Web Agent. Select only the Claims-aware Agent check box, and then click Next.

  6. On the next page, click Install, and then click Close after the installation is complete.

Next, add the Identity Federation Support role service to the AD RMS role.

Install AD RMS Role Services

To install AD RMS Role Services on ContosoSrv01

  1. Remain logged on to the CONTOSOSRV01 computer as CONTOSO\Administrator with "demo!23" as the user password.

  2. Open Server Manager: click Start, click Administrative Tools, and then click Server Manager.

  3. In the Roles section, scroll down to Active Directory Rights Management Services, and then click Add Role Services.

  4. When the wizard opens, select Identity Federation Support, and then click Next.

  5. Type the federation server name. In this case, type sts1.contoso.com, and then click Validate.

  6. After the name is validated, click Next.

  7. On the next page, click Install.

  8. After the installation is complete, click Close.

Now that the role and role services are installed, enable federated identity support in AD RMS.

To enable federation support for the AD RMS role

  1. Remain logged on to the CONTOSOSRV01 computer as CONTOSO\Administrator with "demo!23" as the user password.

  2. Open the Active Directory Rights Management Services console: click Start, click Administrative Tools, and then click Active Directory Rights Management Services.

    The Active Directory Rights Management Services snap-in appears in Microsoft Management Console (Mmc.exe).

  3. Click Yes in the dialog box that appears.

  4. In the console tree, expand the server name (contososrv01), expand Trust Policies, right-click Federated Identity Support, and then click Enable Federated Identity Support.

Because AD RMS runs under a service account (adrmssrvc), that account must hold the Generate security audits user right (SeAuditPrivilege) so that it can write to the Security event log. In this lab the right is granted through the Default Domain Controllers Policy; that GPO is linked to the Domain Controllers OU, so it takes effect on CONTOSOSRV01 only because the lab's AD RMS server is a domain controller.

To allow the AD RMS service account to write to security audit logs

  1. Remain logged on to the CONTOSOSRV01 computer as CONTOSO\Administrator with "demo!23" as the user password.

  2. Open the Group Policy Management snap-in. Click Start, point to Administrative Tools, and then click Group Policy Management.

  3. In the console tree, expand Forest: Contoso.com, expand Domains, expand Contoso.com, expand Group Policy Objects, right-click Default Domain Controllers Policy, and then click Edit.

    The Group Policy Management Editor opens.

  4. In the console tree, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click User Rights Assignment.

  5. In the details pane, double-click Generate security audits.

    The Generate security audits Properties dialog box appears.

  6. Click Add user or groups, and then click Browse.

  7. In the Select Objects dialog box, type adrmssrvc, click Check Names, click OK, and then click OK again.

    The Generate security audits Properties dialog box should appear as shown in the following screen shot.

  8. Click OK to exit the dialog box.

So that the changes can take effect, refresh Group Policy on CONTOSOSRV01 and then restart IIS (a user right is evaluated when a process's token is created, so the AD RMS application pool must be restarted after the right is granted):

  • Click Start, right-click Command Prompt, and then click Run as Administrator.

  • At the command prompt, type gpupdate /force, and then press ENTER. When it completes, type iisreset, and then press ENTER. After the command runs, type exit, and then press ENTER to close the command prompt window.

We are now ready to integrate AD RMS with AD FS 2.0. In AD FS 2.0 we are going to add two relying parties. One relying party is for the AD RMS certificate service, and the other is for the AD RMS licensing service.

To add a relying party for the AD RMS certificate service

  1. Remain logged on to the CONTOSOSRV01 computer as CONTOSO\Administrator.

  2. Open the AD FS 2.0 Management console.

    On the Start menu, click All Programs, point to Administrative Tools, and then click AD FS 2.0 Management.

  3. In the console tree, click AD FS 2.0, and then, in the right pane under Actions, click Add Relying Party Trust.

    When the Add Relying Party Wizard opens, click Start.

  4. On the Select Data Source page, click Enter data about the relying party manually, and then click Next.

  5. On the Specify Display Name page, in Display name, type AD RMS Certification Service, and then click Next.

  6. On the Choose Profile page, click AD FS 1.0 and 1.1 profile, and then click Next.

  7. On the Configure URL page, for WS-Federation Passive URL, type https://adrms.contoso.com/_wmcs/certificationexternal/, and then click Next.

  8. On the Configure Identifiers page, click Next.

  9. On the Choose Issuance Authorization Rules page, keep the default option, Permit all users to access this relying party, selected, and then click Next.

  10. On the next page, click Next.

  11. On the Finish page, click Close.

    This opens the Rules Editor. The AD RMS Certification Service expects the e-mail address of the user.

Now we create three rules. The first rule takes the user's e-mail address from the Active Directory (LDAP) attribute store and issues it as an AD FS 1.x E-Mail Address claim. The second rule transforms an incoming E-Mail Address claim (for example, one issued by the Fabrikam STS for a federated user) into an AD FS 1.x E-Mail Address claim. The third rule transforms the AD FS 1.x E-Mail Address claim into a Name ID claim in e-mail format, which is the identifier the AD RMS services use for the user.

To update policy to process e-mail claims for the AD RMS Certification Service

  1. In the Rules Editor, click Add Rule. In the new window that appears, select Send LDAP Attributes as Claims, and then click Next.

  2. For the Claim rule name, type Email as AD FS 1.x Email. For Attribute store, select Active Directory. In LDAP attribute, select E-Mail-Addresses; and in Outgoing Claim Type, select AD FS 1.x E-Mail Address. Click Finish.

  3. For the second rule, click Add Rule. In the new window that appears, select Transform an Incoming Claim, and then click Next.

  4. For the Claim rule name, type Transform incoming Email to AD FS 1.x Email. For Incoming claim type, select E-Mail Address; and in Outgoing claim type, select AD FS 1.x E-Mail Address and then click Finish. Click Yes in the dialog box that appears.

  5. For the third rule, click Add Rule. In the new window that appears, select Transform an Incoming Claim, and then click Next.

  6. For the Claim rule name, type Transform AD FS 1.x Email to Name Identifier. For Incoming claim type, select AD FS 1.x E-Mail Address; and in Outgoing claim type, select Name ID, and in Outgoing name ID format, select Email, and then click Finish. Click Yes in the dialog box that appears.

  7. Click OK to exit the Rules Editor.

To add the AD RMS Licensing Service, repeat the same steps that you completed to add the certification service, except give it a friendly name of AD RMS Licensing Service and enter the URL as https://adrms.contoso.com/_wmcs/licensingexternal/.

To add a relying party for the AD RMS Licensing Service

  1. Remain logged on to the CONTOSOSRV01 computer as CONTOSO\Administrator.

  2. Open the AD FS 2.0 Management console.

    On the Start menu, point to Administrative Tools, and then click AD FS 2.0 Management.

  3. In the console tree, click AD FS 2.0, and then, in the right pane under Actions, click Add Relying Party Trust.

  4. When the Add Relying Party Wizard opens, click Start.

  5. On the Select Data Source page, click Enter data about the relying party manually, and then click Next.

  6. On the Specify Display Name page, in Display name, type AD RMS Licensing Service, and then click Next.

  7. On the Choose Profile page, click AD FS 1.0 and 1.1 profile, and then click Next.

  8. On the Configure URL page, in WS-Federation Passive URL, type https://adrms.contoso.com/_wmcs/licensingexternal/, and then click Next.

  9. On the Configure Identifiers page, click Next.

  10. On the Choose Issuance Authorization Rules page, keep the default option, Permit all users to access this relying party, selected, and then click Next.

  11. Click Next, and then click Close.

    Clicking Close starts the Rules Editor.

As in the previous procedure, add the same three rules:

  1. In the first rule, send the E-Mail-Addresses LDAP attribute from the Active Directory attribute store as an AD FS 1.x E-Mail Address claim.

  2. In the second rule, transform the incoming E-Mail Address claim into an outgoing AD FS 1.x E-Mail Address claim.

  3. In the third rule, transform the AD FS 1.x E-Mail Address claim into a Name ID claim with the Email name ID format.
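The two relying party procedures above (certification service and licensing service) differ only in display name and URL, so the whole configuration can be scripted. The following is an added example, not part of the original lab, using the AD FS 2.0 Windows PowerShell snap-in on CONTOSOSRV01. It spells out the claim rule language that the Rules Editor generates for the three rules, which is useful for review and for checking what an existing trust actually issues. Assumptions: the wizard's "AD FS 1.0 and 1.1 profile" choice is taken to correspond to -ProtocolProfile WsFederation, and the WS-Federation passive URL is reused as the relying party identifier, as the wizard does by default.

```powershell
# Added example (not from the original lab): create both AD RMS relying party
# trusts with the three claim rules from the procedures above.
# Run on CONTOSOSRV01 in an elevated Windows PowerShell session.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop

# Claim type URIs behind the friendly names shown in the Rules Editor.
$AdfsEmail   = 'http://schemas.xmlsoap.org/claims/EmailAddress'                        # "AD FS 1.x E-Mail Address"
$Email       = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'   # "E-Mail Address"
$NameId      = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier' # "Name ID"
$NameIdFmt   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format'
$EmailFormat = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'               # "Email" name ID format
$WinAccount  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'

# The same issuance transform rules are attached to both relying parties.
$transformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Email as AD FS 1.x Email"
c:[Type == "$WinAccount", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$AdfsEmail"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Transform incoming Email to AD FS 1.x Email"
c:[Type == "$Email"]
 => issue(Type = "$AdfsEmail", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

@RuleTemplate = "MapClaims"
@RuleName = "Transform AD FS 1.x Email to Name Identifier"
c:[Type == "$AdfsEmail"]
 => issue(Type = "$NameId", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["$NameIdFmt"] = "$EmailFormat");
"@

# "Permit all users to access this relying party".
$authzRules = @"
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

$relyingParties = @(
    @{ Name = 'AD RMS Certification Service'; Url = 'https://adrms.contoso.com/_wmcs/certificationexternal/' },
    @{ Name = 'AD RMS Licensing Service';     Url = 'https://adrms.contoso.com/_wmcs/licensingexternal/' }
)

foreach ($rp in $relyingParties) {
    if (Get-ADFSRelyingPartyTrust -Name $rp.Name) {
        Write-Warning "Relying party '$($rp.Name)' already exists; skipping."
        continue
    }
    Add-ADFSRelyingPartyTrust -Name $rp.Name `
        -Identifier $rp.Url `
        -WSFedEndpoint $rp.Url `
        -ProtocolProfile WsFederation `
        -IssuanceTransformRules $transformRules `
        -IssuanceAuthorizationRules $authzRules
}

# Check: each trust should carry the three transform rules and the permit-all rule.
Get-ADFSRelyingPartyTrust | Where-Object { $_.Name -like 'AD RMS *' } |
    Select-Object Name, Identifier, WSFedEndpoint, IssuanceTransformRules, IssuanceAuthorizationRules
```

The second rule is the one that matters for the cross-forest case: a Fabrikam user never exists in Contoso's Active Directory, so the LDAP rule issues nothing for them and only the transform of the incoming E-Mail Address claim produces the AD FS 1.x claim that the third rule turns into the Name ID.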

Now that we have configured AD RMS server with AD FS 2.0 server, we have to configure AD RMS to work with SharePoint.

To configure AD RMS service for the SharePoint site

  1. Log on to ContosoSrv01 with Administrator credentials.

  2. Open Windows Explorer and navigate to the AD RMS certification virtual directory under the IIS web root. By default, the folder path is c:\Inetpub\wwwroot\_wmcs\Certification.

  3. Right-click the ServerCertification.asmx file, and then click Properties.

  4. On the Security tab, click Edit. In the dialog box that appears, click Add.

  5. In the Enter the object names to select field, type AD RMS Service Group, and then click OK.

  6. In the Permissions lists for AD RMS Service Group, select the Allow check box for both Read and Read & Execute permissions.

  7. To add the CONTOSOSRV02 computer account to the permissions list, click Add.

  8. Click Object Types, select the Computers check box, and then click OK.

  9. Type ContosoSrv02, click Check Names, and then click OK. The default permissions granted to a newly added principal (Read & Execute and Read) are sufficient.

  10. Click OK, and then click OK again to close the Properties dialog box.

  11. Click Start, right-click Command Prompt, and then click Run as Administrator.

  12. Type iisreset, and then press ENTER so that the AD RMS application pool picks up the new permissions.
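The ACL change above can be made without the Properties dialog. The following is an added example, not part of the original lab, that grants the same two entries on CONTOSOSRV01 with Get-Acl/Set-Acl and reads them back before recycling IIS. It assumes the default path for the certification virtual directory and that the SharePoint server's computer account is CONTOSO\CONTOSOSRV02$ (computer accounts carry a trailing $ when named in an ACL).

```powershell
# Added example (not from the original lab): grant the ACL entries that the
# procedure above sets through the file Properties dialog, then recycle IIS.
# Run on CONTOSOSRV01 in an elevated Windows PowerShell session.
$asmx = 'C:\Inetpub\wwwroot\_wmcs\Certification\ServerCertification.asmx'   # assumed default path

if (-not (Test-Path $asmx)) { throw "ServerCertification.asmx not found at $asmx" }

# Read & Execute already implies Read; both are listed so the ACE matches the dialog exactly.
$rights = [System.Security.AccessControl.FileSystemRights]'Read, ReadAndExecute'
$allow  = [System.Security.AccessControl.AccessControlType]::Allow
$principals = @('CONTOSO\AD RMS Service Group', 'CONTOSO\CONTOSOSRV02$')     # assumed names

$acl = Get-Acl -Path $asmx
foreach ($p in $principals) {
    $id = New-Object System.Security.Principal.NTAccount($p)
    # Fail early if the name does not resolve (typo, or the computer account lives in another domain).
    $null = $id.Translate([System.Security.Principal.SecurityIdentifier])
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, $rights, $allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $asmx -AclObject $acl

# Check: both principals should now appear with Read, ReadAndExecute / Allow.
(Get-Acl -Path $asmx).Access |
    Where-Object { $principals -contains $_.IdentityReference.Value } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType

# The ACL is evaluated when the application pool opens the file, so restart IIS as the procedure does.
iisreset
```

The Translate call is the equivalent of clicking Check Names: it resolves the account to a SID before any ACE is written, so a mistyped name fails loudly instead of leaving an unresolved entry in the ACL.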

Before we try out the scenario, two more changes are needed on the SharePoint side. First, the SharePoint server must know where the AD RMS server is. Second, the SharePoint site must be configured so that any document leaving the chosen document library is automatically rights-protected for the user who downloads it.

To point the SharePoint server at the AD RMS server, we log in to the SharePoint Central Administration Web site.

To configure the SharePoint server to use AD RMS to automatically rights-protect the document in the library

  1. Log on to the CONTOSOSRV02 computer as CONTOSO\Administrator with the password "demo!23".

  2. Click Start, click Administrative Tools, and then click SharePoint 3.0 Central Administration. In the Central Administration site, click Operations under Central Administration.

  3. On the Operations page, under Security Configuration, click Information Rights Management.

  4. On the Information Rights Management page, verify that the Use the default RMS server specified in Active Directory option is selected and that there are no warnings around it.

  5. Click OK to save your changes.

Now that we have configured AD RMS to work with the SharePoint server on CONTOSOSRV02, we will configure one of the document libraries on the SharePoint site at https://docs.contoso.com to be rights-protected. The level of protection will be configured in such a way that any document that is downloaded from the protected document library will be restricted based on the e-mail address of the user who is downloading it.

To configure AD RMS-based protection on a document library on the SharePoint site

  1. Remain logged on to the CONTOSOSRV02 computer as CONTOSO\Administrator, and close any previously opened browser windows.

  2. Open a new Internet Explorer window, browse to https://docs.contoso.com, and then sign in using administrator credentials.

  3. After you are authenticated with the Contoso STS, you are back at the SharePoint site. Click the Document Center link in the top right side of the site, as shown in the following screen shot.

  4. On the Document Center page, click the Documents link in the left column. This is the document library that we are going to protect with AD RMS.

  5. On the Documents page, click Settings, and then click Document Library Settings.

  6. On the Customize Documents page, click Information Rights Management.

  7. On the Information Rights Management Settings page, select the Restrict permission to documents in this library on download check box. In Permission policy title, type Contoso Confidential Document, and in Permission policy description, type Federated Document as shown in the following screen shot. Click OK when you are finished making these changes.

At this point, we have successfully configured the SharePoint site with AD RMS. We have also configured one of the document libraries to automatically use Information Rights Management when a user downloads a document from the site.

In the RMS scenario, the token passed from the Fabrikam AD FS server to the Contoso AD FS server is chunked and transferred through HTTP redirects carried by the client. The WinINet stack used by the AD RMS client stops following a chain after a fixed number of redirects, and an encrypted token is large enough to need more than five. To demonstrate this scenario we therefore disable token encryption between the two servers. For the lab this is acceptable because the token travels over an SSL-protected channel and is still signed by the Fabrikam STS, so it cannot be altered in transit. Note, however, that without encryption the claims in the token are readable by the relaying client and by anything that terminates SSL on the path, so treat this as a lab setting rather than a production configuration.

To disable the token encryption between Fabrikam and Contoso AD FS 2.0 servers

  1. Log on to FabrikamSrv01 server with administrator credentials.

  2. Open the AD FS 2.0 Management console: click Start, click Administrative Tools, and then click AD FS 2.0 Management.

  3. In the left-hand column, under AD FS 2.0, double-click Trust Relationships, and then click Relying Party Trusts.

  4. In Relying Party Trusts, right-click Contoso STS, and then click Properties.

  5. In the Properties dialog box, on the Monitoring tab, clear Monitor this relying party's federation metadata for changes, and then click Apply. (If monitoring were left on, the next metadata poll would re-import Contoso's encryption certificate.)

  6. On the Encryption tab, click Remove. In the dialog box that appears, click Yes, and then click OK.
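The same two changes, made with the AD FS 2.0 snap-in on FabrikamSrv01 and followed by a read-back, as an added example that is not part of the original lab. It assumes the relying party trust is named "Contoso STS" exactly as above, and that passing $null to -EncryptionCertificate clears the certificate in the same way as the Remove button.

```powershell
# Added example (not from the original lab): disable metadata monitoring and
# remove the token encryption certificate for the Contoso STS relying party.
# Run on FABRIKAMSRV01 in an elevated Windows PowerShell session.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop

$rpName = 'Contoso STS'
$rp = Get-ADFSRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found" }

# 1. Stop monitoring and auto-update first; otherwise the next metadata poll
#    would silently restore the encryption certificate we are about to remove.
Set-ADFSRelyingPartyTrust -TargetName $rpName -MonitoringEnabled $false -AutoUpdateEnabled $false

# 2. Remove the encryption certificate (assumed equivalent of the Remove button).
#    Tokens for this relying party are then issued unencrypted but still signed.
Set-ADFSRelyingPartyTrust -TargetName $rpName -EncryptionCertificate $null

# Check: monitoring off and no encryption certificate left on the trust.
Get-ADFSRelyingPartyTrust -Name $rpName |
    Select-Object Name, MonitoringEnabled, AutoUpdateEnabled,
        @{ n = 'EncryptionCertificate'; e = {
            if ($_.EncryptionCertificate) { $_.EncryptionCertificate.Thumbprint } else { '(none)' } } }
```

Keep the output of the last command: when the lab is torn down or the configuration is promoted, re-enabling monitoring is the quickest way to get the encryption certificate back from Contoso's federation metadata.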

We now need to add registry keys on the Fabrikam client computer (FABRIKAMSRV02) so that the AD RMS client knows which identity provider to use when it authenticates to the AD RMS server at Contoso Pharmaceuticals (CONTOSOSRV01) based on the e-mail address of the user who is downloading the document.

To configure the Fabrikam client computer to be able to find and use the Contoso AD RMS server

  1. Log on to the FABRIKAMSRV02 computer as FABRIKAM\Administrator with "demo!23" for the password.

  2. Open the Registry Editor. Click Start, click Run, type regedit, and then click OK. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft key, and then select it.

Note

For a 32-bit operating system, skip the Wow6432Node part of the registry key path.

  3. On the Edit menu, point to New, and then click Key to create a new registry key. Name the new key MSDRM.

  4. Under the MSDRM key, create another new key: with MSDRM selected, on the Edit menu, point to New, click Key, and name the new key federation.

  5. Under the federation key, create a new value of String (REG_SZ) type. For the Name, use FederationHomeRealm, and for Value use https://sts2.fabrikam.com/adfs/services/trust. The result should look like the following screen shot.
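The registry procedure above, as an added example that is not part of the original lab, scripted so that it picks the Wow6432Node path on a 64-bit operating system and the plain path on a 32-bit one (the case the note covers), and reads the value back through the same path the AD RMS client will use. It assumes the same FederationHomeRealm URL as the lab and is intended to run from the 64-bit PowerShell host on a 64-bit OS.

```powershell
# Added example (not from the original lab): create MSDRM\federation and the
# FederationHomeRealm value on the Fabrikam client (FABRIKAMSRV02).
# Run in an elevated Windows PowerShell session (64-bit host on a 64-bit OS).
$homeRealm = 'https://sts2.fabrikam.com/adfs/services/trust'   # same STS URL as the lab

# PROCESSOR_ARCHITEW6432 exists only for a 32-bit process on 64-bit Windows,
# so either test tells us we are on a 64-bit OS.
$is64BitOS = ($env:PROCESSOR_ARCHITECTURE -ne 'x86') -or ($env:PROCESSOR_ARCHITEW6432 -ne $null)
$base = if ($is64BitOS) { 'HKLM:\SOFTWARE\Wow6432Node\Microsoft' } else { 'HKLM:\SOFTWARE\Microsoft' }
$key  = Join-Path $base 'MSDRM\federation'

# New-Item -Force creates MSDRM and federation in one go and is harmless if they already exist.
$null = New-Item -Path $key -Force
Set-ItemProperty -Path $key -Name 'FederationHomeRealm' -Value $homeRealm -Type String

# Check: read the value back; a mismatch here means the client would look at the wrong STS.
$actual = (Get-ItemProperty -Path $key -Name 'FederationHomeRealm').FederationHomeRealm
if ($actual -ne $homeRealm) { throw "FederationHomeRealm is '$actual', expected '$homeRealm'" }
"FederationHomeRealm set under $key"
```

The value must be the Fabrikam STS (the user's home realm), not the Contoso STS: the AD RMS client authenticates at home first and presents the resulting token to Contoso, which is why the e-mail claim rules on the Contoso side have to accept an incoming E-Mail Address claim.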

To have a Fabrikam user test AD RMS protection for protected document library on the Contoso SharePoint site

  1. Log off the FABRIKAMSRV02 computer as FABRIKAM\Administrator.

  2. Log back on as FABRIKAM\frankm with "demo!23" as the password.

  3. Open a new Internet Explorer window, browse to https://docs.contoso.com, and sign in to the site.

  4. After you are signed in at the SharePoint site, navigate to the Documents library that we protected in the previous procedure.

  5. In the Documents library page, click the link to the Contoso – Statement of General Terms document.

  6. Observe the document as it opens in Microsoft Office Word. In Word, click View Permissions to show that the document is rights protected and cannot be edited, copied, printed, saved, accessed programmatically, or otherwise fully controlled by the user (FrankM). This is because in the SharePoint library settings we did not give anyone permissions to perform these actions on the document when we modified the security settings previously in this step.