Configuring Federated Identity Support Settings

Updated: October 22, 2009

Applies To: Windows Server 2008 R2, Windows Server 2008 R2 with SP1

Once enabled and configured, federated identity support allows user accounts to use credentials established by a federated trust relationship through Active Directory Federation Services (AD FS) as a basis for obtaining a rights account certificate (RAC) from an Active Directory Rights Management Services (AD RMS) cluster. This is an alternative to setting up trusted publishing domains or trusted user domains between entities that have previously established trust infrastructures, such that in most cases the cluster is supporting both users that are inside of the organization and users from a partner organization.

When rights account certificates (RACs) are issued from a federated identity, the standard rights account certificate validity period does not apply. Instead, the RAC validity period is specified in the CertificateValidityPeriod property of the \TrustPolicy\FederatedIdentitySupport container. Users with federated identities do not use temporary rights account certificates.

By default, federated trust relationships are not transitive. When a federated trust relationship is established between two organizations, any AD RMS trusted user domains that are established in either organization are not automatically trusted by the other organization. However, when you are importing a trusted user domain, there is an option to trust federated users of the imported domain.

Great care should be taken when allowing proxy addresses through a federated trust. If proxy addresses through federation are allowed, it is possible for a malicious user to spoof an authorized user's credentials and access the user's rights-protected content. If proxy addresses through federation are a requirement of your organization, you should implement a claims transformation module that examines the proxy address presented by a federated user and makes sure that it matches the forest in which the request originated. The option to allow a proxy address from a federated user is turned off by default.

Note

Before you can enable and configure federated identity support, you must first add the support to the AD RMS cluster configuration. For more information, see Adding or Removing Federated Identity Support.

Membership in the local AD RMS Enterprise Administrators, or equivalent, is the minimum required to complete this procedure.

To enable and configure federated identity support settings

  1. To enable federated identity support, at the Windows PowerShell command prompt, type:

    Set-ItemProperty -Path <drive>:\TrustPolicy\FederatedIdentitySupport -Name IsEnabled -Value $true

    where <drive> is the name of the Windows PowerShell drive.

  2. To set the federated identity certificate validity period, at the Windows PowerShell command prompt, type:

    Set-ItemProperty -Path <drive>:\TrustPolicy\FederatedIdentitySupport -Name CertificateValidityPeriodInDays -Value <number_days>

    where <drive> is the name of the Windows PowerShell drive and <number_days> is the number of days that federated rights account certificates will remain valid.

  3. To set the federated identity certificate service URL, at the Windows PowerShell command prompt, type:

    Set-ItemProperty -Path <drive>:\TrustPolicy\FederatedIdentitySupport -Name CertificateServiceUrl -Value <certservice_url>

    where <drive> is the name of the Windows PowerShell drive and <certservice_url> is the address of the certificate service on the root cluster that will provide RACs to external users. For example, for a Windows PowerShell drive named Z, to set the federated identity certificate service URL to point to a server named external.contoso.com, type:

    Set-ItemProperty -Path Z:\TrustPolicy\FederatedIdentitySupport -Name CertificateServiceUrl -Value https://external.contoso.com/_wmcs/certification

  4. To allow proxy e-mail addresses to consume rights-protected content, at the Windows PowerShell command prompt, type:

    Set-ItemProperty -Path <drive>:\TrustPolicy\FederatedIdentitySupport -Name IsProxyEmailAddressAllowed -Value $true

    where <drive> is the name of the Windows PowerShell drive.
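The four steps above, combined into one script that applies the settings and then reads them back for verification. This is an added example, not part of the original procedure or of the AD RMS product documentation. The drive name Z, the cluster address https://rms.contoso.com, the 30-day validity period and the certification URL are illustrative assumptions; the script also assumes the AdRmsAdmin module is installed and that Get-ItemProperty on the provider path returns the same property names used by Set-ItemProperty. Step 4 is intentionally left at its default (proxy addresses disallowed), matching the caution given earlier on this page.

```powershell
# Added example: enable and verify AD RMS federated identity support.
# Assumed values (not from the page): drive name, cluster URL, validity period.
Import-Module AdRmsAdmin

$DriveName    = 'Z'                                  # assumed PowerShell drive name
$ClusterUrl   = 'https://rms.contoso.com'            # assumed AD RMS cluster address
$CertUrl      = 'https://external.contoso.com/_wmcs/certification'
$ValidityDays = 30                                   # assumed RAC validity period

# Map the AD RMS administration provider as a PowerShell drive if it is not already mapped.
if (-not (Get-PSDrive -Name $DriveName -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $DriveName -PSProvider AdRmsAdmin -Root $ClusterUrl | Out-Null
}

$FedPath = "${DriveName}:\TrustPolicy\FederatedIdentitySupport"

# Steps 1 to 3: enable support, set the RAC validity period, set the certification URL.
Set-ItemProperty -Path $FedPath -Name IsEnabled -Value $true
Set-ItemProperty -Path $FedPath -Name CertificateValidityPeriodInDays -Value $ValidityDays
Set-ItemProperty -Path $FedPath -Name CertificateServiceUrl -Value $CertUrl

# Step 4 is deliberately kept at the default: proxy e-mail addresses stay disallowed
# unless a claims transformation module validates them against the originating forest.
Set-ItemProperty -Path $FedPath -Name IsProxyEmailAddressAllowed -Value $false

# Read the settings back and surface anything a reviewer would want to see.
$Settings = Get-ItemProperty -Path $FedPath
$Settings | Format-List IsEnabled, CertificateValidityPeriodInDays, CertificateServiceUrl, IsProxyEmailAddressAllowed

if ($Settings.IsProxyEmailAddressAllowed) {
    Write-Warning 'Proxy e-mail addresses are allowed through federation; a claims transformation module must validate them.'
}
if ($Settings.CertificateServiceUrl -notmatch '^https://') {
    Write-Warning 'CertificateServiceUrl is not an HTTPS address.'
}
```

Run the script from a Windows PowerShell session on a member of the AD RMS Enterprise Administrators group; the final Format-List output is the record to keep for change review, and the two warnings flag the conditions that weaken the trust boundary.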

See Also

Concepts

Using Windows PowerShell to Administer AD RMS
Understanding the AD RMS Administration Provider Namespace
Establishing Trust Policies

Other Resources

Understanding AD RMS Trust Policies
Configuring AD RMS Across Forests