
Using Federated AD RMS with SharePoint Server 2007

Updated: August 1, 2009

Applies To: Windows Server 2008, Windows Server 2008 R2

Microsoft Office SharePoint Server 2007 together with federated Active Directory Rights Management Services (AD RMS) provides a secure, efficient and easy-to-use means to collaborate within an organization and with external partners. Office SharePoint Server supports the automatic application of information protection policies to documents that are downloaded from a SharePoint document library. When combined with Active Directory Federation Services (AD FS), this allows a company to publish documents in a SharePoint library and keep control of who can access those documents and how they can use them, and this control extends even to users from other companies without the requirement to provision accounts for those users.

When a document is downloaded from an IRM-enabled SharePoint Server 2007 document library or list, it is automatically protected by AD RMS, and as part of that protection, the document can only be uploaded back to the same location. This is to guarantee that the same permissions are applied on any subsequent downloads and to prevent changing or removing the permissions on the document by uploading it to a library that is not enabled for IRM.

The interchange of AD RMS-protected documents and documents stored in Office SharePoint Server (including AD RMS-protected SharePoint libraries) is greatly facilitated by AD FS integration in Office SharePoint Server 2007 and Windows Server 2008 AD RMS. This integration provides the following benefits:

  • Organizations can use a federation trust with external entities.

  • Credentials and user attributes are managed in the “home realm” by the partner organization.

  • It reduces issues around provisioning accounts for external users in the organization’s directory.

  • Identity lifecycle management is put in the hands of the user’s “home realm”, where it belongs.

  • It provides a collaboration solution that goes beyond a “point solution” for AD RMS: the same federation trust can be used for SharePoint and extended to other applications.

This section discusses how to configure AD FS and Office SharePoint Server together in a test environment to consume content that is rights-protected by AD RMS. Specifically, this guide shows you how to consume rights-protected content from an Office SharePoint Server 2007 document library through a federated trust.

After completing the tasks in this section, you will have a working AD RMS and Office SharePoint Server 2007 infrastructure with federation support. You can then test and verify the functionality by performing these actions:

  • Create a document in the source (cpandl.com) domain.

  • Upload the document to a rights-protected document library.

  • Have an authorized user in the partner organization domain (treyresearch.net) open and work with the document.

In this section, you will extend the test environment that you configured in the previous section to include federated support for Office SharePoint Server 2007. In addition to the computers configured in that section, you must also configure a server named sps-srv running Windows Server 2008 and Office SharePoint Server 2007 and add it to the cpandl.com domain.

The following diagram shows the configuration of the test environment for this section:

[Diagram: test environment for federated AD RMS with Office SharePoint Server 2007 (image not included)]

Creating this configuration requires three tasks: enabling AD FS to work with Office SharePoint Server, configuring Office SharePoint Server to accept federated identities from AD FS, and verifying that AD RMS works with AD FS and Office SharePoint Server.

To enable AD FS to work with Office SharePoint Server, first add the AD FS claims-aware agent role service to the SharePoint server (sps-srv). Next, create the external SharePoint site and add a DNS host (A) record to the cpandl.com domain to enable external federated users to access the SharePoint Web site. Finally, add the external SharePoint Web site as a claims-aware application on the AD FS resource partner server (adfs-resource) before you add any users to the document library.

To complete this task, you must perform the following procedures:

  1. To add the claims-aware agent role service

  2. To add a host (A) record for the Office SharePoint server

  3. To add a claims-aware application

To add the claims-aware agent role service

  1. Log on to the SharePoint server (sps-srv) as a member of the local Administrators group.

  2. Click Start, point to Administrative Tools, and then click Server Manager.

  3. In Server Manager, click Roles, and then click Add Roles.

  4. In the Add Roles wizard, click Next.

  5. On the Select Server Roles page, select Active Directory Federation Services Role, and then click Next.

  6. On the Active Directory Federation Services (AD FS) page, click Next.

  7. On the Select Role Services page, select Claims-aware Agent, and then click Next.

  8. On the Confirm Installation Selections page, click Install.

To add a host (A) record for the Office SharePoint server

  1. Log on to the cpandl.com domain controller (cpandl-dc) as a member of the Domain Admins group.

  2. Click Start, point to Administrative Tools, and then click Server Manager.

  3. In the console tree, expand Roles, expand DNS Server, expand DNS, and then expand cpandl.com.

  4. Expand Forward Lookup Zones, right-click cpandl.com, and then click New Host (A or AAAA).

  5. In Name, type external-sps.

  6. In IP Address, type the IP address of the external SharePoint Web site, and then click Add Host.

To add a claims-aware application

  1. Log on to adfs-resource as a member of the local Administrators group.

  2. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  3. Expand Federation Services, expand Trust Policy, and then expand My Organization.

  4. Right-click Applications, point to New, and then click Application.

  5. On the Welcome to the Add Application Wizard page, click Next.

  6. Click Claims-aware application, and then click Next.

  7. In Application display name, type External SharePoint Web site.

  8. In Application URL, type https://external-sps.cpandl.com, and then click Next.

  9. Select the E-mail check box only, and then click Next.

  10. Select Enable this application, and then click Next.

  11. Click Finish.

You should see the following mapping on the AD FS server:

[Screenshot: claim mapping for the External SharePoint Web site application on adfs-resource (image not included)]

After configuring AD FS to work with Office SharePoint Server, you must also configure Office SharePoint Server to accept federated identities from AD FS. To complete this task, you must perform the following procedures:

  1. To extend the internal Office SharePoint Server Web site

  2. To add a secure sockets layer (SSL) certificate to the external Web site

  3. To configure the authentication provider on the external Web site

  4. To edit the web.config file on the internal Web site

  5. To edit the web.config file on the external Web site

  6. To add a partner user to the default document library

Before performing this task, you must obtain and install an SSL certificate with the Common Name set to external-sps.cpandl.com.

To extend the internal Office SharePoint Server Web site

  1. Log on to the SharePoint server (sps-srv) as a member of the local Administrators group.

  2. Click Start, point to Administrative Tools, and then click SharePoint 3.0 Central Administration.

  3. Click Application Management, click Create or Extend Web application, and then click Extend an existing Web application.

  4. In Web Application, select Change Web Application, and then click http://sps-srv.

  5. Click Create a new IIS Web site, and then in Description, type External Users Web site.

  6. In the Port box, type 443.

  7. In the Host header box, type the external name of the site: external-sps.cpandl.com.

  8. Under Secure Sockets Layer (SSL), click Yes.

  9. In URL, type https://external-sps.cpandl.com.

  10. In the Zone box, click Extranet.

  11. Click OK.

  12. Click Operations.

  13. Under Global Configuration, click Alternate access mappings.

  14. Verify that https://external-sps.cpandl.com is shown and that the zone is configured for extranet.

To add a secure sockets layer (SSL) certificate to the external Web site

  1. Log on to the SharePoint server (sps-srv) as a member of the local Administrators group.

  2. Click Start, point to Administrative Tools, and then click Internet Information Service (IIS) Manager.

  3. In the console tree, expand sps-srv, expand Sites, and then click External Users Web site.

  4. In the Actions pane, under Edit Site, click Bindings.

  5. In the Site Bindings dialog box list, click https, and then click Edit.

  6. In the SSL certificate, select external-sps.cpandl.com, and then click OK.

  7. In the Site Bindings dialog box, click Close.

To configure the authentication provider on the external Web site

  1. Log on to the SharePoint server (sps-srv) as a member of the local Administrators group.

  2. Click Start, point to Administrative Tools, and then click SharePoint 3.0 Central Administration.

  3. Click Application Management.

  4. Under Application Security, click Authentication providers.

  5. In Web application, click Change Web Application, and then click SharePoint - 80.

  6. Click Extranet.

  7. Under Authentication Type, click Web single sign on.

  8. In Membership provider name, type SingleSignOnMembershipProvider2.

  9. In Role manager name, type SingleSignOnRoleProvider2.

  10. Under Enable client integration, click No, and then click Save.

To edit the web.config file on the internal Web site

  1. Log on to the SharePoint server (sps-srv) as a member of the local Administrators group.

  2. Click Start, right-click Command Prompt, and then click Run as Administrator.

  3. At the command prompt, type:

    cd C:\inetpub\wwwroot\wss\VirtualDirectories\80

    notepad web.config

  4. Add the following text under the line <authentication mode="Windows" />:

    <membership>
      <providers>
        <add name="SingleSignOnMembershipProvider2" type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" fs="https://adfs-resource.cpandl.com/adfs/fs/federationserverservice.asmx" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
      <providers>
        <remove name="AspNetSqlRoleProvider" />
        <add name="SingleSignOnRoleProvider2" type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" fs="https://adfs-resource.cpandl.com/adfs/fs/federationserverservice.asmx" />
      </providers>
    </roleManager>

  5. Click File, click Exit, and then click Save.

  6. At the command prompt, type:

    iisreset

To edit the web.config file on the external Web site

  1. Log on to the SharePoint server (sps-srv) as a member of the local Administrators group.

  2. Click Start, right-click Command Prompt, and then click Run as Administrator.

  3. At the command prompt, type:

    cd C:\inetpub\wwwroot\wss\VirtualDirectories\external-sps.cpandl.com443

    notepad web.config

  4. Add the following text in the <configSections> node:

    <sectionGroup name="system.web">
      <section name="websso" type="System.Web.Security.SingleSignOn.WebSsoConfigurationHandler, System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" />
    </sectionGroup>

  5. Add the following as the last entry in the <httpModules> node:

    <add name="Identity Federation Services Application Authentication Module" type="System.Web.Security.SingleSignOn.WebSsoAuthenticationModule, System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" />

  6. Add the following under the line that reads <authentication mode="None" />:

    <membership defaultProvider="SingleSignOnMembershipProvider2">
      <providers>
        <add name="SingleSignOnMembershipProvider2" type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="SingleSignOnRoleProvider2">
      <providers>
        <add name="SingleSignOnRoleProvider2" type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      </providers>
    </roleManager>
    <websso>
      <authenticationrequired />
      <auditlevel>55</auditlevel>
      <urls>
        <returnurl>https://external-sps.cpandl.com</returnurl>
      </urls>
      <fs>https://adfs-resource.cpandl.com/adfs/fs/federationserverservice.asmx</fs>
      <isSharePoint />
    </websso>

  7. Click File, click Exit, and then click Save.

  8. At the command prompt, type:

    iisreset
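As an added configuration check (example code, not part of this Microsoft guide), the script below parses the external site's web.config and confirms that the claims-aware agent settings from the two web.config procedures above are present and consistent with the AD FS application registration: the WebSso module is the last httpModules entry, authentication is set to None, the default membership and role providers are the SingleSignOn ones and are actually registered, and the websso fs and returnurl values match the resource federation server and the Application URL registered on adfs-resource. The embedded web.config is a constructed sample that abbreviates the long assembly-qualified type names.

```python
import xml.etree.ElementTree as ET

FS_URL = "https://adfs-resource.cpandl.com/adfs/fs/federationserverservice.asmx"
APP_URL = "https://external-sps.cpandl.com"  # Application URL registered in AD FS
# Constructed sample: the external site's web.config after the edits above (long type names abbreviated).
SAMPLE_WEB_CONFIG = f"""<configuration><configSections><sectionGroup name="system.web">
    <section name="websso" type="System.Web.Security.SingleSignOn.WebSsoConfigurationHandler, ..." />
  </sectionGroup></configSections><system.web>
    <httpModules><add name="OtherModule" type="Example.OtherModule" />
      <add name="Identity Federation Services Application Authentication Module"
           type="System.Web.Security.SingleSignOn.WebSsoAuthenticationModule, ..." /></httpModules>
    <authentication mode="None" />
    <membership defaultProvider="SingleSignOnMembershipProvider2"><providers>
      <add name="SingleSignOnMembershipProvider2" type="...SingleSignOnMembershipProvider2, ..." /></providers></membership>
    <roleManager enabled="true" defaultProvider="SingleSignOnRoleProvider2"><providers>
      <add name="SingleSignOnRoleProvider2" type="...SingleSignOnRoleProvider2, ..." /></providers></roleManager>
    <websso><authenticationrequired /><auditlevel>55</auditlevel>
      <urls><returnurl>{APP_URL}</returnurl></urls><fs>{FS_URL}</fs><isSharePoint /></websso>
  </system.web></configuration>"""

def check_external_web_config(xml_text, fs_url=FS_URL, app_url=APP_URL):
    # Returns a list of findings; an empty list means the agent settings are consistent.
    root, findings = ET.fromstring(xml_text), []
    sw = root.find("system.web")
    if sw is None:
        return ["missing <system.web>"]
    # The WebSso module must be the last <httpModules> entry (step 5 above).
    mods = sw.findall("httpModules/add")
    if not mods or "WebSsoAuthenticationModule" not in mods[-1].get("type", ""):
        findings.append("WebSsoAuthenticationModule is not the last <httpModules> entry")
    # The external zone must not fall back to Windows authentication.
    auth = sw.find("authentication")
    if auth is None or auth.get("mode") != "None":
        findings.append('expected <authentication mode="None" /> on the external site')
    # Default membership/role providers must be the AD FS ones and be registered.
    for section, name in (("membership", "SingleSignOnMembershipProvider2"),
                          ("roleManager", "SingleSignOnRoleProvider2")):
        node = sw.find(section)
        if node is None or node.get("defaultProvider") != name:
            findings.append(f"<{section}> defaultProvider is not {name}")
        elif node.find(f"providers/add[@name='{name}']") is None:
            findings.append(f"{name} is not registered under <{section}>")
    # websso must point at the resource federation server and return to the AD FS app URL.
    ws = sw.find("websso")
    if ws is None:
        return findings + ["missing <websso> section"]
    if (ws.findtext("fs") or "").strip() != fs_url:
        findings.append("websso/fs does not match the resource federation server URL")
    if (ws.findtext("urls/returnurl") or "").strip().rstrip("/") != app_url.rstrip("/"):
        findings.append("websso/urls/returnurl does not match the AD FS application URL")
    return findings
```

Run it against the real file with check_external_web_config(open(path).read()); the returnurl must match the Application URL registered on adfs-resource, because AD FS only returns tokens to registered application URLs.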

To add a partner user to the default document library

  1. Click Start, point to All Programs, and then click Internet Explorer.

  2. In the address bar, type http://SPS-SRV, and then click Go.

  3. Click Site Actions, point to Site Settings, and then click People and Groups.

  4. Click New, and then click Add Users.

  5. In the Users/Groups box, type the e-mail address of a partner user (tphilip@treyresearch.net), and then click OK.

To verify that AD RMS is correctly using AD FS and Office SharePoint Server, you can log on to the client computer (adrms-clnt) as Nicole Holliday. Next, create a new Microsoft Word 2007 document, and then upload it to the Office SharePoint Server 2007 site into a rights-enabled document library configured such that users who download the document will be able to read it but will not be able to print it. You can then log on to the partner client computer (adrms-clnt2) as Terrence Philip, download the document from the SharePoint site, and verify that the ability to print the document has been restricted.

To complete this task, you must perform the following procedures:

  1. To upload a document to the IRM-protected SharePoint site

  2. To add external-sps.cpandl.com to the local intranet security zone

  3. To use a partner client to download and open the document

To upload a document to the IRM-protected SharePoint site

  1. Log on to the document publisher computer (adrms-clnt) as Nicole Holliday.

  2. Click Start, click All Programs, point to Microsoft Office, and then click Microsoft Word 2007.

  3. In the new document, click the Microsoft Office button, click Save As, and then save the file as ADRMS-TST.docx to a location on adrms-clnt. This document will be uploaded to the SharePoint document library.

  4. In the open document, type This document is read-only. You cannot print it.

  5. Close Microsoft Office Word 2007.

  6. Click Start, point to All Programs, and then click Internet Explorer.

  7. In the address bar, type http://sps-srv/, and then click Go.

  8. Click Document Center, and then click Documents.

  9. Click Upload, click Upload Document, click Browse, locate and select ADRMS-TST.docx, and then click Open.

  10. Click OK to upload the file, and then click Check In.

To add external-sps.cpandl.com to the local intranet security zone

  1. Log on to adrms-clnt2 as Terrence Philip.

  2. Click Start, click All Programs, and then click Internet Explorer.

  3. Click Tools, and then click Internet Options.

  4. Click the Security tab, click Local intranet, and then click Sites.

  5. Click Advanced.

  6. In Add this website to the zone, type https://external-sps.cpandl.com, and then click Add.

  7. Click Close.

To use a partner client to download and open the document

  1. Log on to adrms-clnt2 as Terrence Philip.

  2. Click Start, click All Programs, and then click Internet Explorer.

  3. In the address bar, type https://external-sps.cpandl.com/, and then click Go.

  4. Click Document Center, and then click Documents.

  5. Click ADRMS-TST, and then click OK.

    The following message appears: "Permission to this document is currently restricted. Microsoft Office must connect to https://adrms-srv.cpandl.com/_wmcs/licensing to verify your credentials and download your permission."

  6. Click OK.

    The following message appears: "Verifying your credentials for opening content with restricted permissions."

  7. Click OK.

  8. In the full screen reading view message, click OK, and then click Close to close the full screen reading view.

  9. Click the Microsoft Office button.

    Note that the Print command is unavailable.

You have successfully deployed, integrated, and verified the functionality of AD RMS, AD FS, and Office SharePoint Server 2007 by using a simple scenario of uploading a Microsoft Office Word 2007 document to a SharePoint site. You can also use this deployment to explore some of the additional capabilities of AD RMS through further configuration and testing.

© 2014 Microsoft. All rights reserved.