AD RMS Business-To-Business Requirements for Trusted User Domains

Applies To: Windows Server 2008, Windows Server 2008 R2

A trusted user domain (TUD) allows the AD RMS root cluster to process requests for client licensor certificates or use licenses from users whose rights account certificates (RACs) were issued by a different AD RMS root cluster. You add a trusted user domain by importing the server licensor certificate of the AD RMS cluster that is to be trusted. You can also add trust policies so that AD RMS can process licensing requests for user certificates from a different AD RMS cluster.

Business-to-business is one such type of TUD and is shown in the following diagram. This type of TUD would involve two different companies sharing rights-protected content between them. Before you set up this type of TUD, there are some requirements that must be met.

Business-to-Business Trusted User Domain Requirements

The following table describes the requirements to implement a solution to enable Company A and Company B to share rights-protected information between them. The following components are required in each company.

Solution Component | Detail Description | Detail Options

Each entry below gives the solution component, then its detail description, then its detail options as bullets.

Active Directory Rights Management Services Server Components

RMS Domain

  • AD RMS Root Certification Cluster or Licensing Server

  • SQL Server 2008 or 2005 for AD RMS configuration, logging, and directory services databases

  • The AD RMS cluster from which users acquire RACs (GICs), CLCs, PLs, and EULs

RMS Client Components

Users protecting and using AD RMS documents

  • External and internal Windows operating system client computers used to access rights-protected information

  • Microsoft RMS v1.0 SP2

  • Microsoft Rights Management Add-on for Internet Explorer 6 (and Internet Explorer 7)

  • Windows Vista

  • Windows 7

  • IRM Applications

Active Directory Components

Active Directory Forest

  • RMS Usage Restrictions

  • Provides authentication, service location, and group membership

ISA Server 2006 (optional)

Integrated Edge Security Gateway

  • ISA Server Firewall Web Publication and SSL Bridging capabilities

  • Provides application layer filtering and content inspection protecting from threats to the published AD RMS architecture

Hardware Security Module (HSM) (optional)

HSM for AD RMS Key Storage

  • HSM for AD RMS Key Storage

  • Protects AD RMS keys in tamper-resistant hardware

DNS Configuration for intranet and extranet pipelines

Define extranet or intranet server or cluster URLs and create DNS records

  • Create DNS entries for the Internet or intranet server or cluster URLs. For scalability, each record should be a cluster alias rather than the name of a physical server.

  • Use FQDNs instead of NetBIOS names for both publication pipelines.

DNS configuration for revocation pipelines (optional)

Define Revocation Pipelines and create DNS records

  • Create DNS entries for the revocation pipeline. For scalability, this record should be a cluster alias rather than the name of a physical server.

  • Use an FQDN instead of a NetBIOS name for this pipeline.

SSL certificates (optional – highly recommended)

SSL certificates are not required but are highly recommended for each AD RMS pipeline. They are required when you deploy with AD FS.

  • SSL encrypts the channel to protect against spoofing and password capture. It is not required, but it is highly recommended for Internet (extranet) pipelines, where user credentials would otherwise be sent in clear text.

  • Configure one SSL certificate for the AD RMS Web site.

Configuration of trusted user domain trust

Required to allow information exchange between companies.

  • This must be configured in both AD RMS installations if rights-protected information will be exchanged both ways.

  • In each company, export the server licensor certificate (SLC) of its own cluster and import it into the other company's AD RMS domain as a trusted user domain.

Configuration Change on IIS Security

Because there is no Windows trust between the two companies, the licensing issuance service must have anonymous access enabled.

  • Change the authentication settings of the Licensing.asmx file on each licensing server in each organization so that anonymous access is allowed.

  • This allows the cluster to issue EULs to users who belong to a different AD RMS domain.

High Availability (recommended)

Because AD RMS is a service that protects critical information, consider providing high availability for all components.

  • Multiple servers or resources in AD RMS clusters.

  • Multiple servers or resources for SQL Server.

  • Multiple servers or resources for Active Directory authentication (domain controllers).

  • Multiple HSMs (if they are used) for root certification cluster availability.

  • An architecture design with no single point of failure.
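The DNS, SSL and IIS rows of the table above can be turned into a pre-flight check before the trust is established. This is an added example, not Microsoft's code: the DNS records, URLs and web.config fragment are constructed sample data, and the per-file `<location path="Licensing.asmx">` layout is an assumption about how the IIS setting is stored.

```python
"""Pre-flight checks for the DNS, SSL and IIS rows of the TUD requirements table.
Added example, not Microsoft's code. DNS records, URLs and the web.config
fragment are constructed; the per-file <location> layout is an assumption."""
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

# Constructed sample zone: rms.contoso.example is the cluster alias,
# rmssrv01.contoso.example is a physical server behind it.
DNS_RECORDS = {
    "rms.contoso.example": ("CNAME", "rmssrv01.contoso.example"),
    "rmssrv01.contoso.example": ("A", "192.0.2.10"),
}

# Constructed sample fragment in IIS 7 system.webServer layout (assumed).
SAMPLE_WEB_CONFIG = """<configuration>
  <location path="Licensing.asmx">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="true" />
      <windowsAuthentication enabled="false" />
    </authentication></security></system.webServer>
  </location>
</configuration>"""


def check_pipeline_url(url, extranet, records=DNS_RECORDS):
    """Apply the table's DNS and SSL rules to one pipeline URL; return findings."""
    findings = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if "." not in host:  # single-label (NetBIOS-style) name, not an FQDN
        findings.append("host is not an FQDN")
    else:
        rec = records.get(host)
        if rec is None:
            findings.append("no DNS record for host")
        elif rec[0] != "CNAME":
            findings.append("host is a physical server, not a cluster alias")
    if extranet and parsed.scheme != "https":  # credentials cross the Internet
        findings.append("extranet pipeline does not use SSL")
    return findings


def licensing_allows_anonymous(web_config_xml):
    """True if the Licensing.asmx <location> enables IIS anonymous authentication."""
    root = ET.fromstring(web_config_xml)
    for loc in root.iter("location"):
        if loc.get("path", "").lower() != "licensing.asmx":
            continue
        node = loc.find(".//anonymousAuthentication")
        return node is not None and node.get("enabled", "").lower() == "true"
    return False  # no per-file entry, so anonymous access is not granted here
```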