
Step 4: Configuring ADRMS-SRV to Work with AD FS

Updated: October 1, 2012

Applies To: Windows Server 2008, Windows Server 2008 R2

Windows Server 2008 includes the option to install identity federation support for AD RMS as a role service through Server Manager. This step of the guide covers the following tasks:

The AD RMS service account must be able to generate security audit events when using AD FS.

  1. Log on to ADRMS-SRV with the cpandl\Administrator account.

  2. Click Start, point to Administrative Tools, and then click Local Security Policy.

  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  4. Expand Local Policies, and then click User Rights Assignment.

  5. Double-click Generate security audits.

  6. Click Add User or Group.

  7. Type cpandl\adrmssrvc, and then click OK.

  8. Click OK to close the Generate security audits properties sheet.
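The right granted in steps 1 to 8 can also be verified, and granted where missing, from a script. The following is an added example and is not part of the guide: it assumes an elevated PowerShell session on ADRMS-SRV, the service account name cpandl\adrmssrvc from step 7, and uses secedit to export and re-apply only the User Rights Assignment area of local policy (the SeAuditPrivilege entry is what the console shows as "Generate security audits").

```powershell
# Added example (not from the guide): confirm that the AD RMS service account holds the
# "Generate security audits" right (SeAuditPrivilege) in local policy, and grant it if not.
# Assumes an elevated session on ADRMS-SRV and the account name used in step 7.
$Account = 'cpandl\adrmssrvc'

# Resolve the account to its SID; secedit stores right holders as *SID entries.
$Sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export only the User Rights Assignment area of the effective local policy.
$Export = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $Export /areas USER_RIGHTS | Out-Null

# Exported line looks like:  SeAuditPrivilege = *S-1-5-19,*S-1-5-20
$Line = Get-Content $Export | Where-Object { $_ -match '^SeAuditPrivilege\s*=' }
$Holders = @()
if ($Line) { $Holders = @((($Line -split '=', 2)[1] -split ',') | ForEach-Object { $_.Trim() }) }

if ($Holders -contains "*$Sid" -or $Holders -contains $Account) {
    "$Account already holds SeAuditPrivilege"
} else {
    # Append the SID instead of replacing the list, so existing holders (LOCAL SERVICE,
    # NETWORK SERVICE) keep the right; dropping them would break other audit sources.
    $NewValue = ($Holders + "*$Sid") -join ','
    $Template = Join-Path $env:TEMP 'grant-audit-right.inf'
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeAuditPrivilege = $NewValue
"@ | Set-Content -Path $Template -Encoding Unicode
    # Apply the template to local policy; /areas limits the change to user rights.
    secedit /configure /db (Join-Path $env:TEMP 'grant-audit-right.sdb') /cfg $Template /areas USER_RIGHTS | Out-Null
    "Granted SeAuditPrivilege to $Account; holders now: $NewValue"
}
```

Re-running the export afterwards and checking that the SeAuditPrivilege line contains the account's SID is the quickest confirmation; a domain Group Policy that also defines this right will overwrite the local setting at the next refresh, so the right should be granted there instead if one applies to ADRMS-SRV.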

AD RMS-enabled clients consuming rights-protected content through a federated trust use the AD RMS extranet cluster URLs to create a rights account certificate.

Caution
The AD RMS cluster URLs must be added before the Identity Federation Support role service is added by using Server Manager. If the cluster URLs are not added, you must edit the web.config files in the certificationexternal and licensingexternal directories manually.

  1. Log on to ADRMS-SRV with the CPANDL\ADRMSADMIN account.

  2. Open the Active Directory Rights Management Services console. Click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.

  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  4. Right-click adrms-srv.cpandl.com, and then click Properties.

  5. Click the Cluster URLs tab, and then select the Extranet URLs check box.

  6. For Licensing, click https://, and then type adrms-srv.cpandl.com.

  7. For Certification, click https://, and then type adrms-srv.cpandl.com.

  8. Click OK.

Next, add the Identity Federation Support role service through Server Manager.

Note
When adding Identity Federation Support as a role service for your AD RMS server, the account used to install and run Server Manager must be granted one of the following as permissions within your AD RMS database deployment:

  • db_owner on the DRMS_Config database

  • sysadmin on the SQL Server installation hosting your AD RMS databases

  1. Log on to ADRMS-SRV with the CPANDL\ADRMSADMIN account.

  2. Click Start, point to Administrative Tools, and then click Server Manager.

  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  4. In the Roles Summary box, click Active Directory Rights Management Services, and then click Add Role Services.

  5. Select the Identity Federation Support check box. Ensure that the Claims-aware Agent is listed as a required role service, and then click Add Required Role Services.

  6. Click Next.

  7. On the Configure Identity Federation Support page, type adfs-resource.cpandl.com, click Validate, and then click Next.

  8. On the Introduction to AD FS page, click Next.

  9. On the AD FS Role Service page, confirm that Claims-aware Agent is selected, and then click Next.

  10. Click Install to add the Identity Federation Support role service to the ADRMS-SRV computer.

  11. Click Finish.

Once enabled, Identity Federation Support allows user accounts to use credentials established by a federated trust relationship through Active Directory Federation Services (AD FS) as a basis for obtaining a rights account certificate from an AD RMS cluster.

  1. Log on to ADRMS-SRV with the CPANDL\ADRMSADMIN account.

  2. Open the Active Directory Rights Management Services console and expand the AD RMS cluster.

  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  4. In the console tree, expand Trust Policies, and then click Federated Identity Support.

  5. In the Actions pane, click Enable Federated Identity Support.

  6. In the Actions pane, click Properties.

  7. On the Active Directory Federation Service Policies tab, in Federated Identity Certificate validity period, type 7. This is the number of days that federated rights account certificates are to be valid.

  8. Click OK.
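The three AD RMS procedures above depend on ordering: the extranet cluster URLs must exist before the Identity Federation Support role service is added (see the Caution), the installing account needs the database permission from the Note, and federated identity support is enabled only after the role service is in place. The following added example, which is not part of the guide or of AD RMS itself, wraps those checks in a function to run before the Server Manager wizard and a function to run after it. It assumes the AdRmsAdmin PowerShell provider shipped with AD RMS on Windows Server 2008 R2, the host names used in the guide, a placeholder SQL Server instance name, and the provider property names and paths marked [assumed], which it only sets when the provider actually exposes them.

```powershell
# Added example, not from the guide. Run on ADRMS-SRV as CPANDL\ADRMSADMIN.
# Invoke-PreWizardChecks  : before the Add Role Services wizard (Note + Caution prerequisites)
# Invoke-PostWizardConfig : after the wizard (verify role services, enable federated identity support)
# Everything tagged [assumed] is not in the guide and should be confirmed in your deployment.

$ClusterFqdn    = 'adrms-srv.cpandl.com'
$FederationFqdn = 'adfs-resource.cpandl.com'
$SqlInstance    = 'SQL-INSTANCE-PLACEHOLDER'   # [assumed] SQL Server hosting the AD RMS databases
$ConfigDatabase = 'DRMS_Config'                # name as given in the Note; adjust if your cluster's
                                               # configuration database is named differently

function Test-AdRmsDbPermission {
    # The Note requires db_owner on the configuration database OR sysadmin on the instance.
    # IS_MEMBER / IS_SRVROLEMEMBER evaluate for the Windows account that opened the connection.
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$SqlInstance;Database=$ConfigDatabase;Integrated Security=SSPI"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT ISNULL(IS_MEMBER('db_owner'),0) + ISNULL(IS_SRVROLEMEMBER('sysadmin'),0)"
        return ([int]$cmd.ExecuteScalar()) -gt 0
    } finally { $conn.Close() }
}

function Connect-AdRmsDrive {
    # AdRmsAdmin is the AD RMS PowerShell provider on Windows Server 2008 R2.
    Import-Module AdRmsAdmin
    if (-not (Get-PSDrive -Name AdRms -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name AdRms -PSProvider AdRmsAdmin -Root "https://$ClusterFqdn" | Out-Null
    }
}

function Set-PropertyIfPresent([string]$Path, [string]$Name, $Value) {
    # Property names passed in are [assumed]; set them only if the provider exposes them,
    # otherwise tell the admin to use the console steps from the guide for that setting.
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item -and $item.PSObject.Properties[$Name]) {
        Set-ItemProperty -Path $Path -Name $Name -Value $Value
        "$Path $Name = $Value"
    } else {
        Write-Warning "$Path does not expose '$Name'; set it in the AD RMS console instead."
    }
}

function Invoke-PreWizardChecks {
    if (-not (Test-AdRmsDbPermission)) {
        throw "Account lacks db_owner on $ConfigDatabase and sysadmin on $SqlInstance (see Note)."
    }
    # Caution: extranet URLs must exist before Identity Federation Support is added; otherwise the
    # web.config files in certificationexternal and licensingexternal need manual editing.
    Connect-AdRmsDrive
    Set-PropertyIfPresent 'AdRms:\' 'ExtranetLicensingUrl'     "https://$ClusterFqdn"   # [assumed] name
    Set-PropertyIfPresent 'AdRms:\' 'ExtranetCertificationUrl' "https://$ClusterFqdn"   # [assumed] name
    # Wizard step 7 validates the federation server name; fail early if it does not resolve.
    [System.Net.Dns]::GetHostAddresses($FederationFqdn) | Out-Null
    "Pre-wizard checks passed; run Add Role Services and enter $FederationFqdn at step 7."
}

function Invoke-PostWizardConfig {
    Import-Module ServerManager
    # ADRMS-Identity = Identity Federation Support, ADFS-Claims = Claims-aware Agent (step 5/9).
    foreach ($feature in 'ADRMS-Identity', 'ADFS-Claims') {
        if (-not (Get-WindowsFeature $feature).Installed) { throw "$feature is not installed." }
    }
    Connect-AdRmsDrive
    $fed = 'AdRms:\TrustPolicy\FederatedIdentitySupport'          # [assumed] provider path
    Set-PropertyIfPresent $fed 'IsEnabled' $true                   # [assumed] name: step 5, Enable Federated Identity Support
    Set-PropertyIfPresent $fed 'CertificateValidityPeriod' 7       # [assumed] name: step 7, validity in days
}

Invoke-PreWizardChecks
# ... run the Server Manager wizard (steps 1 to 11 above), then call:
# Invoke-PostWizardConfig
```

Where a property is reported as missing, complete that setting with the console steps given in the guide and confirm the actual names with Get-ItemProperty on the provider path. The seven-day validity period is a trade-off the guide sets deliberately: a shorter period limits how long a federated user keeps access after the trust or the account is revoked, at the cost of more frequent certificate renewal through the extranet URLs.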
