Microsoft press windows server 2008 active directory resource kit - part 10 ppsx

726 Part V: Identity and Access Management with Active Directory

Figure 18-10 Viewing permissions assigned to a rights-protected document.

Note For users that do not have Microsoft Office to view rights-protected documents, you can install the Rights Management Add-on for Internet Explorer. This add-on provides the ability to view, but not alter, rights-protected information. You can download the Rights Management Add-on for Internet Explorer at http://www.microsoft.com/downloads/details.aspx?FamilyID=B48F920B-5AF0-46B4-994F-2F62582CC86F&displaylang=en.

Administering AD RMS

The complexity and design of your AD RMS environment will dictate the specific administration tasks to complete after the initial deployment of your AD RMS root cluster. If your organization consists of multiple Active Directory forests, you may need to integrate multiple AD RMS deployments. You might also have external users or organizational partnerships that you need to consider in order to enable sharing and collaboration of rights-protected information. Another major set of administration tasks is to ensure security of the AD RMS environment including the application of exclusion policies, security policies, and the configuration and deployment of rights policy templates.

This section describes each of these administration tasks and provides information to help maintain and administer an effective and secure AD RMS deployment throughout your network environment.

Managing Trust Policies

A standard implementation of AD RMS provides rights-management protection for documents created and consumed within an organization. However, there are many scenarios that require the configuration of trust policies. A trust policy allows for the processing of licensing requests for content that was rights-protected by a different AD RMS cluster in another Active Directory forest or another organization. There are three main types of trust policies that can be configured to address specific scenarios:

Chapter 18: Active Directory Rights Management Services 727

■ Trusted user domains

■ Trusted publishing domains

■ Federated Identity Support

Trusted User Domains

A trusted user domain configuration allows recipients from an AD RMS cluster in another organization or Active Directory forest to obtain use licenses from your AD RMS cluster. For example, a large enterprise organization may consist of multiple Active Directory forests that contain multiple AD RMS installations. Each AD RMS installation may be configured to trust the other AD RMS installations by establishing one another as trusted user domains. A trusted user domain can also be established between two organizations in order to provide sharing and collaboration for published rights-protected content. A trusted user domain is typically one of the following entities:

■ Another Active Directory forest in your organization

■ A partner’s AD RMS installation

■ Windows Live ID service

By default, an AD RMS cluster will not service requests from any user whose RAC has been issued by another AD RMS installation. For example, consider this scenario: Kim at NWTraders sends rights-protected content to Don at ADatum. Don attempts to open the content, which results in his RAC (issued by his organization’s AD RMS installation) and the publishing license being sent to the cluster URL listed in the publishing license. The licensing cluster at NWTraders.com will receive Don’s request for a use license; however, that request will fail unless the licensing cluster can verify his RAC. By configuring another AD RMS cluster as a trusted user domain, you can verify that the user requesting a use license is originating from a trusted user domain.

To configure a trusted user domain, you must open the Active Directory Rights Management Services console and import a trusted user domain .bin file. The .bin file contains the Server Licensor Certificate of the AD RMS cluster to be trusted. The .bin file is created by selecting the Internal domain certificate from the Trusted User Domains node and then clicking Export trusted user domain from the Actions pane. The file can then be saved and provided to the administrator who is configuring the integration between the two AD RMS clusters.

When a .bin file is obtained from a trusted domain, you can import the file by selecting the Trusted User Domains node and then clicking Import Trusted User Domain in the Actions pane. As shown in Figure 18-11, the .bin file obtained from A. Datum Corporation is being imported. A display name is provided in order to specifically identify the trusted user domain.


Figure 18-11 Importing a trusted user domain file.

By importing the server licensor certificate of another AD RMS cluster, you are now able to verify that a user who may be requesting a use license is originating from a trusted user domain. Figure 18-12 describes the interaction between trusted user domains.

Figure 18-12 Trusted user domain interaction.

[Diagram: Adatum exports its SLC (.bin file) to NWTraders; Don (Adatum) and Kim (NWTraders) then exchange content in steps 1 to 5, listed below.]


1. ADatum exports and sends the server licensor certificate (.bin file) to NWTraders.

2. NWTraders imports the .bin file and specifies ADatum as a trusted user domain.

3. Kim (an employee at NWTraders) sends Don a rights-protected document.

4. Don receives the content and, in his attempt to open it, sends his RAC and publishing license to the licensing server at NWTraders.

5. The AD RMS cluster at NWTraders is aware that the ADatum domain is a trusted user domain and can use the imported SLC to verify Don’s RAC and issue him a use license.

Note The licensing pipeline is initially configured with only Windows Authentication enabled. In order for a user from another domain to be able to request a use license, the user must be able to authenticate to the server running IIS. This can be established by configuring an Active Directory trust relationship with the other forest, enabling anonymous authentication on the licensing pipeline in IIS, or by creating shadow accounts used for authentication.

Trusted Publishing Domains

By default, an AD RMS cluster is only capable of issuing use licenses for rights-protected information that contains a publishing license issued by the same AD RMS cluster. However, there may be scenarios that require you to configure your AD RMS cluster to have the ability to issue use licenses against publishing licenses that were issued by a different AD RMS cluster. For example, A. Datum Corporation acquires Northwind Traders, and it has been decided that there is no need to maintain two AD RMS installations. Northwind Traders can export its SLC and private key, which will be imported into the ADatum AD RMS cluster. This will designate Northwind Traders as a trusted publishing domain within the ADatum AD RMS cluster. As a result, the ADatum AD RMS cluster will be able to decrypt publishing licenses and issue use licenses for all rights-protected content that had been originally managed by the RMS installation at Northwind Traders.

To configure a trusted publishing domain, you must open the Active Directory Rights Management Services console and import a trusted publishing domain file. The domain file is an XML-based file that contains the Server Licensor Certificate, cluster key, and any rights policy templates of the AD RMS cluster to be trusted. The XML file is created by selecting the SLC listed under the Trusted Publishing Domains node and then clicking Export Trusted Publishing Domain in the Actions pane. You also must provide a password, which is used to provide additional security and encrypt the trusted publishing domain file. If you are importing the file into an RMS cluster that contains a previous version of RMS, you can select the check box next to Saved As V1 Compatible Trusted Publishing Domain File. The file can then be saved and provided to the administrator who will import the trusted publishing domain file into the target AD RMS cluster. Figure 18-13 shows the dialog box used for exporting the trusted publishing domain file.


Figure 18-13 Exporting the trusted publishing domain file.

When a trusted publishing domain file is obtained, you can import the file by selecting the Trusted Publishing Domains node and then clicking Import Trusted Publishing Domain in the Actions pane.

Figure 18-14 describes the interaction between trusted publishing domains.

Figure 18-14 Trusted publishing domain interaction.

[Diagram: Northwind Traders exports its SLC, private key, and templates (.XML file) to Adatum; Don and Kim then exchange content in steps 1 to 5, listed below.]


1. Northwind Traders exports its SLC, private key, and rights policy templates to ADatum in XML format.

2. ADatum imports the XML file and specifies Northwind Traders as a trusted publishing domain.

3. Kim (an employee at Northwind Traders) sends Don a rights-protected document that originally had a publishing license assigned by the RMS cluster at Northwind Traders.

4. Don receives the content and, in his attempt to open it, sends his RAC and publishing license to his local AD RMS licensing cluster at ADatum.

5. The AD RMS cluster at ADatum can decrypt the publishing license issued by the Northwind Traders RMS cluster and confirms that Don is named in the publishing license. It then issues a use license to Don.

Note In order for the publishing license to route to the AD RMS cluster at the ADatum location, DNS records will need to be modified so that the URL in the publishing license is resolved to the IP of the ADatum-based licensing cluster instead of the licensing cluster located at Northwind Traders.
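The licensing-cluster decisions behind the trusted user domain and trusted publishing domain sections above, as an added toy model that is not code from the book or from AD RMS. It assumes a per-cluster "slc" secret standing in for the SLC key that verifies RACs, a "priv" secret standing in for the cluster private key that unlocks publishing licenses, HMAC-SHA256 in place of the real asymmetric signing and sealing, constructed Don and Kim accounts, and names (Cluster, issue_rac, issue_pl, request_use_license) chosen here. The demo replays Figures 18-12 and 18-14 and shows why the SLC-only .bin import is enough to verify a foreign RAC but not to open a foreign publishing license.

```python
import hashlib
import hmac
import json
# Constructed toy model, not AD RMS code: "slc" stands in for the SLC key that
# verifies RACs, "priv" for the cluster private key; HMAC replaces real crypto.

def _tag(key, payload):
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def _valid(key, token, tag_field):
    body = {k: v for k, v in token.items() if k != tag_field}
    return key is not None and hmac.compare_digest(token[tag_field], _tag(key, body))

class Cluster:
    def __init__(self, name):
        self.name = name
        self.slc = hashlib.sha256(f"slc:{name}".encode()).digest()
        self.priv = hashlib.sha256(f"priv:{name}".encode()).digest()
        self.tud = {name: self.slc}   # trusted user domains -> SLC
        self.tpd = {name: self.priv}  # trusted publishing domains -> private key

    def export_trust_file(self, with_private_key=False):
        # the TUD .bin carries only the SLC; the TPD XML adds the private key
        f = {"cluster": self.name, "slc": self.slc}
        return {**f, "priv": self.priv} if with_private_key else f

    def import_trust_file(self, f):
        if "priv" in f:               # trusted publishing domain
            self.tpd[f["cluster"]] = f["priv"]
        else:                         # trusted user domain
            self.tud[f["cluster"]] = f["slc"]

    def issue_rac(self, user):
        body = {"issuer": self.name, "user": user}
        return {**body, "sig": _tag(self.slc, body)}

    def issue_pl(self, author, users):
        body = {"issuer": self.name, "author": author, "users": sorted(users)}
        return {**body, "seal": _tag(self.priv, body)}

    def request_use_license(self, rac, pl):
        if not _valid(self.tud.get(rac["issuer"]), rac, "sig"):
            return "refused: RAC not from a trusted user domain"
        if not _valid(self.tpd.get(pl["issuer"]), pl, "seal"):
            return "refused: publishing license not from a trusted publishing domain"
        if rac["user"] not in pl["users"]:
            return "refused: user not named in the publishing license"
        return {"licensor": self.name, "user": rac["user"]}

def demo():
    adatum, nwtraders = Cluster("ADatum"), Cluster("NWTraders")
    don = adatum.issue_rac("don@adatum.example")
    pl = nwtraders.issue_pl("kim@nwtraders.example", ["don@adatum.example"])
    r = {"tud_before": nwtraders.request_use_license(don, pl)}  # Figure 18-12
    nwtraders.import_trust_file(adatum.export_trust_file())     # steps 1-2
    r["tud_after"] = nwtraders.request_use_license(don, pl)     # step 5
    r["tpd_before"] = adatum.request_use_license(don, pl)       # Figure 18-14
    adatum.import_trust_file(nwtraders.export_trust_file(with_private_key=True))
    r["tpd_after"] = adatum.request_use_license(don, pl)        # step 5
    return r
```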

Federated Identity Support

Windows Server 2008 AD RMS supports the ability to leverage the federated trust created between two forests or two organizations through the use of Active Directory Federation Services (AD FS). This allows for the use of a single AD RMS infrastructure for all members of the federated trust. A user wanting to publish or consume rights-protected information can use the account credentials established by the federated trust relationship for obtaining an RAC from an AD RMS cluster.

More Info For more information about Active Directory Federation Services, refer to Chapter 19, “Active Directory Federation Services.”

Identity Federation Support is an optional component that has to be installed when the AD RMS server is installed. If you choose to install the Identity Federation Support Role Service, you will also be prompted to include the Active Directory Federation Services Claims-aware Agent as a supporting role service. During the installation, you will also be required to specify the federation server that the AD RMS cluster will communicate with.

Note Communication between the AD FS server and the AD RMS cluster requires an SSL-encrypted connection. It is recommended that you use a certificate issued by a certification authority trusted by all clients taking part in the AD RMS solution. You can create a self-signed certificate for small-scale or test scenarios; however, you must manually install the certificate on all clients communicating with the servers.


After installing the Identity Federation Support role service, a new node will appear in the Active Directory Rights Management Services console. You can select the Federated Identity Support node and enable Active Directory Federation Service, as shown in Figure 18-15.

Figure 18-15 Viewing the Federated Identity Support node.

By default, any RAC issued to a federated identity has a unique validity period of one day. This can be modified by accessing the Federated Identity Support Properties box. You can also configure a specific location of an AD RMS certification server that should be used to issue RACs to external users. Figure 18-16 shows an illustration of the Federated Identity Support Properties box.

Figure 18-16 Configuring Active Directory Federation Service Policies.


Important Be sure to consider the impact of enabling proxy e-mail addresses through a federated trust. If this is allowed, it is possible for a malicious user to spoof the identity of a user and access rights-protected content. This feature is disabled by default.

Managing Rights Policy Templates

When using an AD RMS–enabled application to publish protected content, a user applies a specific rights policy template selected from a list of available templates. AD RMS administrators create and manage the rights policy templates that are available to an AD RMS–enabled application. To create and manage Rights Policy Templates, you select the Rights Policy Templates node in the Active Directory Rights Management Services console. There are two types of rights policy templates that can be configured:

■ Distributed Rights Policy Templates When you configure a distributed rights policy template, the template is made available to users to apply rules and conditions to protected content. If you need to retire a distributed template, you can select the template and then archive the template to remove it from general use.

■ Archived Rights Policy Templates An archived rights policy template is a template that is not available to users. Typically, an archived template is used to design templates or create starter templates that can then be copied, modified, and distributed to AD RMS clients. A rights policy template can also be archived when it should not be used to publish new content, but is still required because of older content still available with this template applied.

By default, all rights policy templates are stored in the configuration database used by AD RMS. However, templates can also be copied to a shared folder and then deployed to workstations to provide local access to the rights policy templates and allow for offline creation of rights-protected content.

Creating a New Distributed Rights Policy Template

Use the following steps to create a new distributed rights policy template:

1. In the Active Directory Rights Management Services console, select Rights Policy Templates and then click Create Distributed Rights Policy Template.

2. On the Add Template Identification Information page, select the language that is supported on your client computers. When you click Add, you can specify the Language and then provide a Name and Description for the template. Figure 18-17 illustrates the template identification information for a new template named Adatum Internal Use Only.


Figure 18-17 Specifying the template identification information.

3. On the Add User Rights page, you can specify rights for users or groups within the organization. You have the choice of specifying the e-mail address for a user or group, or you can choose to apply this template to everyone who can acquire an RAC (including AD FS and Windows Live ID users) by selecting Anyone. You also have the option to grant the author of the document full control right with no expiration and to provide a URL that can be used to grant user requests for additional rights. A rights request URL is typically in the form of a mailto: URL for users to request additional rights via an e-mail message.

4. On the Specify Expiration Policy page, you can specify conditions for Content expiration and Use License expiration.

5. On the Specify Extended Policy page, you can configure the following options:

❑ Enable Users To View Protected Content Using A Browser Add-On This allows users to view protected information with the Information Rights Management Add-on for Internet Explorer. If you do not select this option, the content can only be viewed using the application that created it.

❑ Require A New Use License Every Time Content Is Consumed (Disable Client-Side Caching) Select this option if you want users to have to connect to the AD RMS cluster and acquire a new use license each time they open content based upon this template. If this option is not selected, a client can use a cached version of the use license to consume content.

❑ If You Would Like To Specify Additional Information For Your AD RMS-Enabled Application, You Can Specify Them Here As Name-Value Pairs This option provides the ability to add application-specific settings to the policy template.

6. On the Specify Revocation Policy page, you can specify whether or not protected content may be revoked based upon a revocation list. You can enable the feature and provide a location where the revocation list and the file containing the public key are located.

7. After a rights policy template has been created, you can access a rights summary report by selecting the new template and then clicking View Rights Summary. Figure 18-18 shows an illustration of the User Rights Summary report.


Figure 18-18 Viewing the User Rights Summary report.

Note Creating a new archived rights policy template follows the same process and steps as the creation of a distributed rights policy template.

Distributing Rights Policy Templates

In order for users to create rights-protected information using a rights policy template, they need to have access to the template. Rights policy templates can be made available from a shared network location for use by internal network users. For mobile users who are not connected to the network at all times, you can copy the templates to a location on the local computer. The AD RMS client built into Windows Server 2008 and Windows Vista SP1 has the ability to automatically detect and update local copies of rights policy templates.

How It Works: Distributing AD RMS Rights Policy Templates Automatically with Windows Server 2008 and Windows Vista SP1

To ease administration of AD RMS rights policy templates, Windows Server 2008 and Windows Vista with Service Pack 1 (SP1) introduce a new template distribution pipeline on all servers in the AD RMS cluster. This new pipeline allows an AD RMS client to request the rights policy templates from the cluster and store them locally on the AD RMS client.

AD RMS rights policy templates are requested from the AD RMS client by using a scheduled task. Two scheduled tasks are available: automated or manual. The manual scheduled task can be run at any time. The automated scheduled task is configured to run one hour after a user logs into the computer and every morning at 03:00. This scheduled task is disabled by default. You can enable it by using the Task Scheduler Control Panel or by using a Group Policy object.

For AD RMS clients that are not running Windows Vista with SP1 or Windows Server 2008, you must still distribute the rights policy templates manually from a central location. For more information about distributing AD RMS rights policy templates, see the “Creating and Deploying Active Directory Rights Management Services Rights Policy
