Step 4: Configuring ADRMS-SRV to Work with AD FS

Applies To: Windows Server 2008, Windows Server 2008 R2

Windows Server 2008 includes the option to install identity federation support for AD RMS as a role service through Server Manager. This step of the guide covers the following tasks:

  • Grant security audit privileges to the AD RMS service account

  • Add the AD RMS extranet cluster URLs

  • Add the AD RMS Identity Federation Support role service

  • Enable Identity Federation Support in the Active Directory Rights Management Services console

Grant security audit privileges to the AD RMS service account

The AD RMS service account must be able to generate security audit events when using AD FS.

To grant security audit privileges to the AD RMS service account

  1. Log on to ADRMS-SRV with the cpandl\Administrator account.

  2. Click Start, point to Administrative Tools, and then click Local Security Policy.

  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  4. Expand Local Policies, and then click User Rights Assignment.

  5. Double-click Generate security audits.

  6. Click Add User or Group.

  7. Type cpandl\adrmssrvc, and then click OK.

  8. Click OK to close the Generate security audits properties sheet.

Add the AD RMS extranet cluster URLs

AD RMS-enabled clients consuming rights-protected content through a federated trust use the AD RMS extranet cluster URLs to create a rights account certificate.

Warning

The AD RMS cluster URLs must be added before the Identity Federation Support role service is added by using Server Manager. If the cluster URLs are not added, you must edit the web.config files in the certificationexternal and licensingexternal directories manually.

To add the AD RMS extranet cluster URLs

  1. Log on to ADRMS-SRV with the CPANDL\ADRMSADMIN account.

  2. Open the Active Directory Rights Management Services console. Click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.

  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  4. Right-click adrms-srv.cpandl.com, and then click Properties.

  5. Click the Cluster URLs tab, and then select the Extranet URLs check box.

  6. For Licensing, click https://, and then type adrms-srv.cpandl.com.

  7. For Certification, click https://, and then type adrms-srv.cpandl.com.

  8. Click OK.

Add the AD RMS Identity Federation Support role service

Next, add the Identity Federation Support role service through Server Manager.

Note

When adding Identity Federation Support as a role service for your AD RMS server, the account used to install and run Server Manager must be granted one of the following as permissions within your AD RMS database deployment:

  • db_owner on the DRMS_Config database

  • sysadmin on the SQL Server installation hosting your AD RMS databases

To add the Identity Federation Support Role Service

  1. Log on to ADRMS-SRV with the CPANDL\ADRMSADMIN account.

  2. Click Start, point to Administrative Tools, and then click Server Manager.

  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  4. In the Roles Summary box, click Active Directory Rights Management Services, and then click Add Role Services.

  5. Select the Identity Federation Support check box. Ensure that the Claims-aware Agent is listed as a required role service, and then click Add Required Role Services.

  6. Click Next.

  7. On the Configure Identity Federation Support page, type adfs-resource.cpandl.com, click Validate, and then click Next.

  8. On the Introduction to AD FS page, click Next.

  9. On the AD FS Role Service page, confirm that Claims-aware Agent is selected, and then click Next.

  10. Click Install to add the Identity Federation Support role service to the ADRMS-SRV computer.

  11. Click Finish.

Enable Identity Federation Support in the Active Directory Rights Management Services console

Once enabled, Identity Federation Support allows user accounts to use credentials established by a federated trust relationship through Active Directory Federation Services (AD FS) as a basis for obtaining a rights account certificate from an AD RMS cluster.

To enable AD RMS identity federation support in the Active Directory Rights Management Services console

  1. Log on to ADRMS-SRV with the CPANDL\ADRMSADMIN account.

  2. Open the Active Directory Rights Management Services console and expand the AD RMS cluster.

  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  4. In the console tree, expand Trust Policies,and then click Federated Identity Support.

  5. In the Actions pane, click Enable Federated Identity Support.

  6. In the Actions pane, click Properties.

  7. On the Active Directory Federation Service Policies tab, in Federated Identity Certificate validity period, type 7. This is the number of days that federated rights account certificates are to be valid.

  8. Click OK.