Assessing the Alternatives for Sharing Protected Documents Between Organizations

Applies To: Windows Server 2008, Windows Server 2008 R2

In most scenarios where you want to share protected content, more than one of the alternatives described might apply. Deciding which to use requires carefully balancing the provided functionality and implementation cost of each solution, as well as the constraints imposed by the environment.

The key factors to consider when making such a decision are:

  • Can each organization implement its own Active Directory Rights Management Services (AD RMS) infrastructure? Additionally, can the organizations exchange server certificates and private keys? If the answer to both questions is yes, a trusted publishing domain is often the most powerful and the simplest alternative to implement. On the other hand, if distributed AD RMS is possible but sharing private keys is not desired, a trusted user domain is most likely the best approach.

  • If a distributed AD RMS deployment across organizations or forests is not desired, AD FS is often an excellent solution, especially considering its applicability to other services, such as extranet access. Nevertheless, if group expansion or mobile device access is required, AD FS is unlikely to be a suitable option.

  • For a limited number of external users, using Windows Live ID accounts for those users can be the simplest option.

  • If the number of external users is large, federation cannot be implemented, and the external organization cannot implement its own AD RMS infrastructure, hosting the user accounts can be the best option. However, the cost of managing such accounts (for both the IT department and each user) must be considered.

The following table summarizes the different alternatives:

| Requirement | Trusted User Domains | Trusted Publishing Domains | Active Directory Rights Management Services with AD FS |
|---|---|---|---|
| Office IRM Protection: Document Protection | Supported | Supported | Supported |
| Office IRM Protection: Document Consumption | Supported | Supported | Supported |
| MOSS IRM usage: Document Protection (Server certification) | Supported | Supported | Supported when MOSS servers exist in the same forest as the AD RMS server |
| Windows Mobile 6 IRM | Supported | Supported | Not supported. Windows Mobile cannot be configured to use AD RMS with AD FS (from another forest) to activate, protect, or read protected documents. |
| XPS IRM Protection | Supported | Supported | Not supported. The XPS client included in the .NET Framework cannot locate Active Directory Rights Management Services with an AD FS server; the XPS Essentials client does not support applying protection. |
| XPS IRM Consumption | Supported | Supported | Partially supported. The XPS Essentials client can locate Active Directory Rights Management Services with AD FS; the .NET Framework client does not support AD FS. |
| IE RMA | Supported | Supported | Supported in the latest version of the RMA client; legacy RMA clients cannot locate Active Directory Rights Management Services with AD FS servers. |
| Group Expansion | Supported | Supported | Not supported |