Virtual techdays INDIA │ 18-20 august 2010 Secure Collaboration: All You Need to Know about Extending Active Directory Rights Management Services (AD RMS)

Presentation transcript:

virtual techdays INDIA │ august 2010
Secure Collaboration: All You Need to Know about Extending Active Directory Rights Management Services (AD RMS) Protected Content to External Parties
Venkatesh Swaminathan │ Solution Specialist, Microsoft

SESSION AGENDA (virtual techdays INDIA │ august 2010)
Overview of Active Directory Rights Management Services (AD RMS)
AD RMS within an Enterprise environment
Enable secure collaboration using AD RMS
– AD RMS Trusted User Domains
– AD RMS Integration with Active Directory Federation Services
– AD RMS Integration with the Microsoft Federation Gateway
Questions

PROTECT everywhere, ACCESS anywhere, SIMPLIFY security, MANAGE compliance
Enable more secure business collaboration from virtually anywhere and across devices, while preventing unauthorized use of confidential information
INTEGRATE and EXTEND security
Secure Collaboration
– Secure, seamless access
– Protect sensitive information in documents
– Best-in-class anti-malware
– Enterprise-wide visibility
– Easier partner management
– Deep Microsoft SharePoint and Office integration
– Standards-based interoperability across organizations and cloud

AD Rights Management Services
Persistent Protection: Encryption + Policy (Access Permissions, Use Right Permissions)
– Provides identity-based protection for sensitive data
– Controls access to information across the information lifecycle
– Allows only authorized access based on trusted identity
– Secures transmission and storage of sensitive information wherever it goes: policies are embedded into the content and documents are encrypted
– Embeds digital usage policies (print, view, edit, expiration etc.) into the content to help prevent misuse after delivery

How does RMS work?
Participants: Information Author, Recipient, RMS Server, SQL Server, Active Directory
1. Author receives a client licensor certificate (CLC) the first time they rights-protect information
2. Author defines a set of usage rights and rules for their file; the application creates a “publishing license” (PL) and encrypts the file
3. Author distributes the file
4. Recipient clicks the file to open it; the application calls the RMS server, which validates the user and issues a “use license” (UL)
5. Application renders the file and enforces the rights

Active Directory Rights Management Services
– AD RMS is a server role in Windows Server 2008 and 2008 R2
– The AD RMS client supports Windows XP through Windows 7
– Microsoft IRM-enabled applications include: Office, Exchange Server 2007 & 2010, SharePoint 2007 & 2010
– Sharing protected content is disabled by default: AD RMS requires additional configuration to share content outside of the protection domain
– Provides control to the IT administrator to determine sharing relationships

Basic AD RMS Deployment (diagram: Corporate Network containing the RMS Cluster; clients holding a RAC and CLC; PL and UL exchanged with the cluster; The Internet outside the corporate network)

Sharing Sensitive Content – The Default Today

Enable sharing of IRM Protected Content
Allow users to securely collaborate
– Enable users to share sensitive information in a seamless manner.
– Sharing securely should not interfere with collaboration.
Enterprises can retain control of their data
– Enterprises can create policies determining who has access to content
– Enterprises can manage partnerships between organizations
AD RMS supports several mechanisms to enable sharing of IRM protected content
– Trusted User Domains
– Integration with Active Directory Federation Services
– Integration with the Microsoft Federation Gateway

AD RMS Trusted User Domains
AD RMS Trusted User Domains (TUD)
– An AD RMS domain refers to the scope of an AD RMS certification cluster: the Active Directory forest
– Not to be confused with an Active Directory domain
– Allow trust to be established between AD RMS domains. This is completely independent from AD forest or domain trust
Scenario:
– Enables sharing of AD RMS protected content within enterprises that have multiple forests where user accounts are located
AD RMS Trusted User Domains are recommended for sharing content within the Enterprise

AD RMS Trusted User Domains
– Two entities (forests within a company) have their own AD RMS installation
– By default, AD RMS will not license content to users from other AD RMS installations
– TUD enables users from one AD RMS domain to acquire a license from a server in another domain
– An AD RMS licensing server will issue a use license to a RAC issued by another trusted AD RMS cluster. RAC validation can occur after importing a trusted Server Licensor Certificate (SLC)
– Authentication to the licensing service must be addressed

AD RMS Trusted User Domains (diagram: AD RMS Forest A and AD RMS Forest B)
– John in Forest A sends RM content to Monica in Forest B
– Monica in Forest B sends PL and RAC with request for UL from Forest B

How AD RMS Trusted User Domains Work (diagram: AD RMS Forest A and AD RMS Forest B)
1) Export TUD from Forest 2 (Forest B)
2) Import TUD from Forest 2 (into Forest A)
3) John in Forest A sends RM content to Monica in Forest B
4) Monica in Forest B sends PL and RAC with request for UL
5) Server uses imported SLC to verify Monica’s RAC and returns UL
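The two flows above (the "How does RMS work?" publish/use-license exchange and the TUD trust check in step 5) come down to one decision on the licensing server: is the RAC presented with the request signed by an SLC this cluster trusts, and does the PL name that identity? The following toy model is an added example for this transcript, not code from the talk or from Microsoft. It represents the SLC, RAC, PL and UL as plain dicts and stands in for the real XrML signatures with HMAC-SHA256 under a per-cluster secret (an assumption made to keep it stdlib-only; a real cluster signs with the SLC's RSA key pair and a TUD export carries only the public half). The forest names, user addresses and document bytes are constructed sample values.

```python
"""Toy model of AD RMS license issuance and Trusted User Domains (TUD).

Added illustration, not the presentation's or Microsoft's code. Signatures
are HMAC-SHA256 under a per-cluster secret (assumption: stand-in for the
XrML signature made with the SLC's RSA key pair).
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def _sign(key: bytes, body: dict) -> str:
    """Stand-in for the XrML signature: HMAC over canonical JSON of the body."""
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def _verify(key: bytes, cert: dict) -> bool:
    return hmac.compare_digest(_sign(key, cert["body"]), cert["sig"])


class RmsCluster:
    """One AD RMS cluster; its scope (the AD RMS 'domain') is one AD forest."""

    def __init__(self, forest: str):
        self.forest = forest
        self._slc_key = secrets.token_bytes(32)            # SLC signing key (toy)
        self.slc = {"issuer": forest, "key_id": secrets.token_hex(8)}
        # SLCs whose RACs this cluster will license: only its own until a TUD is imported.
        self._trusted_slcs = {self.slc["key_id"]: self._slc_key}
        self._content_keys = {}                            # content_id -> key, held server-side

    # --- TUD export / import (steps 1 and 2 on the slide) ---
    def export_tud(self) -> dict:
        return {"slc": self.slc, "verify_key": self._slc_key.hex()}

    def import_tud(self, tud: dict) -> None:
        self._trusted_slcs[tud["slc"]["key_id"]] = bytes.fromhex(tud["verify_key"])

    # --- certification: a RAC binds a user identity to this cluster ---
    def issue_rac(self, user: str) -> dict:
        body = {"user": user, "issuer": self.slc}
        return {"body": body, "sig": _sign(self._slc_key, body)}

    # --- publishing: the author's rights and rules become a signed PL ---
    def publish(self, author: str, content: bytes, rights: dict,
                expires: Optional[float] = None) -> dict:
        content_id = hashlib.sha256(content).hexdigest()[:16]
        self._content_keys[content_id] = secrets.token_bytes(32)   # never leaves the server unlicensed
        body = {"content_id": content_id, "author": author, "rights": rights,
                "expires": expires, "licensor": self.slc}
        return {"body": body, "sig": _sign(self._slc_key, body)}

    # --- licensing: the checks behind "server uses imported SLC to verify Monica's RAC" ---
    def request_use_license(self, pl: dict, rac: dict,
                            now: Optional[float] = None) -> Optional[dict]:
        now = time.time() if now is None else now
        if pl["body"]["licensor"] != self.slc or not _verify(self._slc_key, pl):
            return None                                    # PL was not issued by this cluster
        verify_key = self._trusted_slcs.get(rac["body"]["issuer"]["key_id"])
        if verify_key is None:
            return None                                    # RAC from an AD RMS domain with no TUD
        if not _verify(verify_key, rac):
            return None                                    # RAC signature fails against the trusted SLC
        if pl["body"]["expires"] is not None and now > pl["body"]["expires"]:
            return None                                    # embedded expiration policy has passed
        user = rac["body"]["user"]
        granted = pl["body"]["rights"].get(user)
        if not granted:
            return None                                    # identity is not named in the PL
        body = {"content_id": pl["body"]["content_id"], "user": user, "rights": granted,
                "content_key": self._content_keys[pl["body"]["content_id"]].hex()}
        return {"body": body, "sig": _sign(self._slc_key, body)}


def tud_scenario() -> dict:
    """John (Forest A) protects content for Monica (Forest B), as on the slide."""
    forest_a = RmsCluster("forest-a.contoso.example")     # constructed names
    forest_b = RmsCluster("forest-b.contoso.example")
    monica = "monica@forest-b.contoso.example"
    monica_rac = forest_b.issue_rac(monica)
    pl = forest_a.publish("john@forest-a.contoso.example",
                          b"constructed sample document", rights={monica: ["VIEW"]})
    expired_pl = forest_a.publish("john@forest-a.contoso.example",
                                  b"constructed older document", rights={monica: ["VIEW"]},
                                  expires=1000.0)
    results = {"before_tud": forest_a.request_use_license(pl, monica_rac)}
    forest_a.import_tud(forest_b.export_tud())             # Forest A now trusts Forest B's SLC
    results["after_tud"] = forest_a.request_use_license(pl, monica_rac)
    forged = {"body": dict(monica_rac["body"], user="mallory@forest-b.contoso.example"),
              "sig": monica_rac["sig"]}                    # body edited, signature kept
    results["forged_rac"] = forest_a.request_use_license(pl, forged)
    results["expired"] = forest_a.request_use_license(expired_pl, monica_rac, now=2000.0)
    return results
```

Running tud_scenario() shows the four outcomes that matter for the slides: no UL before the TUD import (the RAC issuer is unknown), a UL carrying Monica's VIEW right after it, no UL for a RAC whose body was altered after signing, and no UL once the PL's embedded expiration has passed. In a real deployment the export and import in steps 1 and 2 are done from the AD RMS console or with the Export-RmsTUD and Import-RmsTUD cmdlets of the AD RMS administration module, and the content key in the UL is itself encrypted to the recipient's RAC rather than returned in the clear as this toy does.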

AD RMS Integration with Active Directory Federation Services (AD FS)
AD RMS native scope is the AD forest
– Can be extended to other forests via directory federation
AD FS is a standards-based directory federation system
– Natively supported by AD RMS
Scenarios:
– Extending AD RMS usage to external parties: no AD RMS is required in the external party; AD and AD FS are required
AD RMS/AD FS is recommended for sharing IRM content outside of the Enterprise when using Office clients (Outlook, Excel, Word etc.) and SharePoint

New AD RMS Features in Windows Server 2008 R2
Group Expansion
– Allows organizations to collaborate with groups of people instead of identifying external users individually
– Groups are defined in the publishing organization’s directory
– AD RMS will access the local Active Directory to look up the group membership
3rd-Party Federation Support
– Enables AD RMS to work with non-AD FS Security Token Services
– Uses Forms-Based Authentication

Scenario: AD RMS Integration with AD FS (diagram: Contoso and Fabrikam; AD RMS, AD, FS-A, FS-R and a WebSSO agent; RAC, CLC, PL and UL exchanged)
1. Assume author is already bootstrapped
2. Author sends protected mail to recipient at Fabrikam
3. Recipient contacts RMS server to get bootstrapped
4. WebSSO agent intercepts request
5. RMS client is redirected to FS-R for home realm discovery
6. RMS client is redirected to FS-A for authentication
7. RMS client is redirected back to FS-R for authentication
8. RMS client makes request to RMS server for bootstrapping
9. WebSSO agent intercepts request, checks authentication, and sends request to RMS server
10. RMS server returns bootstrapping certificates to recipient
11. RMS server returns use license to recipient
12. Recipient accesses protected content

AD RMS Integration with AD FS
Tips for enabling AD FS integration with AD RMS
– Both organizations must have AD FS installed and deployed
– Grant Security Audit Privileges to the AD RMS Service Account
– Add an Extranet URL
– Ensure SSL has been enabled for the AD RMS cluster
– Install the AD FS sub-role for AD RMS; provide the URI of the AD FS server during this step
– Enable the feature via the AD RMS MMC Console
– Remember the Home Realm Discovery registry key must be deployed to clients

AD RMS Integration with the Microsoft Federation Gateway
Microsoft Federation Gateway (MFG)
– Identity service that runs in the cloud (over the Internet and beyond your corporate network domain)
– Allows users from one federated organization to be trusted by another federated organization
Scenarios:
– Extends AD RMS usage to external parties for Exchange 2010 SP1 IRM features: no AD RMS is required in the external party
– Enables IRM in OWA, Transport Decryption and Journal Decryption for B2B scenarios
– Requires AD RMS on Windows Server 2008 R2 SP1

AD RMS Integration with MFG (animated diagram sequence: Jane, Marcus, Exchange 2010)
– Fabrikam may also have their own RMS deployment
– Jane could have protected the message at OWA/OLK
– Fabrikam will cache the RAC to use in future requests
– All proxy addresses of the federated identity are included in the token
– The Use License call is batched and a single MFG token is presented for all recipients
– The Use License will be used to decrypt the message for OWA, Transport Decryption and Journal Report Decryption

AD RMS Integration with MFG
Tips for enabling MFG integration within RMS
– Install Windows Server 2008 R2 SP1 on all AD RMS front-end machines
– Remember to back up the database prior to upgrade
– Add MFG support via the AD RMS MMC console: this creates new IIS virtual directories and updates the configuration of AD RMS
– Register the AD RMS cluster with the MFG: requires RMS to be deployed with SSL; the SSL certificate is used to authenticate with the MFG
– Enable the feature

Questions?