Abstract
This step-by-step guide provides instructions for deploying Microsoft Office SharePoint Server
2007 in an Active Directory Rights Management Services (AD RMS) environment. It includes the
necessary information for installing and configuring Office SharePoint Server 2007 in the newly
created AD RMS infrastructure, and verifying that Office SharePoint Server 2007 documents can
be rights-protected and consumed. In the appendix of this guide, you can also configure Office
SharePoint Server 2007 to work with Active Directory Federation Services (AD FS) and AD RMS.
Copyright Information
This document is provided for informational purposes only and Microsoft makes no warranties,
either express or implied, in this document. Information in this document, including URL and other
Internet Web site references, is subject to change without notice. The entire risk of the use or the
results from the use of this document remains with the user. Unless otherwise noted, the example
companies, organizations, products, domain names, e-mail addresses, logos, people, places, and
events depicted herein are fictitious, and no association with any real company, organization,
product, domain name, e-mail address, logo, person, place, or event is intended or should be
inferred. Complying with all applicable copyright laws is the responsibility of the user. Without
limiting the rights under copyright, no part of this document may be reproduced, stored in or
introduced into a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without the express
written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Microsoft, Active Directory, MS-DOS, SharePoint, Vista, Windows, Windows NT, and
Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
Appendix A: Configuring Active Directory Federation Services to work with Office SharePoint Server 2007 ... 14
  About this Appendix ... 14
  Configuring AD FS to work with Office SharePoint Server 2007 in a Test Environment ... 15
  Step 1: Setting up the infrastructure ... 17
  Step 2: Configuring Office SharePoint 2007 to work with AD FS ... 19
  Step 3: Verifying AD RMS functionality with Office SharePoint Server 2007 and AD FS ... 24
Deploying Active Directory Rights
Management Services with Microsoft Office
SharePoint Server 2007 Step-By-Step Guide
Important
Windows SharePoint Services 3.0 does not have the Microsoft® Office protector files that
are required to automatically rights-protect a document when it is uploaded. You must
use Office SharePoint Server 2007 to do this.
This guide assumes that you previously completed the Active Directory Rights Management
Services Step-by-Step Guide, and that you have already deployed the following components:
• One Active Directory domain controller
• An AD RMS server
• An AD RMS database server
• An AD RMS-enabled client
In this guide, you will create a test deployment that includes an Office SharePoint Server 2007
server.
Office SharePoint Server 2007 provides an easy way to collaborate on documents by posting
them to an Office SharePoint Server 2007 site so that they can be accessed over the corporate
network. The goal of integrating an Office SharePoint Server 2007 deployment with an AD RMS
infrastructure is to be able to protect documents that are downloaded from the Office SharePoint
Server 2007 server by users of any given organization.
Note
Integrating Office SharePoint Server 2007 with AD RMS does not protect the documents
while they are on the server. When a document is uploaded to an Office SharePoint
Server 2007 site, the server removes all protection until a download request is received
by the Office SharePoint Server 2007 server. At this time, the Office SharePoint Server
2007 server applies the appropriate restrictions to the document before it is downloaded
to the client computer.
What This Guide Does Not Provide
This guide does not provide the following:
• An overview of AD RMS. For more information about the advantages that AD RMS
can bring to your organization, see http://go.microsoft.com/fwlink/?LinkId=84726.
• Guidance for setting up and configuring AD RMS in a production environment.
• Guidance for integrating Office SharePoint Server 2007 with AD RMS in a production
environment.
• Complete technical reference for AD RMS.
• Complete information about Office SharePoint Server 2007. For more information,
see http://go.microsoft.com/fwlink/?LinkId=74460.
ADRMS-DB        Windows Server 2003 with SP1    Microsoft SQL Server™ 2005
with Service Pack 2 (SP2) required. Otherwise, Windows Server 2003 with SP1 can be used.
Note
Before installing and configuring the components in this guide, you should verify that your
hardware meets the minimum requirements for AD RMS
(http://go.microsoft.com/fwlink/?LinkId=84733).
The computers form a private intranet and are connected through a common hub or Layer 2
switch. This configuration can be emulated in a virtual server environment if desired. This step-by-
step exercise uses private addresses throughout the test lab configuration. The private network
ID 10.0.0.0/24 is used for the intranet. The domain controller is named CPANDL-DC for the
domain named cpandl.com. The following figure shows the configuration of the test environment:
Important
Before you configure your computers with static Internet Protocol (IP) addresses, we
recommend that you first complete Windows product activation while each of your
computers still has Internet connectivity. You should also install any available critical
security updates from Windows Update (http://go.microsoft.com/fwlink/?LinkID=47370).
Next, configure TCP/IP properties so that SPS-SRV has a static IP address of 10.0.0.6. In
addition, configure the Domain Name System (DNS) Server service by using the IP address of
CPANDL-DC (10.0.0.1).
Local Area Connection, and then click Properties.
3. On the General tab, click Internet Protocol (TCP/IP), and then click Properties.
4. Select the Use the following IP address option. In the IP address box, type
10.0.0.6. In the Subnet mask box, type 255.255.255.0.
5. Select the Use the following DNS server addresses option. In the Preferred
DNS server box, type 10.0.0.1.
6. Click OK, and then click OK to close the Local Area Connection Properties
dialog box. Close the Local Area Connection Status dialog box.
Note
If you are using a self-signed certificate for your AD RMS cluster, you must import it into
the Trusted Certification Authorities certificate store on SPS-SRV before you can
consume rights-protected content.
Note
You will be asked for the Windows Server 2003 product CD in order to complete
the installation of the Application Server role.
6. Click Finish to complete the installation.
Next, install the .NET Framework 3.0. Office SharePoint Server 2007 requires the Windows
Workflow Foundation, which has been integrated into .NET Framework 3.0.
To install Office SharePoint Server 2007
1. Double-click setup.exe from the Office SharePoint Server 2007 product CD.
2. Enter your Product Key, and then click Continue.
3. Select the I accept the terms of this agreement check box, and then click
Continue.
4. Click Basic.
5. After installation has completed, select the Run the SharePoint Products and
Technologies Configuration Wizard now check box, and then click Close. The
installation might take 10 minutes to complete.
6. On the Welcome to the SharePoint Products and Technologies page, click
Next. Click Yes in the message confirming that the SharePoint services should be
restarted. Office SharePoint Server 2007 will also be configured at this time.
7. Click Finish to complete the installation.
Next, give Nicole Holliday and Stuart Railson access to the SharePoint site so that the Office
SharePoint Server 2007 integration with AD RMS can be verified later in this guide:
Next, add the Office SharePoint Server 2007 server and AD RMS Service Group to the AD RMS
cluster server certification pipeline.
Important
By default, the AD RMS cluster server certification pipeline ACL is configured to allow
only the local System account. You must add the permissions in order for Office
SharePoint Server 2007 to integrate with AD RMS.
Once the AD RMS cluster certification pipeline ACL has been updated so that SPS-SRV can
communicate with it, you must configure Office SharePoint Server 2007 to use the AD RMS
cluster:
To enable Information Rights Management in Office SharePoint Server 2007
1. Log on to SPS-SRV as CPANDL\administrator.
2. Click Start, point to Administrative Tools, and then click SharePoint 3.0
Central Administration.
3. Click Operations, and then click Information Rights Management.
4. Select the Use the default RMS server specified in Active Directory option,
and then click OK.
Create an Office SharePoint Server 2007 permission policy on the default document library. This
permission policy will be used to restrict the ability to print any documents that are uploaded to
the document library:
Note
Office SharePoint Server 2007 will automatically apply AD RMS rights to the document
when it is downloaded from the Office SharePoint Server 2007 site. These rights are
determined by the Office SharePoint Server 2007 group membership for that site. For
example, a user who is in the Visitors Office SharePoint Server 2007 group will not be
able to modify the document when it is downloaded from the Office SharePoint Server
2007 site.
rights-enabled document library configured such that users who download the document will not
be able to print it. You then log on as Stuart Railson, download the document from the Office
SharePoint Server 2007 site and verify that the ability to print the document has been restricted.
Before you can consume rights-protected content, you must add SPS-SRV to the Local Intranet
security zone.
Next, log on as Nicole Holliday, create a Microsoft Word 2007 document, and upload it to the
Office SharePoint Server 2007 site.
Note
Since Nicole Holliday is the author of this document, she will have full rights to
the document, regardless of the AD RMS rights that are applied to it.
3. Close Microsoft Office Word 2007.
4. Click Start, point to All Programs, and then click Internet Explorer.
5. Type http://SPS-SRV/ in the address bar, and then click Go.
6. Click Document Center, and then click Documents.
7. Click Upload, click Upload Document, click Browse to locate and select
ADRMS-TST, and then click Open.
8. Click OK to upload the file, and then click Check In.
By uploading the document into this library, the document receives the restrictions set on
the library.
9. Log off as Nicole Holliday.
Finally, log on as Stuart Railson and open the document from the Office SharePoint Server 2007
site.
You have successfully deployed, integrated, and demonstrated the functionality of AD RMS and
Office SharePoint Server 2007, using the simple scenario of uploading a Microsoft Office
Word 2007 document to an Office SharePoint Server 2007 site. You can also use this deployment
to explore some of the additional capabilities of AD RMS through additional configuration and
testing.
• Windows Server Active Directory Rights Management Services Step-by-Step Guide
(http://go.microsoft.com/fwlink/?LinkId=54964)
• Using Identity Federation with Active Directory Rights Management Services Step-by-
Step Guide (http://go.microsoft.com/fwlink/?LinkId=72135)
• The first three steps of Deploying Active Directory Rights Management Services with
Microsoft Office SharePoint Server 2007 Step-By-Step Guide
In this appendix, you will extend the test environment built in the step-by-step guides
referenced above so that it includes federated support for Office SharePoint Server 2007.
Note
Domain controllers running Windows 2000 Server with Service Pack 4 can be used. However, in
this step-by-step guide it is assumed that you will be using domain controllers running
Windows Server 2003 with SP1.
Computer Name   Operating System                Applications and Services
ADRMS-DB        Windows Server 2003 with SP1    Microsoft SQL Server™ 2005 Standard Edition
The computers form two private intranets and are connected through a common hub or Layer 2
switch. This configuration can be emulated in a virtual server environment, if desired. This
appendix exercise uses private addresses throughout the test lab configuration. The private
network ID 10.0.0.0/24 is used for the intranet. The domain controller for the domain named
cpandl.com is CPANDL-DC and the domain controller for the domain name treyresearch.net is
TREY-DC. The following figure shows the configuration of the test environment:
Step 1: Setting up the infrastructure
The following steps should be taken to prepare the existing test infrastructure for configuring
AD FS with Office SharePoint Server 2007:
• Install the claims-aware applications Windows component on SPS-SRV.
• Add a DNS host name record to the CPANDL.COM domain so that federated users
can access the Office SharePoint Server 2007 Web site.
• Add the external SharePoint Web site as a claims-aware application on ADFS-
RESOURCE.
Note
Windows Server 2003 with SP2 is required for AD FS and Office SharePoint Server 2007
to work together. To download Windows Server 2003 with SP2, see
http://go.microsoft.com/fwlink/?LinkId=98598.
First, add the claims-aware application Windows component. This component is required for
AD FS and interfaces with the AD FS federation servers to submit claims.
Note
You will be asked for the Windows Server 2003 R2 product CD in order to
complete the installation of the claims-aware applications Windows component.
8. Click Finish to complete the installation.
Next, add a DNS host name record in the CPANDL.COM domain so that federated users in the
TREYRESEARCH.NET domain can access the Office SharePoint Server 2007 Web site.
To create a DNS host name record for the external Office SharePoint Server 2007 Web
site
1. Log on to CPANDL-DC as cpandl\administrator or another user account in the
local Administrators group.
2. Click Start, point to Administrative Tools, and then click DNS.
3. Expand Forward Lookup Zones, right-click CPANDL-DC, and then click New
Host (A).
4. In the Name box, type external-sps.
5. In the IP Address box, type 10.0.0.6, and then click Add Host.
6. Click OK, confirming that the host record was successfully created.
7. Click Done.
Finally, add the external SharePoint Web site as a claims-aware Windows application on ADFS-
RESOURCE. This should be done before a user is added to the document library.
To add the external SharePoint Web site as a claims-aware Windows application on
ADFS-RESOURCE
1. Log on to ADFS-RESOURCE as cpandl\adfsadmin or another user account in
the local Administrators group.
2. Click Start, point to Administrative Tools, and then click Active Directory
Federation Services.
3. If the User Account Control dialog box appears, confirm that the action it
displays is what you want, and then click Continue.
4. Expand Federation Services, expand Trust Policy, and then expand My
Organization.
5. Right-click Applications, point to New, and then click Application.
6. On the Welcome to the Add Application Wizard, click Next.
7. Select the Claims-aware application option, and then click Next.
8. In the Application display name box, type External SharePoint Web site.
9. In the Application URL box, type https://external-sps.cpandl.com, and then
click Next.
10. Select the E-mail check box, and then click Next.
11. Select the Enable this application check box, and then click Next.
12. Click Finish.
To extend the internal Office SharePoint 2007 Web site and add it to the Extranet zone
on SPS-SRV
1. Log on to SPS-SRV as cpandl\administrator or another user account in the local
Administrators group.
2. Click Start, point to Administrative Tools, and then click SharePoint 3.0
Central Administration.
3. Click Application Management, click Create or Extend Web application, and
then click Extend an existing Web application.
4. Select the Create a new Web site option, and then type External Users Web
site in the Description box.
5. In the Web Application box, click Change Web Application, and then click
http://sps-srv.
6. In the Port box, type 443.
7. In the Host header box, type external-sps.cpandl.com.
8. In the Secure Sockets Layer (SSL) box, select the Yes option.
9. In the URL box, type https://external-sps.cpandl.com.
10. In the Zone box, click Extranet.
11. Click OK.
Before proceeding with this appendix, verify that the internal Web site was correctly extended. To
do this, open the Alternate Access Mappings and ensure that external-sps.cpandl.com is
available.
Next, add an SSL certificate to the external-sps.cpandl.com Web site by using IIS. AD FS
requires an SSL connection for all claims-aware Windows applications.
To add an SSL certificate to the external Office SharePoint 2007 Web site
1. Click Start, point to Administrative Tools, and then click Internet Information
Services (IIS) Manager.
2. Expand Web Sites, right-click External Users Web site, and then click
Properties.
3. Click Directory Security, and then click Server Certificate.
4. On the Welcome to the Web Server Certificate Wizard page, click Next.
5. Choose whether to import from an existing certificate file or request a new
certificate.
6. After the certificate is imported, close the External Users Web site properties
sheet.
Next, configure the authentication provider on the external Web site to use Web Single Sign On
(SSO).
To configure the authentication provider of the Extranet Web application to use Web
SSO
1. Click Start, point to Administrative Tools, and then click SharePoint 3.0
Central Administration, and then click Application Management.
2. Under the Application Security heading, click Authentication providers.
3. In the Web application box, click Change Web Application, and then click
SharePoint - 80.
4. Click Extranet.
5. For Authentication Type, select the Web single sign on option.
6. In the Membership provider name box, type
SingleSignOnMembershipProvider2.
7. In the Role manager name box, type SingleSignOnRoleProvider2.
8. For Enable client integration, select the No option, and then click Save.
Next, configure the internal Web application to accept claims from the external Web site by
editing the web.config file for the internal Web site:
To configure the internal Web site to accept claims from the external Web site
1. Navigate to C:\inetpub\wwwroot\wss\VirtualDirectories\80.
2. Right-click web.config, and then click Open.
3. Select the Select the program from a list option, click Notepad, clear the
Always use the selected program to open this kind of file check box, and then
click OK.
4. Add the following text under the line that reads <authentication mode="Windows" />:
<membership>
  <providers>
    <add name="SingleSignOnMembershipProvider2"
      type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2,
      System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral,
      PublicKeyToken=31bf3856ad364e35"
      fs="https://adfs-resource.cpandl.com/adfs/fs/federationserverservice.asmx" />
  </providers>
</membership>
<roleManager>
  <providers>
    <add name="SingleSignOnRoleProvider2"
      type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2,
      System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral,
      PublicKeyToken=31bf3856ad364e35"
      fs="https://adfs-resource.cpandl.com/adfs/fs/federationserverservice.asmx" />
  </providers>
</roleManager>
Important
If the internal SharePoint Web site is not able to resolve Terrence Philip using the
procedure above, you should ensure all of the previous steps were completed correctly
before continuing through the rest of this appendix.
Next, edit the web.config file on the external Web site. Several entries must be made, so
each individual entry is given its own procedure.
<section name="websso"
type="System.Web.Security.SingleSignOn.WebSsoConfigurationHandler,
System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35, Custom=null" />
</sectionGroup>
5. Click File, and then click Save.
<membership>
  <providers>
    <add name="SingleSignOnMembershipProvider2"
      type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2,
      System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral,
      PublicKeyToken=31bf3856ad364e35" />
  </providers>
</membership>
<roleManager>
  <providers>
    <add name="SingleSignOnRoleProvider2"
      type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2,
      System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral,
      PublicKeyToken=31bf3856ad364e35" />
  </providers>
</roleManager>
<websso>
  <authenticationrequired />
  <auditlevel>55</auditlevel>
  <urls>
    <returnurl>https://external-sps.cpandl.com</returnurl>
  </urls>
  <fs>https://adfs-resource.cpandl.com/adfs/fs/federationserverservice.asmx</fs>
  <isSharePoint />
</websso>
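As an added check that is not part of the original guide, the following Python script parses a web.config and verifies that the entries from the two web.config procedures above (the internal site's membership and role providers, and the external site's providers and websso section) are present, and that every federation server and return URL uses HTTPS, which AD FS requires for claims-aware applications. The web.config it reads is a constructed sample embedded in the script; the check_web_config function and the PROVIDERS table are the example's own names.

```python
import xml.etree.ElementTree as ET

PROVIDERS = {  # config section -> provider name the guide registers in it
    "membership": "SingleSignOnMembershipProvider2",
    "roleManager": "SingleSignOnRoleProvider2",
}
SSO_NAMESPACE = "System.Web.Security.SingleSignOn."

# Constructed sample: the external site's web.config after the guide's edits,
# except that returnurl was left as http:// so the check has something to report.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <membership>
      <providers>
        <add name="SingleSignOnMembershipProvider2" type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      </providers>
    </membership>
    <roleManager>
      <providers>
        <add name="SingleSignOnRoleProvider2" type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      </providers>
    </roleManager>
    <websso>
      <authenticationrequired />
      <auditlevel>55</auditlevel>
      <urls>
        <returnurl>http://external-sps.cpandl.com</returnurl>
      </urls>
      <fs>https://adfs-resource.cpandl.com/adfs/fs/federationserverservice.asmx</fs>
      <isSharePoint />
    </websso>
  </system.web>
</configuration>
"""


def check_web_config(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    findings, urls = [], []  # urls: (label, url) pairs that must all be HTTPS
    web = ET.fromstring(xml_text).find("system.web")
    if web is None:
        return ["missing <system.web> section"]
    for section, name in PROVIDERS.items():
        add = web.find(f"{section}/providers/add[@name='{name}']")
        if add is None:
            findings.append(f"<{section}> does not register {name}")
            continue
        if not add.get("type", "").startswith(SSO_NAMESPACE + name + ","):
            findings.append(f"{name} has an unexpected type attribute")
        if add.get("fs"):  # internal site: federation server URL sits on the provider
            urls.append((f"{name} fs", add.get("fs")))
    websso = web.find("websso")
    if websso is not None:  # external site: Web SSO handler settings
        for path in ("authenticationrequired", "urls/returnurl", "fs", "isSharePoint"):
            if websso.find(path) is None:
                findings.append(f"<websso> is missing <{path.split('/')[-1]}>")
            elif path in ("urls/returnurl", "fs"):
                urls.append((f"websso {path}", (websso.find(path).text or "").strip()))
    if not any(label.endswith(" fs") for label, _ in urls):
        findings.append("no federation server (fs) URL is configured")
    findings += [f"{label} must use HTTPS, found {url}" for label, url in urls
                 if not url.startswith("https://")]
    return findings


if __name__ == "__main__":
    for line in check_web_config(SAMPLE_WEB_CONFIG) or ["web.config passes all checks"]:
        print(line)
```

Run it against the real file by replacing SAMPLE_WEB_CONFIG with the contents of the site's web.config; the internal site passes without a websso section as long as its providers carry an HTTPS fs attribute.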
4. Click the Security tab, click Local intranet, and then click Sites.
5. Click Advanced.
6. In the Add this website to the zone box, type https://external-sps.cpandl.com,
and then click Add.
7. Click Close.
Next, log on to ADRMS-CLNT as Nicole Holliday and create a Microsoft Word 2007 document
and upload it to the Office SharePoint Server 2007 site.
Note
Since Nicole Holliday is the author of this document, she will have full rights to
the document, regardless of the AD RMS rights that are applied to it.
3. Close Microsoft Office Word 2007.
4. Click Start, point to All Programs, and then click Internet Explorer.
5. Type http://SPS-SRV/ in the address bar, and then click Go.
6. Click Document Center, and then click Documents.
7. Click Upload, click Upload Document, click Browse to locate and select
ADRMS-TST, and then click Open.
8. Click OK to upload the file, and then click Check In.
By uploading the document into this library, the document receives the restrictions set on
the library.
9. Log off as Nicole Holliday.
Finally, log on to ADRMS-CLNT2 as Terrence Philip and open the document from the external
Office SharePoint Server 2007 site.
restricted. Microsoft Office must connect to https://adrms-srv.cpandl.com/_wmcs/licensing
to verify your credentials and download your permission."
7. Click OK.
8. The following message will appear: "Verifying your credentials for opening
content with restricted permissions".
9. Click OK in the full screen reading view message, and then click Close to close
the full screen reading view.
10. Click the Microsoft Office button. The Print command is disabled.
You have successfully deployed, integrated, and demonstrated the functionality of AD RMS,
AD FS, and Office SharePoint Server 2007, using the simple scenario of uploading a Microsoft
Office Word 2007 document to an Office SharePoint Server 2007 site. You can also use this
deployment to explore some of the additional capabilities of AD RMS through additional
configuration and testing.