Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

Transcript of Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

Page 1

Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

Page 2

Module 6: Configuring AD RMS

• Overview of AD RMS

• Installing and Configuring AD RMS Server Components

• Administering AD RMS

• Implementing AD RMS Trust Policies

Page 3

Lesson 1: Overview of AD RMS

• How Access Management Is Enforced by Using AD RMS

• Usage Scenarios of AD RMS

• Comparing Technologies Used to Protect Information

• Identifying AD RMS Components

• AD RMS Certificates and Licenses

• Overview of AD RMS Workflow

• How Files Are Protected by Using AD RMS

Page 4

How Access Management Is Enforced by Using AD RMS

AD RMS enforces access management by:

Establishing trusted participants within the AD RMS system

Assigning persistent usage rights and conditions that govern how a trusted participant can use protected information

Encrypting information and allowing access to users that have the required components and rights to open and view the information

Types of information that can be protected include:

Sensitive documents such as plans, proposals, and reports

E-mail messages

Content stored in AD RMS-aware intranet services

Page 5

Usage Scenarios for AD RMS

Usage scenario: Secure confidential files
Application: Microsoft® Office Word®, Excel®, and PowerPoint®
Features: Set rights (View, Change, Print); set validity period

Usage scenario: Do-not-forward/print e-mail message
Application: Microsoft® Office Outlook®; Microsoft® Exchange Server 2007 Service Pack 1 (SP1)
Features: Help protect sensitive e-mail messages from being sent to the Internet; help protect confidential e-mail messages from being taken outside the company; Rights Management Services (RMS) prelicensing agent

Usage scenario: Help safeguard intranet content
Application: Microsoft® Office SharePoint® Services
Features: Help safeguard intranet content by restricting access to View, Change, and Print

Usage scenario: Identity federation support
Application: All RMS-enabled applications; Active Directory® Federation Services (AD FS)
Features: Help safeguard data across AD FS trusts

Page 6

Comparing Technologies Used to Protect Information

Technologies compared: AD RMS; Secure/Multipurpose Internet Mail Extensions (S/MIME) signing; S/MIME encryption; access control lists (ACLs); Encrypting File System (EFS)

Features compared:

Attests to the identity of the publisher

Differentiates permissions by user

Prevents unauthorized viewing

Encrypts protected content

Offers content expiration

Controls content reading, modifying, or printing by user *

Extends protection beyond initial publication *

* With some limitations

Page 7

Identifying AD RMS Components

Components shown in the diagram:

AD RMS clients

SQL Server™ (configuration, data, and logging)

AD RMS root cluster Web server (IIS)

Active Directory® Domain Services (AD DS)

AD RMS licensing-only cluster

Page 8

AD RMS Certificates and Licenses

Server Licensor Certificate

Is created when the AD RMS server role is installed and configured on the first server of an AD RMS root cluster

Machine Certificate

Identifies a trusted computer and contains the unique public key for that machine; issued on a per-user, per-computer basis

Rights Account Certificate

Names a trusted user identity by using the e-mail address or SID of the user; issued on a per-user basis

Client Licensor Certificate

Names a trusted user who is authorized to publish RMS-protected information without requiring connectivity to an RMS server; issued per user on a computer

Publishing License

Sets the policy for acquiring a use license for rights-protected information

Use License

Grants an authorized user with a valid RAC the rights to consume rights-protected information, based on the policy established in the publishing license

Page 9

Overview of AD RMS Workflow

Diagram: the AD RMS workflow in numbered steps 1 to 9, from the information author (publishing) to the information recipient (consuming), with the database server, the AD RMS cluster, and Active Directory® between them.

Page 10

How Files Are Protected by Using AD RMS

A rights-protected file has three parts:

Content: the content of the file, such as text, pictures, and media. It is encrypted with a 128-bit AES symmetric encryption key (the content key).

Publishing license: contains the content key and the rights information with e-mail addresses. It is encrypted with the public key of the server and is created when the file is protected.

Use license: contains the content key and the rights information with e-mail addresses. It is encrypted with the public key of the user and is added to the file after the server licenses a user to open it.

Use licenses for e-mail are stored in the local RMS license cache, not in e-mail messages directly.
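The three-part layout on this slide can be modelled end to end with the RSA and AES classes in .NET. The following PowerShell script is an added example for this transcript, not code from the course, from AD RMS, or from the MSDRM client: hashtables stand in for the XrML licenses and the lockbox, and the function names (Protect-RmsContent, Grant-RmsUseLicense, Unprotect-RmsContent), the sample document and the e-mail addresses are this example's own. It assumes Windows PowerShell 5.1 or later (RSACng, .NET Framework 4.6 or later), which is newer than the 2008-era client the module describes. The point it makes visible is the security property behind the diagram: the content key exists in the file only wrapped to the server's public key, and a copy wrapped to a user's key is produced only after the server has checked that user against the rights information.

```powershell
# Added example: a .NET model of the key wrapping on the slide. Not AD RMS code;
# hashtables stand in for XrML licenses and the lockbox. Needs PowerShell 5.1+.
$OAEP = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256

# Key pairs: the server pair models the cluster's SLC key, the user pair the key in
# the recipient's rights account certificate (RAC). Private keys never leave their owner.
$serverKey = New-Object System.Security.Cryptography.RSACng -ArgumentList 2048
$userKey   = New-Object System.Security.Cryptography.RSACng -ArgumentList 2048

function Protect-RmsContent {
    param([byte[]]$Plaintext, [hashtable]$Rights)
    # Content key: a 128-bit AES key created when the file is protected.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 128
    $aes.GenerateKey()
    $aes.GenerateIV()
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    # Publishing license: content key plus rights info (e-mail address -> rights),
    # sealed with the SERVER's public key, so only the cluster can open it.
    $pl = @{
        Rights     = $Rights
        ContentKey = $serverKey.Encrypt($aes.Key, $OAEP)
    }
    return @{ Ciphertext = $cipher; IV = $aes.IV; PublishingLicense = $pl }
}

function Grant-RmsUseLicense {
    param([hashtable]$PublishingLicense, [string]$Requester, $RequesterPublicKey)
    # Server side: unwrap the content key with the private key that stayed on the cluster,
    # then check the requester against the rights info before issuing anything.
    $contentKey = $serverKey.Decrypt($PublishingLicense.ContentKey, $OAEP)
    if (-not $PublishingLicense.Rights.ContainsKey($Requester)) {
        throw "No use license: $Requester is not named in the publishing license"
    }
    # Use license: the same content key, now sealed with the USER's public key, plus
    # that user's rights. It is added to the file after the server licenses the user.
    return @{
        Rights     = $PublishingLicense.Rights[$Requester]
        ContentKey = $RequesterPublicKey.Encrypt($contentKey, $OAEP)
    }
}

function Unprotect-RmsContent {
    param([hashtable]$ProtectedFile, [hashtable]$UseLicense, $UserPrivateKey)
    # Client side: only the holder of the RAC private key recovers the content key.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $UserPrivateKey.Decrypt($UseLicense.ContentKey, $OAEP)
    $aes.IV  = $ProtectedFile.IV
    return ,$aes.CreateDecryptor().TransformFinalBlock($ProtectedFile.Ciphertext, 0, $ProtectedFile.Ciphertext.Length)
}

# Constructed sample input: one document, View rights for one constructed address.
$doc  = [System.Text.Encoding]::UTF8.GetBytes("Q3 acquisition plan - confidential")
$file = Protect-RmsContent -Plaintext $doc -Rights @{ "bob@contoso.com" = "View" }

# The server only ever sees the user's public key (modelled as exported parameters).
$userPub = New-Object System.Security.Cryptography.RSACng
$userPub.ImportParameters($userKey.ExportParameters($false))

$ul = Grant-RmsUseLicense -PublishingLicense $file.PublishingLicense `
                          -Requester "bob@contoso.com" -RequesterPublicKey $userPub
[byte[]]$plain = Unprotect-RmsContent -ProtectedFile $file -UseLicense $ul -UserPrivateKey $userKey
"Rights granted: $($ul.Rights)"
"Recovered: " + [System.Text.Encoding]::UTF8.GetString($plain)

# An address that the publishing license does not name gets no use license at all:
try {
    Grant-RmsUseLicense -PublishingLicense $file.PublishingLicense `
                        -Requester "mallory@contoso.com" -RequesterPublicKey $userPub | Out-Null
} catch { Write-Warning $_.Exception.Message }
```

Two simplifications are worth naming: real AD RMS puts the rights information inside a signed XrML document rather than a hashtable, and the RAC itself is a certificate signed by the issuing cluster, which is what the trust policies in lesson 4 build on. The model keeps the division of labour exact, though: the server never needs the user's private key, and the user never sees the server's.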

Page 11

Lesson 2: Installing and Configuring AD RMS Server Components

• AD RMS Deployment Scenarios

• Preinstallation Considerations

• AD RMS System Requirements

• How to Install the First Server of an AD RMS Cluster

• What Is a Service Connection Point?

• Implementing an AD RMS Client

• Configuring Client Service Discovery

Page 12

AD RMS Deployment Scenarios

Deploying AD RMS in a single Forest

Deploying an AD RMS Licensing-Only cluster

Deploying AD RMS in a Multi-Forest environment

Deploying AD RMS in an Extranet

Deploying AD RMS with AD FS


Page 13

Preinstallation Considerations

Consider the following points before deploying AD RMS:

Determine whether to use an external database or the internal database provided by Windows Server® 2008.

Make the account used to install AD RMS a member of the Enterprise Admins group or equivalent if the service connection point is to be registered during installation.

Install AD RMS on a member server in the same domain as the user accounts that will participate in AD RMS.

Create a DNS alias (CNAME) record for the AD RMS cluster URL, and a CNAME record for the computer hosting the configuration database.

Obtain a Secure Sockets Layer (SSL) certificate from a trusted certification authority if secure communication to and from the AD RMS cluster is required.

Create a specific AD RMS service account with standard user permissions.

Page 14

AD RMS System Requirements

Hardware requirements

Required: one Pentium 4 processor (3 GHz or higher); 512 MB RAM; 40 GB free disk space

Recommended: two Pentium 4 processors (3 GHz or higher); 1024 MB RAM; 80 GB free disk space

Software requirements

Operating system: Windows Server® 2008

File system: NTFS file system is recommended

Messaging: Message Queuing

Web services: Internet Information Services (IIS); ASP.NET must be enabled

Active Directory® or AD DS: AD RMS must be installed in an Active Directory® domain. The domain controllers should run Windows® 2000 Server with Service Pack 3, Windows Server® 2003, or Windows Server® 2008. All users and groups who use AD RMS to acquire licenses and publish content must have an e-mail address configured in Active Directory®.

Database server: Microsoft® SQL Server™ 2005 or equivalent, and stored procedures

Page 15

Demonstration: How to Install the First Server of an AD RMS Cluster

• To use DNS to configure a CNAME for the AD RMS cluster

• To use Server Manager to install the AD RMS server role
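The Preinstallation Considerations slide and the CNAME step of this demonstration are both checkable from the server that will become the first cluster node. The script below is an added example for this transcript, not the course's demonstration script: it tests the preinstallation points and then creates the two CNAME records with dnscmd, which ships with the Windows Server 2008 DNS role. The zone, the host names and the service account name (svc-adrms) are placeholders built from the lab names on the last slide of this module; the alias names rms and rmsdb are this example's own.

```powershell
# Added example, not the course's demonstration: preinstallation checks for AD RMS,
# then the two CNAME records. Run on the future cluster node as the installing account.
$zone        = "woodgrovebank.com"       # placeholder zone, from the lab domain name
$dnsServer   = "NYC-DC1"                 # lab domain controller, also the DNS server here
$clusterHost = "NYC-SVR1.$zone"          # member server that will host the root cluster
$dbHost      = "NYC-SVR1.$zone"          # configuration database host (same box with the internal database)
$svcAccount  = "svc-adrms"               # placeholder sAMAccountName of the dedicated service account

# Installer must be an Enterprise Admin (or equivalent) if the SCP is registered during setup.
$isEA = [bool]((whoami /groups) -match "Enterprise Admins")
"Installer is Enterprise Admin:              $isEA"

# AD RMS goes on a member server in the users' domain (DomainRole 3 = member server).
$cs = Get-WmiObject Win32_ComputerSystem
"Member server in domain $($cs.Domain):      $($cs.PartOfDomain -and $cs.DomainRole -eq 3)"

# Service account: a dedicated account with standard user permissions, not an admin.
$svc = ([ADSISearcher]"(sAMAccountName=$svcAccount)").FindOne()
$privileged = @($svc.Properties["memberof"]) -match "CN=(Domain|Enterprise) Admins,"
"Service account found / standard user:      $($null -ne $svc) / $(@($privileged).Count -eq 0)"

# SSL certificate for the cluster URL, if secure communication is required.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*CN=rms.$zone*" }
"SSL certificate for rms.$zone in machine store: $($null -ne $cert)"

# DNS: one CNAME for the cluster URL, one for the configuration database host.
dnscmd $dnsServer /RecordAdd $zone rms   CNAME $clusterHost
dnscmd $dnsServer /RecordAdd $zone rmsdb CNAME $dbHost
foreach ($alias in "rms.$zone", "rmsdb.$zone") {
    # GetHostEntry follows the alias and reports the canonical host name
    "$alias -> " + [System.Net.Dns]::GetHostEntry($alias).HostName
}
```

The checks print booleans rather than stopping, so a failed item is easy to see next to the ones that passed; the two dnscmd lines are the equivalent of the DNS console steps in the demonstration and can be re-run safely because an existing record with the same data is reported rather than duplicated.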

Page 16

What Is a Service Connection Point?

A service connection point (SCP):

Provides automatic discovery of the AD RMS cluster URL

Is limited to one SCP per Active Directory® forest

Is registered or removed by using the AD RMS management console

Is viewed and modified by using ADSI Edit

ADSI Edit view of the SCP (Configuration partition on SEC-DC.Adatum.com):

CN=Configuration,DC=Adatum,DC=com
  CN=Display Specifiers
  CN=Extended-Rights
  CN=ForestUpdates
  CN=Services
    CN=MsmqServices
    CN=NetServices
    CN=Public Key Services
    CN=Rights Management Services
      CN=SCP
    CN=RRAS
    CN=Windows NT

Page 17

Implementing an AD RMS Client

The AD RMS client creates and manages the machine certificate and lockbox.

The AD RMS client works with AD RMS-compatible applications such as the 2007 Office system.

The AD RMS client is integrated with the Windows Vista® and Windows Server® 2008 operating systems.

The AD RMS client is downloaded from the Microsoft® Download Center for earlier versions of Windows®.

The AD RMS client is deployed manually or automatically by using Active Directory® Group Policy.

Page 18

Configuring Client Service Discovery

AD RMS clients discover the AD RMS cluster using the following methods:

AD DS service connection point

AD RMS client registry override under HKEY_LOCAL_MACHINE\Software\Microsoft\MSDRM\ServiceLocation:

Activation (syntax: http(s)://<cluster>/_wmcs/certification)

EnterprisePublishing (syntax: http(s)://<cluster>/_wmcs/certification)

Page 19

Lesson 3: Administering AD RMS

• AD RMS Administration Tasks

• What Is a Rights Policy Template?

• How To Create a Rights Policy Template

• Providing Rights Policy Templates for Offline Use

• What Are Exclusion Policies?

Page 20

AD RMS Administration Tasks

Diagram: AD RMS administration tasks cover trust policies, exclusion policies, and rights policy templates.

Page 21

What Is a Rights Policy Template?

A rights policy template:

Includes rights such as Full Control, View, Edit, Save, Print, Forward, and Reply

Is stored in the configuration database, or in a shared folder on the network for offline publishing

Is selected by the author during document creation to apply rights to the content

Is configured as a distributed or an archived template

Specifies the users or groups that have rights to work with content protected with the template

Uses Online Certificate Status Protocol validation and revocation checking using HTTP

Page 22

Demonstration: How To Create a Rights Policy Template

• To configure a distributed rights policy template

• To manage archived rights policy templates

Page 23

Providing Rights Policy Templates for Offline Use

1. Create a shared folder on the server to be used to store the exported rights policy templates.

2. Use the AD RMS console to export the templates to the folder location.

3. Deploy the exported templates to a local folder on each client.

4. Modify the client registry to specify where to find the policy templates on the client.

Example for Office 2007:

Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Common\DRM\

Value: AdminTemplatePath

Type: REG_EXPAND_SZ

Recommended value: %allusersprofile%\Application Data\Microsoft\DRM\<templatefoldername>
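Steps 3 and 4 are the client-side part of this procedure and are the part worth scripting, since they repeat on every client. The script below is an added example for this transcript, not the course's lab steps: it uses the Office 2007 registry value from the slide, while the share path \\NYC-SVR1\RmsTemplates and the template folder name Contoso are constructed. Step 2, exporting the templates, is done in the AD RMS console and is not scripted here.

```powershell
# Added example, not the course's lab steps: deploy exported templates to this client
# (step 3) and point Office 2007 at them (step 4). Share and folder name are placeholders.
$share    = "\\NYC-SVR1\RmsTemplates"      # placeholder share from step 1
$folder   = "Contoso"                       # <templatefoldername> from the slide
$relative = "Application Data\Microsoft\DRM\$folder"
$local    = Join-Path $env:ALLUSERSPROFILE $relative
$regKey   = "HKCU:\SOFTWARE\Microsoft\Office\12.0\Common\DRM"

# Step 3: copy the exported template .xml files to the per-machine folder on this client.
New-Item -ItemType Directory -Path $local -Force | Out-Null
Copy-Item -Path (Join-Path $share "*.xml") -Destination $local -Force

# Step 4: tell Office 2007 where the templates are. REG_EXPAND_SZ (ExpandString) keeps
# %allusersprofile% unexpanded in the registry, so one value is valid for every user.
New-Item -Path $regKey -Force | Out-Null
New-ItemProperty -Path $regKey -Name "AdminTemplatePath" -PropertyType ExpandString -Force `
                 -Value "%allusersprofile%\$relative" | Out-Null

# Verify: the value as stored, the expanded path Office will use, and the files in it.
$stored = (Get-Item $regKey).GetValue("AdminTemplatePath", $null,
            [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
"Stored:   $stored"
"Expanded: " + (Get-ItemProperty $regKey).AdminTemplatePath
Get-ChildItem $local -Filter *.xml | Select-Object Name, Length, LastWriteTime
```

Reading the value back with DoNotExpandEnvironmentNames confirms the type is really REG_EXPAND_SZ; a value written as a plain REG_SZ would show the expanded path in both lines and would break on a machine whose profile root differs.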

Page 24

What Are Exclusion Policies?

Exclusion policies prevent compromised principals from acquiring new use licenses; however, existing licenses associated with excluded principals are still valid.

Administrators can exclude the following principals:

User IDs

Applications

Lockbox versions

Windows® versions

Page 25

Lesson 4: Implementing AD RMS Trust Policies

• Methods of Defining Trust Policies

• Overview of Trusted User Domain Interaction

• Overview of Trusted Publishing Domain Interaction

• How To Configure Trust Policies

• Deploying AD RMS with AD FS

Page 26

Methods of Defining Trust Policies

Trust policies can be defined for the following:

Trusted user domains

Trusted publishing domains

Windows Live™ ID

Federated trust

Trust policies help an AD RMS cluster to process licensing requests for content that is rights-protected by another AD RMS cluster.

Page 27

Overview of Trusted User Domain Interaction

Northwind Traders and Contoso:

1. Contoso sends its SLC to Northwind Traders

2. Northwind Traders imports the Server Licensor Certificate (SLC)

3. [email protected] sends RM content to [email protected]

4. [email protected] sends the PL and RAC with a request for a UL from Northwind Traders

5. The server uses the imported SLC to verify Bob's rights account certificate (RAC) and returns the UL

Page 28

Overview of Trusted Publishing Domain Interaction

Northwind Traders and Contoso:

1. Contoso imports the private key and SLC

2. Northwind Traders exports its private key and SLC

3. [email protected] sends RM content to [email protected]

4. [email protected] sends the PL and RAC with a request for a UL from Northwind Traders

5. Contoso uses the imported private key to decrypt the PL and issues the UL
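The difference between the trusted user domain on Page 27 and the trusted publishing domain on this page comes down to which key material crosses the organizational boundary, and that can be shown with a small model. The script below is an added example for this transcript, not course or AD RMS code: hashtables stand in for SLCs, RACs and XrML licenses, the cluster names follow the slides, the e-mail address is constructed, and the function names (New-Cluster, Export-Slc, New-Rac, New-PublishingLicense, Request-UseLicense) are this example's own. It assumes Windows PowerShell 5.1 or later (RSACng). The licensing server does two lookups on every request: which SLC signed the requester's RAC, and which private key can open the publishing license; a TUD import feeds the first, a TPD import feeds the second.

```powershell
# Added example: a .NET model of which key material each trust policy moves between
# clusters. Not AD RMS code: hashtables stand in for SLCs, RACs and XrML licenses, and
# the function names are this example's own. Needs Windows PowerShell 5.1+ (RSACng).
$OAEP = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256
$SHA  = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$PKCS = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1

function New-Cluster([string]$Name) {
    # A cluster: its SLC key pair plus the trust it has been configured with.
    return @{ Name = $Name
              Key  = (New-Object System.Security.Cryptography.RSACng -ArgumentList 2048)
              TrustedUserDomains = @{}          # name -> imported SLC (public key only)
              TrustedPublishingDomains = @{} }  # name -> imported SLC with private key
}
function Export-Slc($Cluster) {
    # What a trusted user domain export carries: the public half of the SLC key.
    $pub = New-Object System.Security.Cryptography.RSACng
    $pub.ImportParameters($Cluster.Key.ExportParameters($false))
    return $pub
}
function New-Rac($Cluster, [string]$Email) {
    # Rights account certificate: the user's public key and address, signed by the home cluster.
    $user = New-Object System.Security.Cryptography.RSACng -ArgumentList 2048
    [byte[]]$body = [System.Text.Encoding]::UTF8.GetBytes("$Email|$($Cluster.Name)|") +
                    $user.ExportParameters($false).Modulus
    return @{ Email = $Email; Issuer = $Cluster.Name; Key = $user; Body = $body
              Signature = $Cluster.Key.SignData($body, $SHA, $PKCS) }
}
function New-PublishingLicense($Cluster, [hashtable]$Rights) {
    # PL: a random content key (no AES in this model) sealed to the publishing cluster's public key.
    $contentKey = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($contentKey)
    return @{ Issuer = $Cluster.Name; Rights = $Rights
              ContentKey = $Cluster.Key.Encrypt($contentKey, $OAEP) }
}
function Request-UseLicense($Server, $Rac, $PL) {
    # Lookup 1: whose SLC signed this RAC? Our own, or one imported as a trusted user domain.
    $signer = if ($Rac.Issuer -eq $Server.Name) { $Server.Key } else { $Server.TrustedUserDomains[$Rac.Issuer] }
    if (-not $signer -or -not $signer.VerifyData($Rac.Body, $Rac.Signature, $SHA, $PKCS)) {
        return "DENY at $($Server.Name): RACs issued by $($Rac.Issuer) are not trusted"
    }
    # Lookup 2: which private key opens this PL? Our own, or one imported as a trusted publishing domain.
    $opener = if ($PL.Issuer -eq $Server.Name) { $Server.Key } else { $Server.TrustedPublishingDomains[$PL.Issuer] }
    if (-not $opener) { return "DENY at $($Server.Name): cannot open licenses published by $($PL.Issuer)" }
    $contentKey = $opener.Decrypt($PL.ContentKey, $OAEP)
    if (-not $PL.Rights.ContainsKey($Rac.Email)) { return "DENY at $($Server.Name): $($Rac.Email) is not named in the PL" }
    # UL: the content key re-sealed to the RAC's key, with this user's rights.
    $sealed = $Rac.Key.Encrypt($contentKey, $OAEP)
    return "GRANT at $($Server.Name): UL for $($Rac.Email), rights '$($PL.Rights[$Rac.Email])', key sealed ($($sealed.Length) bytes)"
}

# Scenario from the slides (address constructed): Bob is a Contoso user; the content was
# published under the Northwind Traders cluster.
$contoso   = New-Cluster "Contoso"
$northwind = New-Cluster "Northwind Traders"
$bob = New-Rac $contoso "bob@contoso.com"
$pl  = New-PublishingLicense $northwind @{ "bob@contoso.com" = "View,Print" }

# No trust policy: Bob's RAC was signed by Contoso, which Northwind knows nothing about.
Request-UseLicense $northwind $bob $pl

# Trusted user domain (Page 27): Northwind imports Contoso's SLC, public key only.
# Northwind still does all the licensing; only RAC verification crosses the boundary.
$northwind.TrustedUserDomains["Contoso"] = Export-Slc $contoso
Request-UseLicense $northwind $bob $pl

# Trusted publishing domain (Page 28): Contoso imports Northwind's SLC AND private key.
# Bob's own cluster can now open Northwind's PLs, so the exported key file deserves the
# same protection as the cluster key itself.
$contoso.TrustedPublishingDomains["Northwind Traders"] = $northwind.Key
Request-UseLicense $contoso $bob $pl
```

The three requests print DENY, GRANT at Northwind Traders, and GRANT at Contoso in that order. The asymmetry is the practical lesson of lesson 4: a TUD export is a public key and can be handed to a partner freely, while a TPD export contains the partner's private key and lets the importing cluster license everything that cluster ever published.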

Page 29

Demonstration: How To Configure Trust Policies

• To export a trusted user domain certificate

• To import a trusted user domain certificate

• To configure trusted publishing domains

Page 30

Deploying AD RMS with AD FS

1. Assign an SSL certificate to the Web site that hosts the AD RMS cluster.

2. Install and configure AD RMS.

3. Grant the AD RMS service account permissions to generate security audits.

4. On the AD FS resource partner, create a claims-aware application for the AD RMS certification and licensing pipelines.

5. Configure the AD RMS extranet cluster URL.

6. Install the AD RMS Identity Federation Role service.

Diagram: Manufacturer (account partner) and Supplier (resource partner), with AD RMS and AD FS.

Page 31

Lab 6: Configuring AD RMS

• Exercise 1: Installing the AD RMS Server Role

• Exercise 2: Managing AD RMS Rights Policy Templates

• Exercise 3: Configuring Trust Policies

• Exercise 4: Testing AD RMS Functionality

Logon information

Virtual machines: 6426A-NYC-DC1, 6426A-NYC-SVR1, 6426A-NYC-CL1

User name: Administrator

Domain: woodgrovebank

Password: Pa$$w0rd

Estimated time: 60 minutes