deploying active directory rights management services with microsoft office share point server 2007...

Deploying Active Directory Rights Management Services with Microsoft Office SharePoint Server 2007 Step-By-Step Guide

Microsoft Corporation

Published: March 2008

Author: Brian Lich

Editor: Carolyn Eller

AbstractThis step-by-step guide provides instructions for deploying Microsoft Office SharePoint Server

2007 in an Active Directory Rights Management Services (AD RMS) environment. It includes the

necessary information for installing and configuring Office SharePoint Server 2007 in the newly

created AD RMS infrastructure, and verifying that Office SharePoint Server 2007 documents can

be rights-protected and consumed. In the appendix of this guide, you can also configure Office

SharePoint Server 2007 to work with Active Directory Federation Services (AD°FS) and AD RMS.

Copyright Information

This document is provided for informational purposes only and Microsoft makes no warranties,

either express or implied, in this document. Information in this document, including URL and other

Internet Web site references, is subject to change without notice. The entire risk of the use or the

results from the use of this document remains with the user. Unless otherwise noted, the example

companies, organizations, products, domain names, e-mail addresses, logos, people, places, and

events depicted herein are fictitious, and no association with any real company, organization,

product, domain name, e-mail address, logo, person, place, or event is intended or should be

inferred. Complying with all applicable copyright laws is the responsibility of the user. Without

limiting the rights under copyright, no part of this document may be reproduced, stored in or

introduced into a retrieval system, or transmitted in any form or by any means (electronic,

mechanical, photocopying, recording, or otherwise), or for any purpose, without the express

written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual

property rights covering subject matter in this document. Except as expressly provided in any

written license agreement from Microsoft, the furnishing of this document does not give you any

license to these patents, trademarks, copyrights, or other intellectual property.

© 2008 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, MS-DOS, SharePoint, Vista, Windows, Windows NT, and

Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the

United States and/or other countries.

All other trademarks are property of their respective owners.

Contents

Deploying Active Directory Rights Management Services with Microsoft Office SharePoint Server

2007 Step-By-Step Guide............................................................................................................5

About this Guide.......................................................................................................................... 5

What This Guide Does Not Provide.........................................................................................6

Deploying AD RMS in a Test Environment..................................................................................6

Step 1: Installing and Configuring SPS-SRV..................................................................................7

Configure the Office SharePoint Server (SPS-SRV)................................................................8

Install Office SharePoint Server 2007....................................................................................10

Step 2: Configuring AD RMS to Work with SPS-SRV...................................................................11

Step 3: Verifying AD RMS Functionality using ADRMS-CLNT......................................................13

Appendix A: Configuring Active Directory Federation Services to work with Office SharePoint

Server 2007............................................................................................................................... 15

About this Appendix................................................................................................................... 15

Configuring AD FS to work with Office SharePoint Server 2007 in a Test Environment............16

Step 1: Setting up the infrastructure..........................................................................................18

Step 2: Configuring Office SharePoint 2007 to work with AD FS...............................................20

Step 3: Verifying AD RMS functionality with Office SharePoint Server 2007 and AD FS...........25

Deploying Active Directory Rights Management Services with Microsoft Office SharePoint Server 2007 Step-By-Step Guide

About this GuideThis step-by-step guide walks you through the process of deploying Active Directory Rights

Management Services (AD RMS) and Microsoft Office SharePoint Server 2007 together in a test

environment. Specifically, this guide shows you how to add an Office SharePoint Server 2007 to

an existing AD RMS environment.

Important

Windows SharePoint Services 3.0 does not have the Microsoft® Office protector files that

are required to automatically rights-protect a document when it is uploaded. You must

use Office SharePoint Server 2007 to do this.

This guide assumes that you previously completed the Active Directory Rights Management

Services Step-by-Step Guide, and that you have already deployed the following components:

One Active Directory domain controller

An AD RMS server

An AD RMS database server

An AD RMS-enabled client

In this guide, you will create a test deployment that includes an Office SharePoint Server 2007

server.

Office SharePoint Server 2007 provides an easy way to collaborate on documents by posting

them to an Office SharePoint Server 2007 site so that they can be accessed over the corporate

network. The goal of integrating an Office SharePoint Server 2007 deployment with an AD RMS

infrastructure is to be able to protect documents that are downloaded from the Office SharePoint

Server 2007 server by users of any given organization.

Note

Integrating Office SharePoint Server 2007 with AD RMS does not protect the documents

while they are on the server. When a document is uploaded to an Office SharePoint

Server 2007 site, the server removes all protection until a download request is received

by the Office SharePoint Server 2007 server. At this time, the Office SharePoint Server

2007 server applies the appropriate restrictions to the document before it is downloaded

to the client computer.

5

What This Guide Does Not ProvideThis guide does not provide the following:

An overview of AD RMS. For more information about the advantages that AD RMS can bring

to your organization, see http://go.microsoft.com/fwlink/?LinkId=84726.

Guidance for setting up and configuring AD RMS in a production environment.

Guidance for integrating Office SharePoint Server 2007 with AD RMS in a production

environment.

Complete technical reference for AD RMS.

Complete information about Office SharePoint Server 2007. For more information, see

http://go.microsoft.com/fwlink/?LinkId=74460.

Deploying AD RMS in a Test EnvironmentWe recommend that you use the steps provided in the "Windows Server Active Directory Rights

Management Services Step-by-Step Guide" before completing the steps in this guide. Step-by-

step guides are not necessarily meant to be used to deploy Microsoft products without additional

documentation and should be used with discretion as a stand-alone document.

Upon completion of this step-by-step guide, you will have a working AD RMS infrastructure

integrated with Office SharePoint Server 2007. You can then test AD RMS and Office SharePoint

Server 2007 functionality as follows:

Create a Microsoft Office Word 2007 document in the CPANDL domain.

Upload this document to the Office SharePoint Server 2007 document library.

Have an authorized user in the CPANDL domain open and work with the document.

The test environment described in this guide includes five computers connected to a private

network and using a clean installation of the following operating systems, applications, and

services:

Computer Name Operating System Applications and Services

CPANDL-DC Windows Server® 2003 with

Service Pack 1 (SP1)

Active Directory, Domain

Name System (DNS)

ADRMS-SRV Windows Server® 2008 AD RMS, Internet Information

Services (IIS) 7.0, and

Message Queuing

ADRMS-DB Windows Server 2003 with SP1 Microsoft SQL Server™ 2005

with Service Pack 2 (SP2)

SPS-SRV Windows Server 2003 R2

Standard Edition. Windows

Server 2003 R2 must be used if

federated identity support with

Office SharePoint Server

2007

6

http://go.microsoft.com/fwlink/?LinkId=74460



Office SharePoint Server 2007 is

required. Otherwise,

Windows Server 2003 with SP1

can be used.

ADRMS-CLNT Windows Vista® Microsoft Office Word 2007

Enterprise Edition

Note

Before installing and configuring the components in this guide, you should verify that your

hardware meets the minimum requirements for AD RMS (http://go.microsoft.com/fwlink/?

LinkId=84733).

The computers form a private intranet and are connected through a common hub or Layer 2

switch. This configuration can be emulated in a virtual server environment if desired. This step-by-

step exercise uses private addresses throughout the test lab configuration. The private network

ID 10.0.0.0/24 is used for the intranet. The domain controller is named CPANDL-DC for the

domain named cpandl.com. The following figure shows the configuration of the test environment:

Step 1: Installing and Configuring SPS-SRV

To prepare your AD RMS test environment in the CPANDL domain, you must complete the

following tasks:

Configure the Office SharePoint Server (SPS-SRV)

Install Office SharePoint Server 2007

Use the following table as a reference when setting up the appropriate computer name, operating

system, and network settings that are required to complete the steps in this guide.

7



Important

Before you configure your computers with static Internet Protocol (IP) addresses, we

recommend that you first complete Windows product activation while each of your

computers still has Internet connectivity. You should also install any available critical

security updates from Windows Update (http://go.microsoft.com/fwlink/?LinkID=47370).

Computer name Operating system requirement IP settings DNS settings

SPS-SRV Windows Server 2003 R2,

Standard Edition

Important

In order to use Active

Directory Federation

Services (AD FS) with

Office SharePoint

Server 2007, you

must install Windows

Server 2003 R2 with

Service Pack 2 (SP2).

IP address:

10.0.0.6

Subnet mask:

255.255.255.0

10.0.0.1

Configure the Office SharePoint Server (SPS-SRV)To configure the Office SharePoint Server 2007 server SPS-SRV, you must:

1. Install Windows Server 2003 R2 Standard Edition.

2. Configure TCP/IP properties.

3. Join the computer to the cpandl.com domain.

4. Install the Rights Management Services (RMS) client with SP2.

To install Windows Server 2003 R2 Standard Edition

1. Start your computer by using the Windows Server 2003 R2 Standard Edition product CD.

2. When prompted for the installation type, choose Custom Installation.

3. When prompted for a computer name, type SPS-SRV.

4. Follow the rest of the instructions that appear on your screen to finish the installation.

Next, configure TCP/IP properties so that SPS-SRV has a static IP address of 10.0.0.6. In

addition, configure the Domain Name System (DNS) Server service by using the IP address of

CPANDL-DC (10.0.0.1).

To configure TCP/IP Properties

1. Log on to SPS-SRV with the SPS-SRV\Administrator account or another user account in

8

http://go.microsoft.com/fwlink/?LinkID=47370

the local Administrators group.

2. Click Start, point to Control Panel, point to Network Connections, double-click Local

Area Connection, and then click Properties.

3. On the General tab, click Internet Protocol (TCP/IP), and then click Properties.

4. Select the Use the following IP address option. In the IP address box, type 10.0.0.6. In

Subnet mask box, type 255.255.255.0.

5. Select the Use the following DNS server addresses option. In the Preferred DNS

server box, type 10.0.0.1.

6. Click OK, and then click OK to close the Local Area Connection Properties dialog box.

Close the Local Area Connection Status dialog box.

Next, join SPS-SRV to the cpandl.com domain.

To join SPS-SRV to the cpandl.com domain

1. Click Start, right-click My Computer, and then click Properties.

2. Click Computer Name tab, and then click Change.

3. In the Computer Name Changes dialog box, click Domain, and then type cpandl.com.

4. Click More, and type cpandl.com in Primary DNS suffix of this computer box.

5. Click OK twice.

6. When a Computer Name Changes dialog box appears prompting you for administrative

credentials, provide the credentials for CPANDL\Administrator, and then click OK.

7. When a Computer Name Changes dialog box appears welcoming you to the

cpandl.com domain, click OK.

8. When a Computer Name Changes dialog box appears telling you that the computer

must be restarted, click OK, and then click Close.

9. Click Yes to restart the computer.

Finally, install the RMS client with SP2 on SPS-SRV.

To install the RMS client with SP2

1. Download the RMS client from http://go.microsoft.com/fwlink/?LinkId=67736. If you are

using a 64-bit version Windows Server 2003, download the 64-bit version of the RMS

client from http://go.microsoft.com/fwlink/?LinkId=67935.

2. Double-click WindowsRightsManagementServicesSP2-KB917275-Client-ENU.exe to

start the installation.

3. Click Next.

4. Select the I agree option to accept the End User License Agreement, and then click Next

twice to start the installation.

5. Click Close to finish the installation.

9



Note

If you are using a self-signed certificate for your AD RMS cluster, you must import it into

the Trusted Certification Authorities certificate store on SPS-SRV before you can

consume rights-protected content.

Install Office SharePoint Server 2007To install Office SharePoint Server 2007, you must complete the following steps in the following

order:

1. Add the Application Server role to SPS-SRV.

2. Install Microsoft .NET Framework 3.0.

3. Install Office SharePoint Server 2007.

Office SharePoint Server 2007 uses the Application Server role, which contains IIS and ASP.NET,

to host Office SharePoint Server 2007 document libraries. To install the Application Server role,

you must complete the following steps:

To add the Application Server role

1. Click Start, point to All Programs, point to Administrative Tools, and then click

Manage Your Server.

2. Click Add or remove a role.

3. On the Preliminary Steps page of the Configure your Server Wizard, click Next.

4. Click Application Server (IIS, ASP.NET), and then click Next.

5. Select the Enable ASP.NET check box, and then click Next twice.

Note

You will be asked for the Windows Server 2003 product CD in order to complete

the installation of the Application Server role.

6. Click Finish to complete the installation.

Next, install the .NET Framework 3.0. Office SharePoint Server 2007 requires the Windows

Workflow Foundation, which has been integrated into .NET Framework 3.0.

To install .NET Framework 3.0

1. Download Microsoft .NET Framework 3.0 from http://go.microsoft.com/fwlink/?

LinkId=73912.

2. Double-click dotnetfx3setup.exe, and then click Run in the Open File - Security

Warning dialog box.

3. Click the I have read and ACCEPT the terms of the License Agreement option, and

then click Install.

4. Click Exit to complete the installation.

Next, install Office SharePoint Server 2007.

10



To install Office SharePoint Server 2007

1. Double-click setup.exe from the Office SharePoint Server 2007 product CD.

2. Enter your Product Key, and then click Continue.

3. Select the I accept the terms of this agreement check box, and then click Continue.

4. Click Basic.

5. After installation has completed, select the Run the SharePoint Products and

Technologies Configuration Wizard now check box, and then click Close. The

installation might take 10 minutes to complete.

6. On the Welcome to the SharePoint Products and Technologies page, click Next.

Click Yes in the message confirming that the SharePoint services should be restarted.

Office SharePoint Server 2007 will also be configured at this time.


Step 2: Configuring AD RMS to Work with SPS-SRV

After Office SharePoint Server 2007 has been installed, there are several tasks that must be

completed to integrate Office SharePoint Server 2007 with AD RMS:

Add the Office SharePoint Server 2007 site to the Local Intranet Internet Explorer zone.

Add three user accounts, CPANDL\Administrator, Nicole Holliday, and Stuart Railson, to the

SharePoint site.

Add the Office SharePoint Server 2007 server to the AD RMS server certification pipeline.

Enable Information Rights Management in Office SharePoint Server 2007.

Restrict permissions by using AD RMS.

First, add the Office SharePoint Server 2007 site to the Internet Explorer Local Intranet zone on

the Office SharePoint Server 2007 computer.

To add SPS-SRV to Local Intranet

1. Log on to SPS-SRV as cpandl\administrator.

2. Click Start, point to Control Panel, and then click Internet Options.

3. Click the Security tab, click Local Intranet, and then click the Sites button.

4. Type http://SPS-SRV, and then click Add.

5. Click Close, and then click OK.

Next, give Nicole Holliday and Stuart Railson access to the SharePoint site so that the Office

SharePoint Server 2007 integration with AD RMS can be verified later in this guide:

11

To add Nicole Holliday and Stuart Railson to the SharePoint site

1. Click Start, point to All Programs, and then click Internet Explorer.

2. Type http://SPS-SRV in the address bar, and then click Go. This will open the default

Office SharePoint Server 2007 site that was created during installation.

3. Click Site Actions, point to Site Settings, and then click People and Groups.

4. Click New, and then click Add Users.

5. Type [email protected];[email protected] in the Users/Groups box, and then

click OK. A list of users who have permission to use the SharePoint site is displayed.

Next, add the Office SharePoint Server 2007 server and AD RMS Service Group to the AD RMS

cluster server certification pipeline.

Important

By default, the AD RMS cluster server certification pipeline ACL is configured to allow

only the local System account. You must add the permissions in order for Office

SharePoint Server 2007 to integrate with AD RMS.

To add SPS-SRV to the AD RMS Certification Pipeline

1. Log on to ADRMS-SRV as CPANDL\Administrator.

2. Click Start, and then click Computer.

3. Navigate to C:\Inetpub\wwwroot\_wmcs\Certification.

4. Right-click ServerCertification.asmx, click Properties, and then click the Security tab.

5. Click Advanced, click Edit, select the Include inheritable permissions from this

object's parent check box, and then click OK two times.

6. Click Edit, and then click Add.

7. Click Object Types, select the Computers check box, and then click OK.

8. Type SPS-SRV, and then click OK.

9. Click OK to close the ServerCertification.asmx Properties sheet.

By default the Read & execute and the Read permissions are configured for the SPS-

SRV computer account object and all other accounts inherited from the parent folder.

10. Click Start, and then click Command Prompt.

11. Type iisreset, and then press ENTER.

Once the AD RMS cluster certification pipeline has been allowed so that SPS-SRV can

communicate with it, you must configure Office SharePoint Server 2007 to use the AD RMS

cluster:

To enable Information Rights Management in Office SharePoint Server 2007

1. Log on to SPS-SRV as CPANDL\administrator.

2. Click Start, point to Administrative Tools, and then click SharePoint 3.0 Central

12

Administration.

3. Click Operations, and then click Information Rights Management.

4. Select the Use the default RMS server specified in Active Directory option, and then

click OK.

Create an Office SharePoint Server 2007 permission policy on the default document library. This

permission policy will be used to restrict the ability to print any documents that are uploaded to

the document library:

To restrict permissions using AD RMS

1. Log on as cpandl\Administrator.


3. Type http://SPS-SRV in the address bar, and then click Go.

4. Click Document Center, click Documents, click Settings, and then click Document

Library Settings.

5. Under the Permissions and Management heading, click Information Rights

Management.

6. Select the Restrict permission to documents in this library on download check box.

7. Type CPANDL Protected in the Permissions policy title box.

8. Type Restrict CPANDL employees from printing in the Permission policy

description box.

9. Click OK.

Note

Office SharePoint Server 2007 will automatically apply AD RMS rights to the document

when it is downloaded from the Office SharePoint Server 2007 site. These rights are

determined by the Office SharePoint Server 2007 group membership for that site. For

example, a user who is in the Visitors Office SharePoint Server 2007 group will not be

able to modify the document when it is downloaded from the Office SharePoint Server

2007 site.

Step 3: Verifying AD RMS Functionality using ADRMS-CLNT

To verify the functionality of the AD RMS deployment, you log on as Nicole Holliday, create a new

Microsoft Word 2007 document, and upload it to the Office SharePoint Server 2007 site into a

rights-enabled document library configured such that users who download the document will not

be able to print it. You then log on as Stuart Railson, download the document from the Office

SharePoint Server 2007 site and verify that the ability to print the document has been restricted.

13

Before you can consume rights-protected content, you must add SPS-SRV to the Local Intranet

security zone.

To add SPS-SRV to Local Intranet security zone

1. Log on to ADRMS-CLNT as Nicole Holliday (CPANDL\nhollida).

2. Click Start, click All Programs, and then click Internet Explorer.

3. Click Tools, and then click Internet Options.

4. Click the Security tab, click Local intranet, and then click Sites.

5. Click Advanced.

6. In the Add this website to the zone, type http://sps-srv, and then click Add.

7. Click close.

8. Repeat steps 1–7 for Stuart Railson (CPANDL\srailson).

Next, log on a Nicole Holliday and create a Microsoft Word 2007 document and upload it to the

Office SharePoint Server 2007 site.

To create and upload a Microsoft Word document for testing

1. Click Start, point to All Programs, point to Microsoft Office, and then click Microsoft

Office Word 2007.

2. Type This document is read-only. You cannot print it. in the new document, click the

Microsoft Office Button, click Save As, and then save the file as ADRMS-TST.docx to a

location on ADRMS-CLNT. This document will be uploaded to the Office SharePoint

Server 2007 document library.

Note

Since Nicole Holliday is the author of this document, she will have full rights to

the document, regardless of the AD RMS rights that are applied to it.

3. Close Microsoft Office Word 2007.


5. Type http://SPS-SRV/ in the address bar, and then click Go.

6. Click Document Center, and then click Documents.

7. Click Upload, click Upload Document, click Browse to locate and select ADRMS-TST,

and then click Open.

8. Click OK to upload the file, and then click Check In.

By uploading the document into this library, the document receives the restrictions set on

the library.

9. Log off as Nicole Holliday.

Finally, log on as Stuart Railson and open the document from the Office SharePoint Server 2007

site.

14

To open a protected document

1. Log on to ADRMS-CLNT as Stuart Railson (CPANDL\srailson).




5. Click ADRMS-TST, and then click OK to open the document as Read Only.

6. The following message will appear: "Permission to this document is currently

restricted. Microsoft Office must connect to

https://adrms-srv.cpandl.com/_wmcs/licensing to verify your credentials and

download your permission."

7. Click OK.

8. The following message will appear: "Verifying your credentials for opening content

with restricted permissions".

9. Click OK in the full screen reading view message, and then click Close to close the full

screen reading view.

10. Click the Microsoft Office button. The Print command is disabled.

You have successfully deployed, integrated, and demonstrated the functionality of AD RMS and

Office SharePoint Server 2007, using the simple scenario of uploading a Microsoft Office

Word 2007 document to an Office SharePoint Server 2007 site. You can also use this deployment

to explore some of the additional capabilities of AD RMS through additional configuration and

testing.

Appendix A: Configuring Active Directory Federation Services to work with Office SharePoint Server 2007

About this AppendixThis appendix walks you through the process of configuring Active Directory Federation Services

(AD FS) and Microsoft Office SharePoint Server 2007 together in a test environment to consume

content that is rights-protected by Active Directory Rights Management Services (AD RMS).

Specifically, this guide shows you how to consume rights-protected content from an Office

SharePoint Server 2007 document library through a federated trust.

This guide assumes that you previously completed the following step-by-step guides:

Windows Server Active Directory Rights Management Services Step-by-Step Guide

(http://go.microsoft.com/fwlink/?LinkId=54964)

15


Using Identity Federation with Active Directory Rights Management Services Step-by-Step

Guide (http://go.microsoft.com/fwlink/?LinkId=72135)

The first three steps of Deploying Active Directory Rights Management Services with

Microsoft Office SharePoint Server 2007 Step-By-Step Guide

In this appendix, you will configure the test environment configured in the step-by-step guides

referenced above to include federated support for Office SharePoint Server 2007.

Configuring AD FS to work with Office SharePoint Server 2007 in a Test EnvironmentWe recommend that you first use the steps provided in this appendix in a test lab environment.

Step-by-step guides are not necessarily meant to be used to deploy Windows Server features

without additional deployment documentation and should be used with discretion as a stand-

alone document.

Upon completion of this appendix, you will have a working AD RMS and Office SharePoint Server

2007 infrastructure with federation support. You can then test and verify the functionality as

follows:

Create a document in the CPANDL.COM domain.

Upload the document to a rights-protected document library.

Have an authorized user in the TREYRESEARCH.NET domain open and work with the

document.

The test environment described in this guide include nine computers connected to a private

network and using the following operating systems, applications, and services:


CPANDL-DC

TREY-DC

Windows Server 2003 with Service

Pack 1 (SP1)

Note

Domain controllers

running Windows 2000

Server with Service

Pack 4 can be used.

However, in this step-by-

step guide it is assumed

that you will be using

domain controllers running

Windows Server 2003 with

SP1.

Active Directory, Domain

Name System (DNS)

ADRMS-SRV Windows Server® 2008 AD RMS, Internet Information

16



Services (IIS) 7.0, Message

Queuing, and World Wide

Web Publishing Service

ADRMS-DB Windows Server 2003 with SP1 Microsoft SQL Server™ 2005

Standard Edition

SPS-SRV Windows Server 2003 R2 with

Server Pack 2 (SP2).

Important

Windows Server 2003 R2

with SP2 is required for

federation support to work

with Office SharePoint

Server 2007.

AD FS claims-aware agent,

Office SharePoint Server

2007

ADRMS-CLNT

ADRMS-CLNT2

Windows Vista® Microsoft Office Word 2007

Enterprise Edition

ADFS-RESOURCE

ADFS-ACCOUNT

Windows Server® 2008 Enterprise AD FS, IIS

The computers form two private intranets and are connected through a common hub or Layer 2

switch. This configuration can be emulated in a virtual server environment, if desired. This

appendix exercise uses private addresses throughout the test lab configuration. The private

network ID 10.0.0.0/24 is used for the intranet. The domain controller for the domain named

cpandl.com is CPANDL-DC and the domain controller for the domain name treyresearch.net is

TREY-DC. The following figure shows the configuration of the test environment:

17

Step 1: Setting up the infrastructureThe following steps should be taken to prepare the existing test infrastructure for configuring

AD FS with Office SharePoint Server 2007:

Install the claims-aware applications Windows component on SPS-SRV.

Add a DNS host name record to the CPANDL.COM domain so that federated users can

access the Office SharePoint Server 2007 Web site.

Add the external SharePoint Web site as a claims-aware application on ADFS-RESOURCE.

18

Note

Windows Server 2003 with SP2 is required for AD FS and Office SharePoint Server 2007

to work together. To download Windows Server 2003 with SP2, see

http://go.microsoft.com/fwlink/?LinkId=98598.

First, add the claims-aware application Windows component. This component is required for

AD FS and interfaces with the AD FS federation servers to submit claims.

To add the claims-aware applications Windows component

1. Log on to SPS-SRV as cpandl\administrator or another user account in the local

Administrators group.

2. Click Start, point to Control Panel, click Add or Remove Programs, and then click

Add/Remove Windows Components.

3. Click Active Directory Services, and then click Details.

4. Click Active Directory Federation Services (ADFS), and then click Details.

5. Click ADFS Web Agents, and then click Details.

6. Select the Claims-aware applications check box, and then click OK three times.

7. Click Next.

Note

You will be asked for the Windows Server 2003 R2 product CD in order to

complete the installation of the claims-aware applications Windows component.


Next, add a DNS host name record is required in the CPANDL.COM domain so that federated

users in the TREYRESEARCH.NET domain can access the Office SharePoint Server 2007 Web

site.

To create a DNS host name record for the external Office SharePoint Server 2007 Web site

1. Log on to CPANDL-DC as cpandl\administrator or another user account in the local


2. Click Start, point to Administrative Tools, and then click DNS.

3. Expand Forward Lookup Zones, right-click CPANDL-DC, and then click New Host (A).

4. In the Name box, type external-sps.

5. In the IP Address box, type 10.0.0.6, and then click Add Host.

6. Click OK, confirming that the host record was successfully created.

7. Click Done.

Finally, add the external SharePoint Web site as a claims-aware Windows application on ADFS-

RESOURCE: This should be done before a user is added to doc library.

19


To add the external SharePoint Web site as a claims-aware Windows application on ADFS-RESOURCE

1. Log on to ADFS-RESOURCE as cpandl\adfsadmin or another user account in the local


2. Click Start, point to Administrative Tools, and then click Active Directory Federation

Services.

3. If the User Account Control dialog box appears, confirm that the action it displays is

what you want, and then click Continue.

4. Expand Federation Services, expand Trust Policy, and then expand My Organization.

5. Right-click Applications, point to New, and then click Application.

6. On the Welcome to the Add Application Wizard, click Next.

7. Select the Claims-aware application option, and then click Next.

8. In the Application display name box, type External SharePoint Web site.

9. In the Application URL box, type https://external-sps.cpandl.com, and then click

Next.

10. Select the E-mail check box, and then click Next.

11. Select the Enable this application check box, and then click Next.

12. Click Finish.

Step 2: Configuring Office SharePoint 2007 to work with AD FSTo configure Office SharePoint Server 2007 to work with AD FS, several steps must be

completed:

Add a claims-aware Windows application for the external Web site.

Extend the internal Office SharePoint Server 2007 Web site.

Add a Secure Sockets Layer (SSL) certificate to the external Web site.

Configure the authentication provider on the external Web site.

Edit the web.config file on the internal Web site.

Add Terrence Philip to the default document library.

Edit the web.config file on the external Web site.

First, extend the existing internal Web site, created earlier in this guide, and add it to the Extranet

zone.

To extend the internal Office SharePoint 2007 Web site and add it to the Extranet zone on SPS-SRV.

1. Log on to SPS-SRV as cpandl\administrator or another user account in the local


20


Administration.

3. Click Application Management, click Create or Extend Web application, and then

click Extend an existing Web application.

4. Select the Create a new Web site option, and then type External Users Web site in the

Description box.

5. In the Web Application box, click Change Web Application, and then click http://sps-

srv.

6. In the Port box, type 443.

7. In the Host header box, type external-sps.cpandl.com.

8. In the Secure Sockets Layer (SSL) box, select the Yes option.

9. In the URL box, type https://external-sps.cpandl.com.

10. In the Zone box, click Extranet.

11. Click OK.

Before proceeding with this appendix, verify that the internal Web site was correctly extended. To

do this, open the Alternate Access Mappings and ensure that external-sps.cpandl.com is

available.

To verify that the external Web site is available

1. In the Central Administration 3.0 site, click Operations.

2. Under the Global Configuration heading, click Alternate access mappings.

3. Verify that the https://external-sps.cpandl.com is shown and the Zone is configured for

Extranet.

Next, add an SSL certificate to the external-sps.cpandl.com Web site by using IIS. AD FS

requires an SSL connection for all claims-aware Windows applications.

To add an SSL certificate to the external Office SharePoint 2007 Web site

1. Click Start, point to Administrative Tools, and then click Internet Information Services

(IIS) Manager.

2. Expand Web Sites, right-click External Users Web site, and then click Properties.

3. Click Directory Security, and then click Server Certificate.

4. On the Welcome to the Web Server Certificate Wizard page, click Next.

5. Choose whether to import from an existing certificate file or request a new certificate.

6. After the certificate is imported, close the External Users Web site properties sheet.

Next, configure the authentication provider on the external Web site to use Web Single Sign On

(SSO).

21

To configure the authentication provider of the Extranet Web application to use Web SSO


Administration, and then click Application Management.

2. Under the Application Security heading, click Authentication providers.

3. In the Web application box, click Change Web Application, and then click SharePoint

- 80.

4. Click Extranet.

5. For Authentication Type, select the Web single sign on option.

6. In the Membership provider name box, type SingleSignOnMembershipProvider2.

7. In the Role manager name box, type SingleSignOnRoleProvider2.

8. For Enable client integration, select the No option, and then click Save.

Next, configure the internal Web application to accept claims from the external Web site by

editing the web.config file for the internal Web site:

To configure the internal Web site to accept claims from the external Web site

1. Navigate to C:\inetpub\wwwroot\wss\VirtualDirectories\80.

2. Right-click web.config, and then click Open.

3. Select the Select the program from a list option, click Notepad, clear the Always use

the selected program to open this kind of file check box, and then click OK.

4. Add the following text under the line that reads <authentication mode ="Windows" />:

<membership>

<providers>

<add name="SingleSignOnMembershipProvider2"

type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2,

System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral,

PublicKeyToken=31bf3856ad364e35"

fs="https://adfs-resource.cpandl.com/adfs/fs/federationserverservice.asmx" />

</providers>

</membership>

<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">

<providers>

<remove name="AspNetSqlRoleProvider" /> <add name="SingleSignOnRoleProvider2"

type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2,


PublicKeyToken=31bf3856ad364e35"

fs="https://adfs-resource.cpandl.com/adfs/fs/federationserverservice.asmx" />

22

</providers>

</roleManager>

5. Click File, and then click Save.

6. Close Notepad.

7. At a command prompt, type IISRESET, and then press ENTER.

Next, add Terrence Philip (TREYRESEARCH\tphilip) to the default document library.

To add Terrence Philip to the default document library


2. Type http://SPS-SRV in the address bar, and then click Go. This will open the default

Office SharePoint Server 2007 site that was created during installation.

3. Click Site Actions, point to Site Settings, and then click People and Groups.

4. Click New, and then click Add Users.

5. In the Users/Groups box, type [email protected], and then click OK.

Important

If the internal SharePoint Web site is not able to resolve Terence Philip using the

procedure above, you should ensure all of the previous steps were completed correctly

before continuing through the rest of this appendix.

Next, edit the web.config file on the external Web site. There are several entries that must be

made to put each individual entry into its own procedure.

To add a new entry in the <configSections> node

1. Navigate to C:\inetpub\wwwroot\wss\VirtualDirectories\external-sps.cpandl.com443.

2. Right-click web.config, and then click Open.

3. Select the Select the program from a list option, click Notepad, and then clear the

Always use the selected program to open this kind of file check box.

4. Add the following text in the <configSections> node:

<sectionGroup name="system.web">

<section name="websso"

type="System.Web.Security.SingleSignOn.WebSsoConfigurationHandler,

System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral,

PublicKeyToken=31bf3856ad364e35, Custom=null" />

</sectionGroup>


Add a new entry in the <httpModules> node:

23

To add a new entry in the <httpModules> node

1. In the same file as the previous procedure, add the following line as the last entry in the

<httpModules> node:

<add name="Identity Federation Services Application Authentication Module"

type="System.Web.Security.SingleSignOn.WebSsoAuthenticationModule,

System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral,

PublicKeyToken=31bf3856ad364e35, Custom=null" />


Add a new entry to the <system.web> node:

To add a new entry in the <system.web> node

1. In the same file as the previous procedure, add the following under the line that read

<authentication mode="None"/>:

<membership defaultProvider="SingleSignOnMembershipProvider2">

<providers>

<add name="SingleSignOnMembershipProvider2"

type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2,


PublicKeyToken=31bf3856ad364e35" />

</providers>

</membership>

<roleManager enabled="true" defaultProvider="SingleSignOnRoleProvider2">

<providers>

<add name="SingleSignOnRoleProvider2"

type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2,


PublicKeyToken=31bf3856ad364e35" />

</providers>

24

</roleManager>

<websso>

<authenticationrequired />

<auditlevel>55</auditlevel>

<urls>

<returnurl>https://external-sps.cpandl.com</returnurl>

</urls>

<fs>https://adfs-resource.cpandl.com/adfs/fs/federationserverservice.asmx</fs>

<isSharePoint />

</websso>


3. Close Notepad.

4. From a command prompt, type IISRESET, and then press ENTER.

Step 3: Verifying AD RMS functionality with Office SharePoint Server 2007 and AD FS.To verify the functionality of AD RMS using AD FS and Office SharePoint Server 2007, you log on

to ADRMS-CLNT as Nicole Holliday, create a new Microsoft Word 2007 document, and upload it

to the Office SharePoint Server 2007 site into a rights-enabled document library configured such

that users who download the document will be able to read it but will not be able to print it. You

then log on to ADRMS-CLNT2 as Terrence Philip, download the document from the Office

SharePoint Server 2007 site and verify that the ability to print the document has been restricted.

Before you can consume rights-protected content, you must add the external Web application

(external-sps.cpandl.com) to the Local Intranet security zone on ADRMS-CLNT2.

To add external-sps.cpandl.com to Local Intranet security zone

1. Log on to ADRMS-CLNT2 as Terrence Philip (TREYRESEARCH\tphilip).


3. Click Tools, and then click Internet Options.

4. Click the Security tab, click Local intranet, and then click Sites.

25

5. Click Advanced.

6. In the Add this website to the zone, type https://external-sps.cpandl.com, and then

click Add.

7. Click close.

Next, log on to ADRMS-CLNT as Nicole Holliday and create a Microsoft Word 2007 document

and upload it to the Office SharePoint Server 2007 site.

To create and upload a Microsoft Word document for testing

1. Click Start, point to All Programs, point to Microsoft Office, and then click Microsoft

Office Word 2007.

2. Type This document is read-only. You cannot print it. in the new document, click the

Microsoft Office Button, click Save As, and then save the file as ADRMS-TST.docx to a

location on ADRMS-CLNT. This document will be uploaded to the Office SharePoint

Server 2007 document library.

Note

Since Nicole Holliday is the author of this document, she will have full rights to

the document, regardless of the AD RMS rights that are applied to it.

3. Close Microsoft Office Word 2007.




7. Click Upload, click Upload Document, click Browse to locate and select ADRMS-TST,

and then click Open.

8. Click OK to upload the file, and then click Check In.

By uploading the document into this library, the document receives the restrictions set on

the library.

9. Log off as Nicole Holliday.

Finally, log on to ADRMS-CLNT2 as Terrence Philip and open the document from the external

Office SharePoint Server 2007 site.

To open a protected document

1. Log on to ADRMS-CLNT2 as Terrence Philip (TREYRESEARCH\tphilip).


3. Type https://external-sps.cpandl.com/ in the address bar, and then click Go.


5. Click ADRMS-TST, and then click OK to open the document as Read Only.

6. The following message will appear: "Permission to this document is currently

26

restricted. Microsoft Office must connect to

https://adrms-srv.cpandl.com/_wmcs/licensing to verify your credentials and

download your permission."

7. Click OK.

8. The following message will appear: "Verifying your credentials for opening content

with restricted permissions".

9. Click OK in the full screen reading view message, and then click Close to close the full

screen reading view.

10. Click the Microsoft Office button. The Print command is disabled.

You have successfully deployed, integrated, and demonstrated the functionality of AD RMS,

AD FS, and Office SharePoint Server 2007, using the simple scenario of uploading a Microsoft

Office Word 2007 document to an Office SharePoint Server 2007 site. You can also use this

deployment to explore some of the additional capabilities of AD RMS through additional

configuration and testing.

27

deploying active directory rights management services with microsoft office share point server 2007...

Documents

windows server

ad rms functionality

existing ad rms environment

created ad rms infrastructure

intellectual property

guidethis stepbystep

test environment

stepbystep guideabout