Deploying Active Directory Rights Management Services with Active Directory Federation Services

 

Applies To: Windows 7, Windows 8.1, Windows Server 2012 R2, Windows 8

Use this step-by-step guide to help you deploy Active Directory Rights Management Services (AD RMS) with Active Directory Federation Services (AD FS) in a test environment, as a proof of concept. The instructions cover how to install and configure AD RMS to use AD FS to establish a federated trust that can be used over the Internet with another organization that has not deployed AD RMS. This solution lets this other organization consume content that your organization has protected by using AD RMS.

When you’ve completed the instructions in this guide, the final step includes a simple verification that somebody from the other organization can read but cannot print a document that you’ve protected. However, you can then go on to explore some of the additional capabilities of AD RMS by doing your own testing and additional configuration, and if required, plan a deployment on your production network.

Tip


If you are unfamiliar with AD RMS or AD FS: For technical support, use the TechNet forum for AD RMS: Active Directory Rights Management Services (On Premises)

Overview of this deployment:

The computers form two private intranets to represent two independent forests. In a production environment, these would be connected by using the Internet with a more complex network topology, but for the purposes of this test network, the two forests are connected by using a common hub or Layer 2 switch. This configuration makes it easier to deploy in a virtual server environment.

In addition, in a production environment, as a security best practice, these computers would be behind a firewall and the two AD FS servers would communicate by using Web Application Proxy, or a similar proxy technology. Communication between the two organizations uses HTTPS (typically, using TCP port 443). In our example, HTTP is also used for certificate revocation checking to the other organization’s CA. For more information about how to deploy Web Application Proxy, see Planning to Publish Applications Using Web Application Proxy.

Steps to complete this AD RMS with AD FS deployment

Use the following table as an overview and summary of the steps required for this deployment.

Before you start, make sure that you have seven computers (real or virtual) with access to the source files for the operating systems that are listed in the Applies to list at the beginning of this topic. The instructions are specific to the operating system versions listed and will not work with earlier versions. In addition, to verify the deployment (the final step), you will need access to the source files to install Microsoft Office (Office 2013, Office 2010, or Office 2007).

Deployment steps Summary
Step 1: Preparing the resource partner organization (Contoso) Creates the Contoso.com domain, with three servers and one Windows client computer. One server is the domain controller with DNS and an enterprise CA, another server is for SQL Server and AD RMS, and the third server is for AD FS.

Additionally: DNS is configured, the AD FS URL and RMS service URL is added to the Intranet zone for clients, and user accounts are created that will be used for this deployment.
Step 2: Preparing the account partner organization (Trey Research) Creates the Trey.net domain, with two servers and one Windows client computer. One server is the domain controller with DNS and an enterprise CA, and the second server is for AD FS.

Additionally: DNS is configured, the AD FS URL is added to the local intranet zone for clients, and user accounts are created that will be used for this deployment.
Step 3: Deploying the PKI certificates Deploys three PKI server certificates to support this test deployment and creates a PKI trust between the two internal enterprise CAs so that a server certificate that is issued by one organization is trusted by the other organization. If you purchase these certificates from a public CA, you can skip this step.
Step 4: Installing and configuring AD RMS in the resource partner organization (Contoso) Configures the member server for Contoso to run AD RMS with IIS and SQL Server. AD RMS is configured to support Identify Federation. Additional configuration is required for AD RMS.
Step 5: Installing and configuring AD FS for both organizations Installs and configures AD FS in both organizations. Because we’re using self-signed certificates rather than PKI certificates to sign the tokens, the token signing certificates are exported and imported to the computers that need to trust these certificates.

AD FS configuration:

- Two relying party trusts are created in the resource organization (one for RMS certification and the other for RMS licensing) for the Active Directory store with two claim rules for LDAP attributes and email addresses.
- A claims provider trust is created in the resource organization with one claim rule for email.
- A relying party trust is created in the account organization (for RMS certification) for the Active Directory store with one claim rule for LDAP attributes.
Step 6: Preparing the Trey Research client for AD RMS: Configuring the Federation Home Realm Configures the client in the Trey Research organization so that Office uses the federation home realm for AD FS.
Step 7: Verifying the AD RMS and AD FS deployment Tests AD RMS and AD FS by protecting a Word document in the Contoso organization such that a user in the Trey Research organization can open the document but as read-only.

Step 1: Preparing the resource partner organization (Contoso)

Summary of computer configuration:

Host name IP address Roles in the resource forest
ContosoDC 192.168.111.1/24 Active Directory Domain Services with DNS

Active Directory Certificate Services
ContosoRMS 192.168.111.2/24 Member server onto which we’ll later install AD RMS.
ContosoFS 192.168.111.3/24 Active Directory Federation Services
ContosoClient 192.168.111.10/24 Client to protect content

Use the following steps to prepare the resource forest and domain for AD RMS and AD FS.

Install and configure the domain (Contoso.com)
  1. Install a full version of Windows Server that is listed in the Applies to list at the beginning of this topic. We recommend 1 GB of RAM, and 32 GB of available hard disk space.

    Configure this computer as follows:

    • Computer name: ContosoDC

    • IP address of 192.168.111.1, subnet mask of 255.255.255.0, and preferred DNS server of 127.0.0.1.

  2. Add the Active Directory Domain Services role and make the computer a domain controller with default settings except for the following configuration:

    • New forest with root domain name of contoso.com
  3. Configure DNS for the following:

    • Resolve names for Trey Research (trey.net): Forwarder of 192.168.111.100

    • For AD RMS: New host (A) record with name of rmsservice and IP address of 192.168.111.2 (associated PTR record is optional)

    • For AD FS: New host (A) record with name of ContosoADFS and IP address of 192.168.111.3 (associated PTR record is optional)

  4. Add the Active Directory Certificate Services role with the following configuration:

    • Certification Authority as an Enterprise CA, root CA named ContosoRootCA. Accept all installation defaults except for the following:

      1. Add the Certification Authority Web Enrollment role service. This provides a quick and convenient method to publish the certificate revocation list (CRL) over HTTP so that it’s accessible to computers in the Trey Research organization.

      2. After the install, configure the CA properties, Extension tab: Make sure that CRL Distribution Point (CDP) is selected, select the http:// entry in the list box, and then select Include in CRLs. Clients use this to find Delta CRL locationsand Include in the CDP extension of issued certificates. These two options are required so that computers in the Trey Research organization can locate this CRL for the issuing CA in the Contoso organization. Restart Active Directory Certificate Services when prompted.

    Note


    In a production environment, do not use this configuration, which increases the attack surface. Instead, install the CA on a separate server from the domain controller, and publish the CRL on a separate web server. The configuration that we use here reduces the number of computers required and the number of configuration steps required to support this test network. If you purchase PKI server certificates, you do not even need to install the certification authority role.

  5. For all clients, add the URL for the local federation server and the RMS service to the local intranet zone, by configuring the following Group Policy for all client computers (for example, in our test environment, you can edit the Default Domain Policy, or create a new Group Policy object that’s linked to the domain):

    • Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignment List:

      • Enable and add ContosoADFS.contoso.com with the value of 1.

      • Enable and add RMSService.contoso.com with the value of 1.

    This setting enables Windows integrated authentication, so that users are not prompted for their credentials.

  6. Add the following user accounts to the contoso.com domain, with the additional following configuration choices:

    • Clear the User must change password at next logon check box.

    • Select Password never expires.

    Account name User logon name Email address Make member of domain group
    AdrmsSvc AdrmsSvc Not needed Default
    AdfsAdmin AdfsAdmin Not needed Default
    AdrmsAdmin AdrmsAdmin Not needed Enterprise Admins¹
    Nicole Holliday nhollida nhollida@contoso.com Default

    ¹After you have installed SQL Server and AD RMS, you can remove this account from the Enterprise Admins group as a security best practice so that the account does not have more privileges than it needs. The only time you would need to add the account back to the Enterprise Admins group for AD RMS is if you have to make a change to the Service Connection Point, which is not required for this scenario.

Install a server for AD RMS (ContosoRMS)
  1. Install a full version of Windows Server that is listed in the Applies to list at the beginning of this topic. We recommend 4 GB of RAM, and 32 GB of available hard disk space.

    Configure this computer as follows:

    • Computer name: ContosoRMS

    • IP address of 192.168.111.2, subnet mask of 255.255.255.0, and preferred DNS server of 192.168.111.1.

  2. Join the computer to the Contoso.com domain, and then add the CONTOSO\AdrmsAdmin account to the local Administrators group.

We’ll configure this server for AD RMS later.

Install and configure a server for AD FS (ContosoFS)
  1. Install a full version of Windows Server that is listed in the Applies to list at the beginning of this topic. We recommend 1 GB of RAM, and 32 GB of available hard disk space.

    Configure this computer as follows:

    • Computer name: ContosoFS

    • IP address of 192.168.111.3, subnet mask of 255.255.255.0 and preferred DNS server of 192.168.111.1.

  2. Join this computer to the contoso.com domain.

We’ll configure this server for AD FS later.

Install and configure a client computer for AD RMS (ContosoClient)
  1. Install a client operating system that is listed in the Applies to list at the beginning of this topic. We recommend 1 GB of RAM, and 20 GB of available hard disk space.

    Configure this computer as follows:

    • Computer name: ContosoClient

    • Local account, user name: LocalAdmin

    • IP address of 192.168.111.10, subnet mask of 255.255.255.0, and preferred DNS server of 192.168.111.1.

  2. Join this computer to the contoso.com domain.

  3. Sign in on the computer as ContosoClient\LocalAdmin, and install Microsoft Office, so that this computer can later use Word to test the deployment. Make sure that you install the latest service pack available for the version of Office that you install.

    Although you can use Office 2013, Office 2010, or Office 2007, the verification steps use Office 2013.

Step 2: Preparing the account partner organization (Trey Research)

Summary of computer configuration:

Host name IP address Roles in the account forest
TreyDC 192.168.111.100/24 Active Directory Domain Services with DNS

Active Directory Certificate Services
TreyFS 192.168.111.101/24 Active Directory Federation Services
TreyClient 192.168.111.110/24 Client to consume protected content
Install and configure the domain (Trey.net)
  1. Install a full version of Windows Server that is listed in the Applies to list at the beginning of this topic. We recommend 1 GB of RAM, and 32 GB of available hard disk space.

    Configure this computer as follows:

    • Computer name: TreyDC

    • IP address of 192.168.111.100, subnet mask of 255.255.255.0, and preferred DNS server of 127.0.0.1.

  2. Add the Active Directory Domain Services role and make the computer a domain controller with default settings except for the following configuration:

    • New forest with root domain name of trey.net
  3. Configure DNS for the following:

    • Resolve names for Contoso (Contoso.com): Forwarder of 192.168.111.1

    • For AD FS: New host (A) record with name of TreyADFS and IP address of 192.168.111.101 (associated PTR record is optional)

  4. Add the Active Directory Certificate Services role with the following configuration:

    • Certification Authority as an Enterprise CA, root CA named TreyRootCA. Accept all installation defaults except for the following:

      1. Add the Certification Authority Web Enrollment role service. This provides a quick and convenient method to publish the certificate revocation list (CRL) over HTTP so that it’s accessible to computers in the Contoso organization.

      2. After the install, configure the CA properties, Extension tab: Make sure that CRL Distribution Point (CDP) is selected, select the http:// entry in the list box, and then select Include in CRLs. Clients use this to find Delta CRL locationsand Include in the CDP extension of issued certificates. These two options are required so that computers in the Contoso organization can locate the CRL for this issuing CA in the Trey Research organization.

    Note


    In a production environment, do not use this configuration, which increases the attack surface. Instead, install the CA on a separate server from the domain controller, and publish the CRL on a separate web server. The configuration that we use here reduces the number of computers required and the number of configuration steps required to support this test network. If you purchase PKI server certificates, you do not even need to install the certification authority role.

  5. For all clients, add the URL for the local federation server to the local intranet zone, by configuring the following Group Policy for all client computers (for example, in our test environment, you can edit the Default Domain Policy, or create a new Group Policy object that’s linked to the domain):

    • Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignment List:

      • Enable and add TreyADFS.trey.net with the value of 1.

    This setting enables Windows integrated authentication, so that users are not prompted for their credentials.

  6. Add the following user accounts to the trey.net domain, with the additional following configuration choices:

    • Clear the User must change password at next logon check box.

    • Select Password never expires.

    Account name User logon name Email address Make member of domain group
    AdfsAdmin AdfsAdmin Not needed Default
    Terence Philip tphilip tphilip@trey.net Default
Install and configure a server for AD FS (TreyFS)
  1. Install a full version of Windows Server that is listed in the Applies to list at the beginning of this topic. We recommend 1 GB of RAM, and 32 GB of available hard disk space.

    Configure this computer as follows:

    • Computer name: TreyFS

    • IP address of 192.168.111.101, subnet mask of 255.255.255.0 and preferred DNS server of 192.168.111.100.

  2. Join this computer to the trey.net domain.

We’ll configure this server for AD FS later.

Install and configure a client computer for AD RMS (TreyClient)
  1. Install a client operating system that is listed in the Applies to list at the beginning of this topic. We recommend 1 GB of RAM, and 20 GB of available hard disk space.

    • Computer name: TreyClient

    • Local account, user name: LocalAdmin

    • IP address of 192.168.111.110, subnet mask of 255.255.255.0, and preferred DNS server of 192.168.111.100.

  2. Join this computer to the trey.net domain.

  3. Sign in on the computer as TreyClient\LocalAdmin, and install Microsoft Office, so that this computer can later use Microsoft Word to test the deployment. Make sure that you install the latest service pack available for the version of Office that you install.

    Although you can use Office 2013, Office 2010, or Office 2007, the verification steps use Office 2013.

Step 3: Deploying the PKI certificates

To configure AD RMS with AD FS, you need PKI server certificates for the following servers:

  • The server (or servers) running AD RMS with Identity Federation Support. In our deployment, this is the ContosoRMS.contoso.com server.

  • The server running AD FS in the resource organization. In our deployment, this is the ContosoADFS.contoso.com server.

  • The server running AD FS in an account organization. In our deployment, this is the TreyADFS.trey.net server.

For our deployment, this certificate has the following requirements:

  • Subject name: Common name of <service name>

    For our deployment, this name will be:

    • For the RMS service: RMSService.contoso.com

    • For the federation service in the resource organization: ContosoADFS.contoso.com

    • For the federation service in the account organization: TreyADFS.trey.net

  • Extended Key Usage: Server authentication (object identifier 1.3.6.1.5.5.7.3.1)

  • Key length: Minimum of 1024 bits but 2048 bits is recommended

  • Hash algorithm: Minimum of SHA-1

  • Private key

If you purchase the certificates and specify these requirements, follow the instructions from the certification authority provider to install the certificates on the servers. This is the most likely scenario for a production environment. To use purchased certificates in our testing environment, the computers must have access to the Internet so that they can access the certificate revocation list (CRL) for the issuing CA. If these conditions are met, go to the next step, Step 4: Installing and configuring AD RMS in the resource partner organization (Contoso).

However, you can also deploy these certificates yourself by using Active Directory Certificate Services, which is why this step-by-step deployment includes installing this server role in each organization. If you want to test AD RMS with AD FS and do not want to purchase the PKI certificates, use the following procedures in this step.

The first procedure is to republish the certificate revocation list (CRL) for the issuing CAs to make sure that computers in the other organization can access it by using HTTP. The next procedure is to copy and modify the Web Server certificate template on the CA for Contoso, and the CA for Trey Research. Then, the certificate template for Contoso is used to request a certificate for ContosoRMS and a certificate for ContosoFS. You must request these certificate separately because they need a specific value in the certificate subject that you supply when you request the certificate. Finally, the certificate template for Trey Research is used to request a certificate for TreyFS, also with a specific value in the certificate subject.

Republish the certificate revocation list (CRL)
  1. Sign in on ContosoDC as CONTOSO\Administrator, and start the Certification Authority console.

  2. In the console, right-click Revoked Certificates, click All Tasks, and then click Publish.

  3. In the Publish CRL dialog box, keep the default option of New CRL, and then click OK.

  4. Do not close Certification Authority console.

Repeat this procedure to republish the CRL on TreyDC.

The CRL is now available over HTTP for computers outside the forest.

Modify the Web Server certificate template
  1. Back on ContosoDC, in the Certification Authority console, right-click Certificate Templates and click Manage to load the Certificate Templates console.

  2. In the results pane, right-click the entry that displays Web Server in the column Template Display Name, and then click Duplicate Template.

  3. In the Properties of New Template dialog box, on the General tab, enter a template display name to generate the web certificates that will be used for this AD RMS and AD FS deployment, such as AD RMS and AD FS Web Server Certificate.

  4. Click the Subject Name tab, and confirm that Supply in the request is selected. This is required so that we can supply the service name when we request the certificate.

  5. Click the Security tab, click Add.

  6. Click Object Types and in the Object Types dialog box, select Computers, and click OK.

  7. Enter or select the computer name of ContosoRMS, and then select Enroll in the Allow column for this account, and do not clear the Read permission.

  8. Repeat the preceding step for the computer name of ContosoFS.

  9. Click OK, and close the Certificate Templates Console.

  10. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

  11. In the Enable Certificate Templates dialog box, select the new template that you have just created, and then click OK.

  12. Close the Certification Authority console.

Repeat this procedure to create a new certificate template on TreyDC, granting Enroll permission to the TreyFS computer.

The CA is now ready to accept certificate requests from the servers.

Request and install the server certificate
  1. Sign in on ContosoRMS with CONTOSO\Administrator.

  2. Load the Certificates snap-in for the Computer account, Local computer.

  3. Expand Certificates (Local Computer), and then click Personal.

  4. Right-click Certificates, click All Tasks, and then click Request New Certificate.

  5. On the Before You Begin page, click Next.

  6. On the Select Certificate Enrollment Policy page, click Next.

  7. On the Request Certificates page, identify the certificate template that you created by using the list of displayed certificates, and then click More information is required to enroll for this certificate. Click here to configure settings.

  8. In the Certificate Properties dialog box, in the Subject tab, for the Subject name section:

    1. Change the Type: from Full DN to Common name.

    2. In the Value box, type: RMSService.contoso.com

    3. Click Add.

  9. Click OK to close the Certificate Properties dialog box.

  10. Back in the Request Certificates page, select the certificate template that you created (for example, AD RMS and AD FS Web Server Certificate), and then click Enroll.

  11. Wait for the certificate request to complete, and then click Finish.

Sign in on ContosoFS and repeat this procedure, specifying the common name of ContosoADFS.contoso.com for the subject value.

Then sign in on TreyFS and repeat this procedure, specifying the common name of TreyADFS.trey.net for the subject value.

Now that the server certificates are installed, you need to establish a PKI trust between the two organizations. You do this by exporting the root CA from one organization and adding it to the trusted root CA store for the other organization.

Establish a PKI trust
  1. In the Contoso.com domain, sign in on the domain controller (ContosoDC) as CONTOSO\Administrator, and export the CA root certificate by doing the following:

    1. Load the Certificates MMC snap-in for the Computer account.

    2. Locate and export the CA root certificate to a .cer file format that you save to a USB thumb drive. Do not select the option to export the private key.

      Tip


      You can identify the correct certificate by checking the certificate properties: On the General tab, it lists All issuance policies and All application policies.

  2. Repeat step 1 for the Trey Research domain.

  3. In the Contoso.com domain, sign in on the domain controller (ContosoDC) as CONTOSO\Administrator and configure the following Group Policy for the domain (for example, edit the Default Domain Policy):

    • Computer Configuration > Policies> Windows Settings > Security Settings > Public Key Policies: Trusted Root Certification Authorities

      • Import the exported root CA certificate for the Trey Research forest.
  4. In the Trey.net domain, sign in on the domain controller (TreyDC) as TREY\Administrator and configure the following Group Policy for the domain (for example, edit the Default Domain Policy):

    • Computer Configuration > Policies> Windows Settings > Security Settings > Public Key Policies: Trusted Root Certification Authorities

      • Import the exported root CA certificate for the Contoso forest.
Optional verification (repeated later)
  • Sign in on ContosoDC as CONTOSO\Administrator and confirm the status of the certificate revocation list (CRL) by using Enterprise PKI (PKIView):

    1. From search or Run, type Pkiview.msc.

    2. In the console, click ContosoRootCA.

    3. In the results pane, confirm that that there is a location that starts with http:// and that its status is OK.

      This is the CRL that computers in the other organization will use for certificates that this CA issues, because they cannot use the default CRL that uses an LDAP location.

    4. Sign in on TreyDC as TREY\Administrator and repeat steps 1 through 3.

    To extend the CRL verification to make sure that the CRL is accessible from the other organization:

    1. Copy the HTTP URL from PKIView and paste it into a browser on a computer in the other organization. You should see a file download dialog box, asking you whether you want to open or save the file.

    2. Click Open, to see the Certificate Revocation List with a General tab and Revocation List tab. On the General tab, the value for Issuer should be the CA server from the other organization.

    To extend the CRL verification to confirm the certificate chain and certificate revocation status from the CRL, run the certutil -v -urlfetch -verify [certificate_file] command from the TreyClient computer:

    • Example: certutil -v -urlfetch -verify E:\ContosoRMS.cer

    • The [certificate_file] is the server certificate that you deployed on the AD RMS server (ContosoRMS), exported to a .cer file and saved to a USB thumb drive that you then copy to TreyClient.

    • Examine the output. It’s expected to see errors for the LDAP URL, because the TreyClient cannot use LDAP to communicate with the CA in Contoso. But you should see verification for the HTTP URL. The end of the command output should display Leaf certificate revocation check passed.

    Repeat this test by exporting the certificate from TreyFS and running the same command on the ContosoClient computer.

Now that the certificates are installed, you’re ready to install and configure AD RMS.

Step 4: Installing and configuring AD RMS in the resource partner organization (Contoso)

Summary of computer configuration:

Host name IP address Roles in the resource forest
ContosoRMS 192.168.111.2/24 SQL Server

Web Server (IIS)

Active Directory Rights Management:

- Active Directory Rights Management Server
- Identity Federation Support

Note


In this section, we install SQL Server on the same server that runs AD RMS. You wouldn’t usually do this on a production network, but this configuration reduces the number of configuration steps (and computers needed) for a testing environment. During the SQL Server installation process, Setup downloads and installs the .NET Framework 3.5 SP1. If you do not have Internet access from this computer, you can install it as a feature before you install SQL Server. To do this, follow the instructions from Enable .NET Framework 3.5 by using the Add Roles and Features Wizard (Windows Server 2012 only).

Use the following procedures to first install SQL Server, then install and configure AD RMS, and then prepare for AD FS.

Install SQL Server 2012 on ContosoRMS
  1. Sign in on ContosoRMS as CONTOSO\AdrmsAdmin, and run the setup program for SQL Server (Standard Edition or Enterprise Edition) with the following options:

    • New SQL Server stand-alone installation

    • Install the Setup support rules

    • On the Setup Role page, select SQL Server Feature Installation, and then select the following features on the Feature Selection page:

      1. Instance Features: Database Engine Services

      2. Instance Features: Reporting Services - Native

      3. Shared Features: Management Tools – Basic and Management Tools - Complete

    • On the Instance Configuration page, keep all default settings (installs a default instance).

    • On the Server Configuration page, accept all defaults.

    • On the Database Engine Configuration page, select the following:

      1. Server Configuration tab: For the Authentication Mode, keep the default of Windows authentication mode and for Specify SQL Server administrators, click Add Current User

      2. Data Directories and FILESTREAM tabs: No changes.

    • On the Reporting Services Configuration page, for Reporting Services Native Mode, keep the default of Install and configure.

    • On the Error Reporting page, do not select the checkbox to send error reports.

  2. Complete the installation and restart the computer if prompted to do so.

  3. To verify installation or to help troubleshoot any installation problems, see View and Read SQL Server Setup Log Files.

For full instructions to install SQL Server, see Install SQL Server 2012 from the Installation Wizard (Setup).

Install the AD RMS role on ContosoRMS
  1. Still signed in as CONTOSO\AdrmsAdmin, use Server Manager to install the Active Directory Rights Management Services role:

    • Select the following role services: Active Directory Rights Management Server and Identity Federation Support.
  2. Complete the installation and restart the computer if prompted to do so.

Now that AD RMS is installed, you must configure it.

Configure a new AD RMS root cluster on ContosoRMS
  1. In Server Manager, click the Notifications icon and then, for the task event Configuration required for Active Directory Rights Management Services at ContosoRMS, click Perform additional configuration.

  2. In the AD RMS Configuration wizard, specify the following options:

    • On the Create or Join an AD RMS Cluster page: Select Create a new AD RMS root cluster.

    • On the Configuration Database page: Select Specify a database server and a database instance and then select ContosoRMS for the server, and DefaultInstance for the Database Instance.

    • On the Service Account page: Specify Contoso\AdrmsSvc.

    • On the Cryptographic Mode page: Select Cryptographic Mode 2.

    • On the Cluster Key Storage page: Select Use AD RMS centrally managed key storage.

    • On the Cluster Key Password page: Specify a strong password.

    • On the Cluster Web Site page: Select Default Web Site.

    • On the Cluster Address page: Select Use an SSL-encrypted connection and type RMSService.contoso.com.

    • On the Server Certificate page: Select Choose an existing certificate for SSL encryption, and browse to select the PKI certificate that you installed previously.

    • On the Licensor Certificate page: Accept the default of ContosoRMS.

    • On the SCP Registration page: Accept the default of Register the SCP now.

    • On the Identify Identity Federation Support page: Type ContosoADFS.contoso.com.

      Important


      For this value, we recommend that you keep the casing exactly as it appears in the AD FS server certificate. For example, in our guide, this is ContosoADFS.contoso.com and not contosoadfs.contoso.com.

    • Sign off and then sign in again, which updates the security token of the signed-in user account. This is required because the user account that is signed in, is automatically made a member of the AD RMS Enterprise Administrators local group. Membership in this group grants permissions to administer AD RMS.

    • Remove CONTOSO\AdrmsAdmin from the Enterprise Admins global group for the forest.

  3. Optional verification (repeated later): To confirm that the URLs belonging to the RMS service are reachable inside Contoso:

    1. Sign in on ContosoClient as CONTOSO\nhollida.

    2. Run gpupdate /force to ensure that all Group Policy settings have been applied.

    3. Specify the following URL in Internet Explorer:

      This displays a web page that has the title License and introduction text of The following operations are supported.

    A successful connection verifies that ContosoClient can communicate with the RMS service.

AD RMS is now installed and configured as an AD RMS root cluster. You must now configure the local security policy so that the AD RMS service account can generate security audit events for AD FS.

Grant security audit privileges to the AD RMS service account
  1. Sign in to ContosoRMS with the CONTOSO\Administrator account.

  2. Edit the Local Security Policy > Local Policies > User Rights Assignment > Generate security audits:

    • Add CONTOSO\AdrmsSvc
Configure AD RMS: Add the AD RMS extranet cluster URLs
  1. Still signed in on ContosoRMS with the CONTOSO\Administrator account, open the Active Directory Rights Management Services console.

    If you see a security alert warning about the name of the certificate, you can click Yes to proceed to acknowledge the name mismatch between the server name and the name in the certificate subject. This name mismatch here doesn’t affect the operation of AD RMS with AD FS.

  2. Right-click the ContosoRMS computer name, and then click Properties.

  3. Click the Cluster URLs tab, select the Extranet URLs check box, specify the following, and then click OK:

    • Licensing: https:// and type RMSService.contoso.com

    • Certification: https:// and type RMSService.contoso.com

Configure AD RMS: Enable Identity Federation Support
  1. Still in the Active Directory Rights Management Services console, expand the AD RMS cluster, expand Trust Policies, and then click Federated Identity Support.

  2. In the Actions pane, click Enable Federated Identity Support.

  3. In the Actions pane, click Properties.

  4. On the Active Directory Federation Service Policies tab, for the Federated Identity Certificate validity period, type 7, and then click OK. This is the number of days that federated rights account certificates are valid.

AD RMS is now configured and ready for AD FS.

Step 5: Installing and configuring AD FS for both organizations

This steps installs and configures AD FS, first for the resource organization (Contoso), and then for the account organization (Trey Research).

Install the AD FS role on ContosoFS
  1. Sign in on ContosoFS as CONTOSO\Administrator, and use Server Manager to install the Active Directory Federation Services role:

    • You do not have to add any specific features for this deployment. Instead, keep the default selections.
  2. Complete the installation.

Note


For servers that are not connected to the Internet or are behind a proxy server: If the AD FS service fails to start with Application log errors 352, 102, or 220 after the computer is restarted, check that the following registry value exists and if not, manually add it:

Configure the Federation Service role on ContosoFS
  1. In Server Manager, click the Notifications icon and then click Configure the federation service on the server.

  2. In the Active Directory Federation Service Configuration Wizard, specify the following options:

    • On the Welcome page: Select Create the first federation server in a federation server farm.

    • On the Connect to AD DS page: Keep the default account.

    • On the Specify Service Properties page:

      • Use the drop-down box to select the previously installed certificate.

      • Federation Service Name: ContosoADFS.contoso.com

      • Federation Service Display Name: Contoso Corporation

    • On the Specify Service Account page: Select Use an existing domain user account or group Managed Service Account and specify CONTOSO\AdfsAdmin.

      For our testing environment, we’re using a domain user account for a simplified deployment. In a production environment, it’s recommended to use a group Managed Service Account so that you can benefit from capabilities such as automatic password management and a single identity if you have more than one AD FS server. For more information about group Managed Service Accounts, see Group Managed Service Accounts Overview.

    • On the Specify Database page: You can either create a database on this computer by using Windows Internal Database (WID), or you can specify the location and the instance name of Microsoft SQL Server. For this testing scenario, you can select Create a database on this server using Windows Internal Database.

      Note


      If you want to create an AD FS farm and use SQL Server to store your configuration data, you can use SQL Server 2008 and later versions, including SQL Server 2012. For more information about whether to use Windows Internal Database or SQL Server, see the “Determining which type of AD FS configuration database to use” section in the Plan Your AD FS Deployment Topology topic from the AD FS Design Guide in Windows Server 2012 R2.

That completes the AD FS installation for Contoso.

Optional verification (repeated later):

  1. Sign in on TreyFS as TREY\Administrator and run Internet Explorer.

  2. Connect to the following URL: https://ContosoADFS.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml

    There should be no certificate warnings and a long text should be displayed in the browser window.

Install the AD FS role on TreyFS
  1. Still signed in as TREY\Administrator, use Server Manager to install the Active Directory Federation Services role:

    • You do not have to add any specific features for this deployment. Instead, keep the default selections.
  2. Complete the installation.

Note


For servers that are not connected to the Internet or are behind a proxy server: If the AD FS service fails to start with Application log errors 352, 102, or 220 after the computer is restarted, check that the following registry value exists and if not, manually add it:

Configure the Federation Service role on TreyFS
  1. In Server Manager, click the Notifications icon and then click Configure the federation service on the server.

  2. In the Active Directory Federation Service Configuration Wizard, specify the following options:

    • On the Welcome page: Select Create the first federation server in a federation server farm.

    • On the Connect to AD DS page: Keep the default account.

    • On the Specify Service Properties page:

      • Use the drop-down box to select the previously installed certificate.

      • Federation Service Name: TreyADFS.trey.net

      • Federation Service Display Name: Trey Research

      • On the Specify Service Account page: Select Use an existing domain user account or group Managed Service Account and specify TREY\AdfsAdmin.

      • On the Specify Database page: You can either create a database on this computer by using Windows Internal Database (WID), or you can specify the location and the instance name of Microsoft SQL Server. For this testing scenario, you can select Create a database on this server using Windows Internal Database.

        Note


        If you want to create an AD FS farm and use SQL Server to store your configuration data, you can use SQL Server 2008 and later versions, including SQL Server 2012. For more information about whether to use Windows Internal Database or SQL Server, see the “Determining which type of AD FS configuration database to use” section in the Plan Your AD FS Deployment Topology topic from the AD FS Design Guide in Windows Server 2012 R2.

That completes the AD FS installation for Trey Research. The two organizations are now ready to exchange certificates for signing and encryption. The procedures in the next section are necessary when you use self-signed certificates for token signing, instead of using PKI certificates from a well-known external certification authority.

Optional verification (repeated later):

  1. Sign in on ContosoFS as CONTOSO\Administrator and run Internet Explorer.

  2. Connect to the following URL: https://TreyADFS.trey.net/FederationMetadata/2007-06/FederationMetadata.xml

    There should be no certificate warnings and a long text should be displayed in the browser window.

Export and import the token signing certificates from each federation server
  1. Still signed in on TreyFS as TREY\Administrator, open the Active Directory Federation Services console.

  2. Navigate to AD FS > Service > Certificates.

  3. In the results pane, double-click the Token Signing certificate.

  4. On the Details tab, click Copy to File and use the wizard to copy the certificate without exporting the private key, to a DER encoded binary X.509 (.CER) file.

  5. Save or move the file to a thumb drive. Make sure you choose a file name to help identify which organization the token signing certificate is from.

  6. Sign in on ContosoFS as CONTOSO\Administrator and open the Active Directory Federation Services console. Then, repeat steps 2 through 5, so that you have a second file on the thumb drive.

  7. Still signed in on ContosoFS as CONTOSO\Administrator, load the Certificates MMC snap-in for the Computer account.

  8. Navigate to Trusted Root Certification Authorities > Certificates, and then right click to choose All Tasks > Import, and use the wizard to import the copied token signing certificate file from TreyFS.

  9. Sign in on TreyFS as TREY\Administrator, load the Certificates MMC snap-in for the Computer account.

  10. Navigate to Trusted Root Certification Authorities > Certificates, and then right click to choose All Tasks > Import, and use the wizard to import the copied token signing certificate file from ContosoFS.

  11. Finally, sign in on ContosoRMS as CONTOSO\Administrator, load the Certificates MMC snap-in for the Computer account.

  12. Navigate to Trusted Root Certification Authorities > Certificates, and then right click to choose All Tasks > Import, and use the wizard to import the copied token signing certificate file from ContosoFS.

Create 2 relying party trusts on ContosoFS
  1. Sign in on ContosoFS as CONTOSO\Administrator, and load the AD FS Management console.

  2. Expand Trust Relationships, and click Relying Party Trusts.

  3. From the Actions pane, click Add Relying Party Trust to start the Add Relying Party Trust Wizard.

  4. On the Select Data Source page, select Enter data about the relying party manually.

  5. On the Specify Display Name page, type a name, such as AD RMS Certification.

  6. On the Choose Profile page, select AD FS profile. This option is appropriate because it is supported by the version of AD RMS we’re using, and offers the latest features.

    If the server running AD RMS was running an operating system version earlier than Windows Server 2012 R2, then you would choose AD FS 1.0 and 1.1 profile, and later, configure different claims. However, this configuration is outside the scope of this document.

  7. On the Configure Certificate page, do not browse to a certificate for token encryption, but just click Next. This generates a self-signed certificate that is suitable even for production networks. However, if your organization wants to use a PKI certificate, this is where you would select a previously installed PKI certificate (no specific extended key usage required, and no specific value required in the certificate subject or subject alternate name).

  8. On the Configure URL page, select Enable support for the WS-Federation Passive protocol, and type the following for the URL: https://RMSService.contoso.com/\_wmcs/certificationexternal

    Important


    Make sure that you include the trailing “/”. The configuration will not work without this and the symptoms are that the verification tests pass but the Word document will prompt for authentication, and then fail to open.

  9. On the Configure Identifiers page, you should see the following identifier: https://RMSService.contoso.com/\_wmcs/certificationexternal

  10. On the Configure Multi-factor Authentication Now page, select I do not want to specify multi-factor authentication setting for this relying party trust at this time.

  11. On the Choose Issuance Authorization Rules page, select Permit all users to access this relying party.

  12. On the Ready to Add Trust page, click Next.

  13. On the Finish page, select the option to open the Edit Claims dialog box, and click Close.

  14. In the Edit Claims Rules dialog box, add 2 claim rules:

    1. Claim rule 1—LDAP attributes:

      • On the Issuance Transform Rules tab, click Add Rule.

      • On the Select Rule Template page, select Send LDAP attributes as Claims.

      • On the Configure Rule page, specify the name as LDAP claims for AD RMS. For the Attribute store, select Active Directory.

      • For the Mapping of LDAP attributes to outgoing claim types section, specify the following, then click Finish:

        LDAP attribute Outgoing Claim Type
        E-Mail-Addresses E-Mail Address
    2. Claim rule 2—Email:

      • On the Issuance Transform Rules tab, click Add Rule.

      • On the Select Rule Template page, select Pass Through or Filter an Incoming Claim.

      • On the Configure Rule page, specify the name as Email claims for AD RMS.

      • For the Incoming claim type field, specify E-Mail Address, select Pass through only claim values that match a specific email suffix, and then, for the Email suffix value, specify trey.net.

        Note


        This configuration filters helps to prevent somebody from the account organization (Trey.net in our example) from issuing forged claims (impersonation) to access resources in the resource organization (Contoso.com in our example). If the account organization uses more than one email suffix (for example, as a result of a merger), you can create additional email rules, each one specifying the email suffix that you want to allow. For example, you create a new email claim rule that has the same configuration as this one, except that you specify treyresearch.net or fabrikam.com for the Email suffix value. Alternatively, use the instructions from this TechNet wiki article to use RegEx for the condition statement in the claims rule language: AD FS 2.0: Using RegEx in the Claims Rule Language When a user from the partner organization tries to authenticate by using an email suffix that isn’t specified in these email claim rules, the user sees the following error message: An error occurred while trying to contact the Active Directory Rights Management Services server. Try again later or contact your administrator.

      • Click Finish.

  15. Click OK to close the Edit Claims Rules dialog box.

Now repeat steps 3-15 in this procedure (including the 2 claim rules) to create a second relying party trust that you name AD RMS Licensing. The only difference in the configuration is the URL and identifier (steps 7 and 8):

Add a claims provider trust and claim rules to ContosoADFS
  1. Still signed in on ContosoFS as CONTOSO\Administrator, and in the AD FS Management console, make sure that Trust Relationships is expanded, click Claims Provider Trusts, and then, from the Actions pane, click Add Claims Provider Trust to start the Add Claims Provider Trust Wizard.

  2. On the Select Data Source page, click Import data about the claims provider published online or on a local network and type https://TreyADFS.trey.net/FederationMetadata/2007-06/FederationMetadata.xml.

  3. On the Specify Display Name page, specify a display name such as Trey AD FS.

  4. On the Ready to Add Trust page, click Next.

  5. On the Finish page, select the option to open the Edit Claims dialog box, and click Close.

  6. In the Edit Claim Rules dialog box, add 1 claim rule:

    • On the Acceptance Transform Rules tab, click Add Rule.

    • On the Select Rule Template page, select Pass Through or Filter an Incoming Claim.

    • On the Configure Rule page, specify the name as Pass through email.

    • For the Incoming claim type field, specify E-Mail Address, select Pass through only claim values that match a specific email suffix, and then, for the Email suffix value, specify trey.net.

      Note


      This configuration filters helps to prevent somebody from the account organization (Trey.net in our example) from issuing forged claims (impersonation) to access resources in the resource organization (Contoso.com in our example). If the account organization uses more than one email suffix (for example, as a result of a merger), you can create additional email rules, each one specifying the email suffix that you want to allow. For example, you create a new email claim rule that has the same configuration as this one, except that you specify treyresearch.net or fabrikam.com for the Email suffix value. Alternatively, use the instructions from this TechNet wiki article to use RegEx for the condition statement in the claims rule language: AD FS 2.0: Using RegEx in the Claims Rule Language When a user from the partner organization tries to authenticate by using an email suffix that isn’t specified in these email claim rules, the user sees the following error message: An error occurred while trying to contact the Active Directory Rights Management Services server. Try again later or contact your administrator.

    • Click Finish.

Create a relying party trust on TreyFS
  1. Sign in on TreyFS as TREY\Administrator, and start the AD FS Management console.

  2. Expand Trust Relationships, click Relying Party Trusts, and then, from the Actions pane, click Add Relying Party Trust to start the Add Relying Party Trust Wizard.

  3. On the Select Data Source page, click Import data about the relying party published online or on a local network and type https://contosoadfs.contoso.com/federationmetadata/2007-06/federationmetadata.xml.

  4. On the Specify Display Name page, type a name such as Contoso AD FS, and then click Next.

  5. On the Configure Multi-factor Authentication Now page, select I do not want to specify multi-factor authentication setting for this relying party trust at this time.

  6. On the Choose Issuance Authorization Rules page, select Permit all users to access this relying party.

  7. On the Ready to Add Trust page, click Next.

  8. On the Finish page, select the option to open the Edit Claims dialog box, and click Close.

  9. In the Edit Claims dialog box, add 1 claim rule:

    • On the Issuance Transform Rules tab, click Add Rule.

    • On the Select Rule Template page, select Send LDAP attributes as Claims.

    • On the Configure Rule page, specify the name as Claims for AD FS. For the Attribute store, select Active Directory.

    • For the Mapping of LDAP attributes to outgoing claim types section, specify the following, then click Finish, and then click OK to close the Edit Claim Rules dialog box:

      LDAP attribute Outgoing Claim Type
      E-Mail-Addresses E-mail Address
Checkpoint verifications
  1. Sign in on ContosoDC as CONTOSO\Administrator and confirm the status of the certificate revocation list (CRL) by using Enterprise PKI (PKIView):

    1. From search or Run, type Pkiview.msc.

    2. In the console, click ContosoRootCA.

    3. In the results pane, confirm that that there is a location that starts with http:// and that its status is OK.

      This is the CRL that computers in the other organization will use for certificates that this CA issues, because they cannot use the default CRL that uses an LDAP location.

    4. Sign in on TreyDC as TREY\Administrator and repeat steps 1 through 3.

    To extend the CRL verification to make sure that the CRL is accessible from the other organization:

    1. Copy the HTTP URL from PKIView and paste it into a browser on a computer in the other organization. You should see a file download dialog box, asking you whether you want to open or save the file.

    2. Click Open, to see the Certificate Revocation List with a General tab and Revocation List tab. On the General tab, the value for Issuer should be the CA server from the other organization.

    To extend the CRL verification to confirm the certificate chain and certificate revocation status from the CRL, run the certutil -v -urlfetch -verify [certificate_file] command from TreyClient:

    • Example: certutil -v -urlfetch -verify E:\ContosoRMS.cer

    • The [certificate_file] is the server certificate that you deployed on the AD RMS server (ContosoRMS), exported to a .cer file and saved to a USB thumb drive that you then attach to the TreyClient computer.

    • Examine the output. It’s expected to see errors for the LDAP URL, because the TreyClient cannot use LDAP to communicate with the CA in Contoso. But you should see verification for the HTTP URL. The end of the command output should display Leaf certificate revocation check passed.

    Repeat this test by exporting the certificate from TreyFS and running the same command on the ContosoClient computer.

  2. Using the client computer, ContosoClient, use Internet Explorer to test a connection to the Contoso federation server, ContosoADFS, by using these URLs:

    The first URL should display the federation server metadata in the browser, and the second displays an AD FS sign-in page where you can sign in with domain credentials. A successful connection should not result in certificate errors or prompts for authentication. If you do not see these, it confirms that AD FS is working within the resource organization, Contoso.

  3. Similarly, using the client computer, TreyClient, use Internet Explorer to test a connection to the Trey Research federation server, TreyADFS, by using these URLs:

    As before, the first URL should display the federation server metadata in the browser, and the second displays an AD FS sign-in page where you can sign in with domain credentials. A successful connection should not result in certificate errors or prompts for authentication. If you do not see these, it confirms that AD FS is working within the account organization, Trey Research.

  4. Using the client computer, TreyClient, use Internet Explorer to test a connection to the Contoso federation server, ContosoADFS, by using this URL:

    A successful connection should not result in certificate errors or prompts for authentication. If you do not see these, it confirms that AD FS is working across the two forests; from the account organization (Trey Research) to the resource organization, Contoso.

  5. Using the client computers, ContosoClient and TreyClient, use Internet Explorer to test a connection to the RMS service, by using this URL:

    This displays a web page in the browser that has the title License and introduction text of The following operations are supported. A successful connection verifies that both clients can communicate with the RMS service.

    If you are prompted for credentials, it could indicate a problem with the Group Policy configuration to add the local federation server or the RMS service URL (for the Contoso domain only) to the local intranet zone. Make sure that this setting is configured and that the client has downloaded the latest Group Policy settings.

    If the connection is successful for ContosoClient but not for TreyClient, it could indicate a problem with the AD FS claims configuration.

Step 6: Preparing the Trey Research client for AD RMS: Configuring the Federation Home Realm

You must edit the registry on the client in the Trey Research domain so that the client can find its local federation server.

In a production environment, you would do this by using Group Policy or a script. However, for our single testing client, we will edit the registry directly.

Configuring the Federation Home Realm
  1. Sign in on TreyClient as TREY\Administrator.

  2. Edit the registry with the Run as administrator option.

    Use the following table to create and specify the following registry value (REG_SZ) for the version of Office that the client is using. Create the registry keys if needed.

    Version of Microsoft Office Operating system platform Registry value (REG_SZ)
    Office 2013, 64-bit 64-bit [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSIPC\Federation]

    "FederationHomeRealm"="http://TreyADFS.trey.net/adfs/services/trust"
    Office 2013, 32-bit 64-bit [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MSIPC\Federation]

    "FederationHomeRealm"="http://TreyADFS.trey.net/adfs/services/trust"
    Office 2013, 32-bit 32-bit [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSIPC\Federation]

    "FederationHomeRealm"="http://TreyADFS.trey.net/adfs/services/trust"
    Office 2010 or earlier, 64-bit 64-bit [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDRM\Federation]

    "FederationHomeRealm"="http://TreyADFS.trey.net/adfs/services/trust"
    Office 2010 or earlier, 32-bit 64-bit [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MSDRM\Federation]

    "FederationHomeRealm"="http://TreyADFS.trey.net/adfs/services/trust"
    Office 2010 or earlier, 32-bit 32-bit [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDRM\Federation]

    "FederationHomeRealm"="http://TreyADFS.trey.net/adfs/services/trust"

    Note


    Although specifying HTTP rather than HTTPS for the federation home realm URL might look odd, it is correct. If you specify HTTPS instead, it does not work. For the URL, we recommend that you keep the casing exactly as it appears in the AD FS server certificate (in our guide, TreyADFS.trey.net and not treyadfs.trey.net). Some versions of Office might fail to connect if the casing does not match.

This concludes the configuration steps and you’re ready to test the AD RMS with AD FS deployment.

Step 7: Verifying the AD RMS and AD FS deployment

To verify that AD RMS with AD FS is working, you protect a Word document in the Contoso organization such that a user in Trey Research can open it, but for read-only. For example, he cannot save or print the document.

To protect the document in Contoso
  1. Sign in on ContosoClient as CONTOSO\nhollida.

  2. Start Word 2013, and in the document, type: Only Terence Philip can read this document, but cannot change, print, or copy it.

  3. Click the Microsoft Office button, click the File tab, and click Info.

  4. Click Protect Document, and then Restrict Access.

  5. Click Restricted Access.

  6. In the Permission dialog box, in the Read text box, type **TPHILIP@TREY.NET**, and then click OK.

  7. Click the Microsoft Office button, click Save As, and save the file to a thumb drive.

To open the protected document in Trey Research
  1. Sign in on TreyClient as TREY\tphilip.

  2. Double-click the file from the thumb drive.

  3. Word starts and you see the following message:

    Permission to this document is currently restricted. Microsoft Office must connect to https://rmsservice.contoso.com/\_wmcs/licensin to verify your credentials and download your permissions.

  4. Click OK, and you then see this message:

    Verifying your credentials for opening content with restricted permissions.

  5. The document opens and it has a yellow message bar at the top of the page that displays the permission that are assigned to the document.

  6. Click View Permission in the message bar to confirm that Terence Philip can only read the document. You can also confirm this because the options to save and print are not available.

This final step confirms that AD RMS is successfully working with AD FS.

See Also

Active Directory Rights Management Services Overview