Step 1: Configuring AD RMS to Work in an Extranet

Applies To: Windows Server 2008, Windows Server 2008 R2

In addition to the steps outlined in the "Windows Server Active Directory Rights Management Services Step-by-Step Guide," you must also do the following:

  • Configure the extranet cluster URL in the Active Directory Rights Management Services console.

  • Export the server authentication certificate, including the private key, on ADRMS-SRV. This will be imported into the Personal certificate store on the ISA server (ISA-SRV).

In order for users who are not connected to your organization's internal network to consume rights-protected content, you must configure the AD RMS extranet cluster URLs. These URLs are included in the AD RMS client licensor certificate and published with all rights-protected content. Each URL should be an address that is available to all computers on the Internet.

Note

You must configure the extranet cluster URLs before you can rights-protect content. If you already have rights-protected content, the AD RMS-enabled client must download a new client licensor certificate that includes the extranet cluster URL.

You configure the extranet cluster URLs in the Active Directory Rights Management Services console. Follow these steps:

To configure the AD RMS extranet cluster URLs

  1. Log on to ADRMS-SRV as CPANDL\ADRMSADMIN.

  2. Click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.

  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  4. Right-click ADRMS-SRV (Local), and then click Properties.

  5. Click the Cluster URLs tab, and then select the Extranet URLs check box.

  6. In the Licensing box, select https://, and then type adrms-srv.cpandl.com.

  7. In the Certification box, select https://, and then type adrms-srv.cpandl.com.

  8. Click OK.

Next, export the ADRMS-SRV server authentication certificate with its private key. This is required so that ISA-SRV can pass HTTPS requests from ADRMS-EXCLNT to the AD RMS cluster.

To export the ADRMS-SRV server authentication certificate with private key

  1. Click Start, type mmc.exe, and then press ENTER.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. Click File, and then click Add/Remove Snap-in.

  4. Click Certificates, and then click Add.

  5. Select the Computer account option, and then click Next.

  6. Click Finish, and then click OK.

  7. Expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates in the console tree.

  8. Right-click ADRMS-SRV.cpandl.com, point to All Tasks, and then click Export.

  9. On the Welcome to the Certificate Export Wizard page, click Next.

  10. Select the Yes, export the private key option, and then click Next.

  11. On the Export File Format page, click Next, accepting the default selections.

  12. In the Password and Type and confirm password boxes, type the same strong password, and then click Next.

  13. In the File name box, type \\adrms-db\public\adrms-srv_with_key.pfx, and then click Next.

  14. Click Finish.

  15. Click OK, confirming that the export was successful.
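
Before the file is imported on ISA-SRV, the following PowerShell function (an added example, not part of the original guide) loads the exported PFX and checks that it carries a private key, permits Server Authentication, is within its validity period, and names the extranet host configured on the Cluster URLs tab. The function name Test-ExtranetPfx is hypothetical; the path and host name are the ones used in this guide, and only .NET classes available to Windows PowerShell 2.0 are used.

```powershell
# Added example, not from the original guide. Test-ExtranetPfx is a hypothetical name.
function Test-ExtranetPfx {
    param(
        [string]$PfxPath      = '\\adrms-db\public\adrms-srv_with_key.pfx',  # file from the export step
        [string]$ExpectedHost = 'adrms-srv.cpandl.com'                       # extranet cluster URL host
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication enhanced key usage

    # Prompt for the export password without echoing it.
    $password = Read-Host -Prompt 'PFX password' -AsSecureString
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet

    # Throws a CryptographicException if the password is wrong or the file is damaged.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                -ArgumentList $PfxPath, $password, $flags
    try {
        # A certificate with no EKU extension is valid for all purposes.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $hasServerAuth = $true
        if ($eku) {
            $hasServerAuth = @($eku.EnhancedKeyUsages |
                Where-Object { $_.Value -eq $serverAuthOid }).Count -gt 0
        }

        # DnsName yields the first DNS entry of the subject alternative name,
        # or the subject common name when no such entry exists.
        $dnsName = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        $now = Get-Date

        New-Object PSObject -Property @{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            HasPrivateKey  = $cert.HasPrivateKey
            ServerAuthEku  = $hasServerAuth
            NameMatchesUrl = ($dnsName -eq $ExpectedHost)   # -eq ignores case
            WithinValidity = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        }
    }
    finally {
        $cert.Reset()   # release the certificate and its key handle
    }
}

Test-ExtranetPfx | Format-List
```

Every Boolean field should read True before you continue. The PFX holds the ADRMS-SRV private key, so remove it from \\adrms-db\public once it has been imported into the Personal store on ISA-SRV.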