Appendix A: Configuring Active Directory Federation Services to work with Office SharePoint Server 2007

Applies To: Windows Server 2008, Windows Server 2008 R2

About this Appendix

This appendix walks you through the process of configuring Active Directory Federation Services (AD FS) and Microsoft Office SharePoint Server 2007 together in a test environment to consume content that is rights-protected by Active Directory Rights Management Services (AD RMS). Specifically, this guide shows you how to consume rights-protected content from an Office SharePoint Server 2007 document library through a federated trust.

This guide assumes that you previously completed the following step-by-step guides:

• Windows Server Active Directory Rights Management Services Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkId=54964)

• Using Identity Federation with Active Directory Rights Management Services Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkId=72135)

• The first three steps of Deploying Active Directory Rights Management Services with Microsoft Office SharePoint Server 2007 Step-By-Step Guide

In this appendix, you will configure the test environment configured in the step-by-step guides referenced above to include federated support for Office SharePoint Server 2007.

Configuring AD FS to work with Office SharePoint Server 2007 in a Test Environment

We recommend that you first use the steps provided in this appendix in a test lab environment. Step-by-step guides are not necessarily meant to be used to deploy Windows Server features without additional deployment documentation and should be used with discretion as a stand-alone document.

Upon completion of this appendix, you will have a working AD RMS and Office SharePoint Server 2007 infrastructure with federation support. You can then test and verify the functionality as follows:

• Create a document in the CPANDL.COM domain.

• Upload the document to a rights-protected document library.

• Have an authorized user in the TREYRESEARCH.NET domain open and work with the document.

The test environment described in this guide include nine computers connected to a private network and using the following operating systems, applications, and services:

Computer Name	Operating System	Applications and Services
CPANDL-DC TREY-DC	Windows Server 2003 with Service Pack 1 (SP1) Note Domain controllers running Windows 2000 Server with Service Pack 4 can be used. However, in this step-by-step guide it is assumed that you will be using domain controllers running Windows Server 2003 with SP1.	Active Directory, Domain Name System (DNS)
ADRMS-SRV	Windows Server® 2008	AD RMS, Internet Information Services (IIS) 7.0, Message Queuing, and World Wide Web Publishing Service
ADRMS-DB	Windows Server 2003 with SP1	Microsoft SQL Server™ 2005 Standard Edition
SPS-SRV	Windows Server 2003 R2 with Server Pack 2 (SP2). Important Windows Server 2003 R2 with SP2 is required for federation support to work with Office SharePoint Server 2007.	AD FS claims-aware agent, Office SharePoint Server 2007
ADRMS-CLNT ADRMS-CLNT2	Windows Vista®	Microsoft Office Word 2007 Enterprise Edition
ADFS-RESOURCE ADFS-ACCOUNT	Windows Server® 2008 Enterprise	AD FS, IIS

The computers form two private intranets and are connected through a common hub or Layer 2 switch. This configuration can be emulated in a virtual server environment, if desired. This appendix exercise uses private addresses throughout the test lab configuration. The private network ID 10.0.0.0/24 is used for the intranet. The domain controller for the domain named cpandl.com is CPANDL-DC and the domain controller for the domain name treyresearch.net is TREY-DC. The following figure shows the configuration of the test environment:

Step 1: Setting up the infrastructure

The following steps should be taken to prepare the existing test infrastructure for configuring AD FS with Office SharePoint Server 2007:

• Install the claims-aware applications Windows component on SPS-SRV.

• Add a DNS host name record to the CPANDL.COM domain so that federated users can access the Office SharePoint Server 2007 Web site.

• Add the external SharePoint Web site as a claims-aware application on ADFS-RESOURCE.

First, add the claims-aware application Windows component. This component is required for AD FS and interfaces with the AD FS federation servers to submit claims.

To add the claims-aware applications Windows component

1. Log on to SPS-SRV as cpandl\administrator or another user account in the local Administrators group.

2. Click Start, point to Control Panel, click Add or Remove Programs, and then click Add/Remove Windows Components.

3. Click Active Directory Services, and then click Details.

4. Click Active Directory Federation Services (ADFS), and then click Details.

5. Click ADFS Web Agents, and then click Details.

6. Select the Claims-aware applications check box, and then click OK three times.

7. Click Next.

8. Click Finish to complete the installation.

Next, add a DNS host name record is required in the CPANDL.COM domain so that federated users in the TREYRESEARCH.NET domain can access the Office SharePoint Server 2007 Web site.

To create a DNS host name record for the external Office SharePoint Server 2007 Web site

1. Log on to CPANDL-DC as cpandl\administrator or another user account in the local Administrators group.

2. Click Start, point to Administrative Tools, and then click DNS.

3. Expand Forward Lookup Zones, right-click CPANDL-DC, and then click New Host (A).

4. In the Name box, type external-sps.

5. In the IP Address box, type 10.0.0.6, and then click Add Host.

6. Click OK, confirming that the host record was successfully created.

7. Click Done.

Finally, add the external SharePoint Web site as a claims-aware Windows application on ADFS-RESOURCE: This should be done before a user is added to doc library.

To add the external SharePoint Web site as a claims-aware Windows application on ADFS-RESOURCE

1. Log on to ADFS-RESOURCE as cpandl\adfsadmin or another user account in the local Administrators group.

2. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

4. Expand Federation Services, expand Trust Policy, and then expand My Organization.

5. Right-click Applications, point to New, and then click Application.

6. On the Welcome to the Add Application Wizard, click Next.

7. Select the Claims-aware application option, and then click Next.

8. In the Application display name box, type External SharePoint Web site.

9. In the Application URL box, type https://external-sps.cpandl.com, and then click Next.

10. Select the E-mail check box, and then click Next.

11. Select the Enable this application check box, and then click Next.

12. Click Finish.

Step 2: Configuring Office SharePoint 2007 to work with AD FS

To configure Office SharePoint Server 2007 to work with AD FS, several steps must be completed:

• Add a claims-aware Windows application for the external Web site.

• Extend the internal Office SharePoint Server 2007 Web site.

• Add a Secure Sockets Layer (SSL) certificate to the external Web site.

• Configure the authentication provider on the external Web site.

• Edit the web.config file on the internal Web site.

• Add Terrence Philip to the default document library.

• Edit the web.config file on the external Web site.

First, extend the existing internal Web site, created earlier in this guide, and add it to the Extranet zone.

To extend the internal Office SharePoint 2007 Web site and add it to the Extranet zone on SPS-SRV.

1. Log on to SPS-SRV as cpandl\administrator or another user account in the local Administrators group.

2. Click Start, point to Administrative Tools, and then click SharePoint 3.0 Central Administration.

3. Click Application Management, click Create or Extend Web application, and then click Extend an existing Web application.

4. Select the Create a new Web site option, and then type External Users Web site in the Description box.

5. In the Web Application box, click Change Web Application, and then click https://sps-srv.

6. In the Port box, type 443.

7. In the Host header box, type external-sps.cpandl.com.

8. In the Secure Sockets Layer (SSL) box, select the Yes option.

9. In the URL box, type https://external-sps.cpandl.com.

10. In the Zone box, click Extranet.

11. Click OK.

Before proceeding with this appendix, verify that the internal Web site was correctly extended. To do this, open the Alternate Access Mappings and ensure that external-sps.cpandl.com is available.

To verify that the external Web site is available

1. In the Central Administration 3.0 site, click Operations.

2. Under the Global Configuration heading, click Alternate access mappings.

3. Verify that the https://external-sps.cpandl.com is shown and the Zone is configured for Extranet.

Next, add an SSL certificate to the external-sps.cpandl.com Web site by using IIS. AD FS requires an SSL connection for all claims-aware Windows applications.

To add an SSL certificate to the external Office SharePoint 2007 Web site

1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

2. Expand Web Sites, right-click External Users Web site, and then click Properties.

3. Click Directory Security, and then click Server Certificate.

4. On the Welcome to the Web Server Certificate Wizard page, click Next.

5. Choose whether to import from an existing certificate file or request a new certificate.

6. After the certificate is imported, close the External Users Web site properties sheet.

Next, configure the authentication provider on the external Web site to use Web Single Sign On (SSO).

To configure the authentication provider of the Extranet Web application to use Web SSO

1. Click Start, point to Administrative Tools, and then click SharePoint 3.0 Central Administration, and then click Application Management.

2. Under the Application Security heading, click Authentication providers.

3. In the Web application box, click Change Web Application, and then click SharePoint - 80.

4. Click Extranet.

5. For Authentication Type, select the Web single sign on option.

6. In the Membership provider name box, type SingleSignOnMembershipProvider2.

7. In the Role manager name box, type SingleSignOnRoleProvider2.

8. For Enable client integration, select the No option, and then click Save.

Next, configure the internal Web application to accept claims from the external Web site by editing the web.config file for the internal Web site:

To configure the internal Web site to accept claims from the external Web site

1. Navigate to C:\inetpub\wwwroot\wss\VirtualDirectories\80.

2. Right-click web.config, and then click Open.

3. Select the Select the program from a list option, click Notepad, clear the Always use the selected program to open this kind of file check box, and then click OK.

4. Add the following text under the line that reads <authentication mode ="Windows" />:

   <membership>
   <providers>
   <add name="SingleSignOnMembershipProvider2" type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" fs="https://adfs-resource.cpandl.com/adfs/fs/federationserverservice.asmx" />
   </providers>
   </membership>
   
   <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
   <providers>
   <remove name="AspNetSqlRoleProvider" /> <add name="SingleSignOnRoleProvider2" type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" fs="https://adfs-resource.cpandl.com/adfs/fs/federationserverservice.asmx" />
   </providers>
   </roleManager>
   

5. Click File, and then click Save.

6. Close Notepad.

7. At a command prompt, type IISRESET, and then press ENTER.

Next, add Terrence Philip (TREYRESEARCH\tphilip) to the default document library.

To add Terrence Philip to the default document library

1. Click Start, point to All Programs, and then click Internet Explorer.

2. Type https://SPS-SRV in the address bar, and then click Go. This will open the default Office SharePoint Server 2007 site that was created during installation.

3. Click Site Actions, point to Site Settings, and then click People and Groups.

4. Click New, and then click Add Users.

5. In the Users/Groups box, type tphilip@treyresearch.net, and then click OK.

Next, edit the web.config file on the external Web site. There are several entries that must be made to put each individual entry into its own procedure.

To add a new entry in the &lt;configSections&gt; node

1. Navigate to C:\inetpub\wwwroot\wss\VirtualDirectories\external-sps.cpandl.com443.

2. Right-click web.config, and then click Open.

3. Select the Select the program from a list option, click Notepad, and then clear the Always use the selected program to open this kind of file check box.

4. Add the following text in the <configSections> node:

   <sectionGroup name="system.web">
   <section name="websso" type="System.Web.Security.SingleSignOn.WebSsoConfigurationHandler, System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" />
   </sectionGroup>
   

5. Click File, and then click Save.

Add a new entry in the <httpModules> node:

To add a new entry in the &lt;httpModules&gt; node

1. In the same file as the previous procedure, add the following line as the last entry in the <httpModules> node:

   <add name="Identity Federation Services Application Authentication Module" type="System.Web.Security.SingleSignOn.WebSsoAuthenticationModule, System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" />
   

2. Click File, and then click Save.

Add a new entry to the <system.web> node:

To add a new entry in the &lt;system.web&gt; node

1. In the same file as the previous procedure, add the following under the line that read <authentication mode="None"/>:

   <membership defaultProvider="SingleSignOnMembershipProvider2">
   <providers>
   <add name="SingleSignOnMembershipProvider2" type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
   </providers>
   </membership>
   
   <roleManager enabled="true" defaultProvider="SingleSignOnRoleProvider2">
   <providers>
   <add name="SingleSignOnRoleProvider2" type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
   </providers>
   </roleManager>
   
   <websso>
   
   <authenticationrequired />
   
   <auditlevel>55</auditlevel>
   
   <urls>
   <returnurl>https://external-sps.cpandl.com</returnurl>
   </urls>
   
   <fs>https://adfs-resource.cpandl.com/adfs/fs/federationserverservice.asmx</fs>
   
   <isSharePoint />
   
   </websso>
   

2. Click File, and then click Save.

3. Close Notepad.

4. From a command prompt, type IISRESET, and then press ENTER.

Step 3: Verifying AD RMS functionality with Office SharePoint Server 2007 and AD FS.

To verify the functionality of AD RMS using AD FS and Office SharePoint Server 2007, you log on to ADRMS-CLNT as Nicole Holliday, create a new Microsoft Word 2007 document, and upload it to the Office SharePoint Server 2007 site into a rights-enabled document library configured such that users who download the document will be able to read it but will not be able to print it. You then log on to ADRMS-CLNT2 as Terrence Philip, download the document from the Office SharePoint Server 2007 site and verify that the ability to print the document has been restricted.

Before you can consume rights-protected content, you must add the external Web application (external-sps.cpandl.com) to the Local Intranet security zone on ADRMS-CLNT2.

To add external-sps.cpandl.com to Local Intranet security zone

1. Log on to ADRMS-CLNT2 as Terrence Philip (TREYRESEARCH\tphilip).

2. Click Start, click All Programs, and then click Internet Explorer.

3. Click Tools, and then click Internet Options.

4. Click the Security tab, click Local intranet, and then click Sites.

5. Click Advanced.

6. In the Add this website to the zone, type https://external-sps.cpandl.com, and then click Add.

7. Click close.

Next, log on to ADRMS-CLNT as Nicole Holliday and create a Microsoft Word 2007 document and upload it to the Office SharePoint Server 2007 site.

To create and upload a Microsoft Word document for testing

1. Click Start, point to All Programs, point to Microsoft Office, and then click Microsoft Office Word 2007.

2. Type This document is read-only. You cannot print it. in the new document, click the Microsoft Office Button, click Save As, and then save the file as ADRMS-TST.docx to a location on ADRMS-CLNT. This document will be uploaded to the Office SharePoint Server 2007 document library.

3. Close Microsoft Office Word 2007.

4. Click Start, point to All Programs, and then click Internet Explorer.

5. Type **https://SPS-SRV/**in the address bar, and then click Go.

6. Click Document Center, and then click Documents.

7. Click Upload, click Upload Document, click Browse to locate and select ADRMS-TST, and then click Open.

8. Click OK to upload the file, and then click Check In.

   By uploading the document into this library, the document receives the restrictions set on the library.

9. Log off as Nicole Holliday.

Finally, log on to ADRMS-CLNT2 as Terrence Philip and open the document from the external Office SharePoint Server 2007 site.

To open a protected document

1. Log on to ADRMS-CLNT2 as Terrence Philip (TREYRESEARCH\tphilip).

2. Click Start, click All Programs, and then click Internet Explorer.

3. Type https://external-sps.cpandl.com/ in the address bar, and then click Go.

4. Click Document Center, and then click Documents.

5. Click ADRMS-TST, and then click OK to open the document as Read Only.

6. The following message will appear: "Permission to this document is currently restricted. Microsoft Office must connect to https://adrms-srv.cpandl.com/\_wmcs/licensing to verify your credentials and download your permission."

7. Click OK.

8. The following message will appear: "Verifying your credentials for opening content with restricted permissions".

9. Click OK in the full screen reading view message, and then click Close to close the full screen reading view.

10. Click the Microsoft Office button. The Print command is disabled.

You have successfully deployed, integrated, and demonstrated the functionality of AD RMS, AD FS, and Office SharePoint Server 2007, using the simple scenario of uploading a Microsoft Office Word 2007 document to an Office SharePoint Server 2007 site. You can also use this deployment to explore some of the additional capabilities of AD RMS through additional configuration and testing.