· Deploying Active Directory Rights Management Services with Microsoft Office SharePoint Server 2007 Step-By-Step Guide
This step-by-step guide walks you through the process of
deploying Active Directory Rights Management Services (AD RMS) and
Microsoft Office SharePoint Server 2007 together in a test environment.
Specifically, this guide shows you how to add an Office SharePoint Server 2007
to an existing AD RMS environment.
Important
Windows SharePoint Services 3.0 does not have the Microsoft®
Office protector files that are required to automatically rights-protect a
document when it is uploaded. You must use Office SharePoint Server 2007 to do
this.
This guide assumes that you previously completed the Active
Directory Rights Management Services Step-by-Step Guide, and that you have
already deployed the following components:
· One
Active Directory domain controller
· An
AD RMS server
· An
AD RMS database server
· An
AD RMS-enabled client
In this guide, you will create a test deployment that
includes an Office SharePoint Server 2007 server.
Office SharePoint Server 2007 provides an easy way to
collaborate on documents by posting them to an Office SharePoint Server 2007
site so that they can be accessed over the corporate network. The goal of
integrating an Office SharePoint Server 2007 deployment with an AD RMS
infrastructure is to be able to protect documents that are downloaded from the
Office SharePoint Server 2007 server by users of any given organization.
Note
Integrating Office SharePoint Server 2007 with AD RMS
does not protect the documents while they are on the server. When a document is
uploaded to an Office SharePoint Server 2007 site, the server removes all
protection until a download request is received by the Office SharePoint Server
2007 server. At this time, the Office SharePoint Server 2007 server applies the
appropriate restrictions to the document before it is downloaded to the client
computer.
· What This Guide Does Not Provide
This guide does not provide the following:
· An
overview of AD RMS. For more information about the advantages that
AD RMS can bring to your organization, see http://go.microsoft.com/fwlink/?LinkId=84726.
· Guidance
for setting up and configuring AD RMS in a production environment.
· Guidance
for integrating Office SharePoint Server 2007 with AD RMS in a production
environment.
· Complete
technical reference for AD RMS.
· Complete
information about Office SharePoint Server 2007. For more information, see http://go.microsoft.com/fwlink/?LinkId=74460.
· Deploying AD RMS in a Test Environment
We recommend that you use the steps provided in the
"Windows Server Active Directory Rights Management Services Step-by-Step
Guide" before completing the steps in this guide. Step-by-step guides are
not necessarily meant to be used to deploy Microsoft products without
additional documentation and should be used with discretion as a stand-alone document.
Upon completion of this step-by-step guide, you will have a
working AD RMS infrastructure integrated with Office SharePoint Server
2007. You can then test AD RMS and Office SharePoint Server 2007
functionality as follows:
· Create
a Microsoft Office Word 2007 document in the CPANDL domain.
· Upload
this document to the Office SharePoint Server 2007 document library.
· Have
an authorized user in the CPANDL domain open and work with the document.
The test environment described in this guide includes five
computers connected to a private network and using a clean installation of the
following operating systems, applications, and services:
Computer Name | Operating System | Applications and Services
CPANDL-DC | Windows Server® 2003 with Service Pack 1 (SP1) | Active Directory, Domain Name System (DNS)
ADRMS-SRV | Windows Server® 2008 | AD RMS, Internet Information Services (IIS) 7.0, and Message Queuing
ADRMS-DB | Windows Server 2003 with SP1 | Microsoft SQL Server™ 2005 with Service Pack 2 (SP2)
SPS-SRV | Windows Server 2003 R2 Standard Edition (Windows Server 2003 R2 must be used if federated identity support with Office SharePoint Server 2007 is required; otherwise, Windows Server 2003 with SP1 can be used) | Office SharePoint Server 2007
ADRMS-CLNT | Windows Vista® | Microsoft Office Word 2007 Enterprise Edition
Note
Before installing and configuring the components in this
guide, you should verify that your hardware meets the minimum requirements for
AD RMS (http://go.microsoft.com/fwlink/?LinkId=84733).
The computers form a private intranet and are connected
through a common hub or Layer 2 switch. This configuration can be emulated
in a virtual server environment if desired. This step-by-step exercise uses
private addresses throughout the test lab configuration. The private network ID
10.0.0.0/24 is used for the intranet. The domain controller is named CPANDL-DC
for the domain named cpandl.com. The following figure shows the configuration
of the test environment:
· Step 1: Installing and Configuring SPS-SRV
To prepare your AD RMS test environment in the CPANDL
domain, you must install and configure the Office SharePoint Server 2007
computer, SPS-SRV. Use the following table as a reference when setting up the
computer name, operating system, and network settings that are required to
complete the steps in this guide.
Important
Before you configure your computers with static Internet
Protocol (IP) addresses, we recommend that you first complete Windows product
activation while each of your computers still has Internet connectivity. You
should also install any available critical security updates from Windows Update
(http://go.microsoft.com/fwlink/?LinkID=47370).
Computer name | Operating system requirement | IP settings | DNS settings
SPS-SRV | Windows Server 2003 R2, Standard Edition (Important: in order to use Active Directory Federation Services (AD FS) with Office SharePoint Server 2007, you must install Windows Server 2003 R2 with Service Pack 2 (SP2)) | IP address: 10.0.0.6; Subnet mask: 255.255.255.0 | 10.0.0.1
· Configure the Office SharePoint Server (SPS-SRV)
To configure the Office SharePoint Server 2007 server
SPS-SRV, you must:
1. Install Windows Server 2003 R2 Standard
Edition.
2. Configure TCP/IP properties.
3. Join the computer to the cpandl.com domain.
4. Install the Rights Management Services (RMS)
client with SP2.
To install
Windows Server 2003 R2 Standard Edition
1. Start your computer by using the Windows
Server 2003 R2 Standard Edition product CD.
2. When prompted for the installation type,
choose Custom Installation.
3. When prompted for a computer name, type SPS-SRV.
4. Follow the rest of the instructions that
appear on your screen to finish the installation.
Next, configure TCP/IP properties so that SPS-SRV has a
static IP address of 10.0.0.6. In addition, configure the Domain Name System
(DNS) Server service by using the IP address of CPANDL-DC (10.0.0.1).
To configure TCP/IP Properties
1. Log on to SPS-SRV with the
SPS-SRV\Administrator account or another user account in the local
Administrators group.
2. Click Start, point to
Control Panel, point to Network
Connections, double-click Local Area Connection,
and then click Properties.
3. On the General tab,
click Internet Protocol (TCP/IP), and then click Properties.
4. Select the Use the following
IP address option. In the IP address box, type 10.0.0.6. In Subnet mask
box, type 255.255.255.0.
5. Select the Use the following
DNS server addresses option. In the Preferred DNS
server box, type 10.0.0.1.
6. Click OK, and then
click OK to close the Local Area
Connection Properties dialog box. Close the Local Area
Connection Status dialog box.
Next, join SPS-SRV to the cpandl.com domain.
To join SPS-SRV to the cpandl.com
domain
1. Click Start,
right-click My Computer, and then click Properties.
2. Click Computer Name
tab, and then click Change.
3. In the Computer Name Changes
dialog box, click Domain, and then type cpandl.com.
4. Click More, and then type cpandl.com in the Primary
DNS suffix of this computer box.
5. Click OK twice.
6. When a Computer Name Changes
dialog box appears prompting you for administrative credentials, provide the
credentials for CPANDL\Administrator, and then click OK.
7. When a Computer Name Changes
dialog box appears welcoming you to the cpandl.com domain, click OK.
8. When a Computer Name Changes
dialog box appears telling you that the computer must be restarted, click OK, and then click Close.
9. Click Yes to restart
the computer.
Finally, install the RMS client with SP2 on SPS-SRV.
To install the RMS client with SP2
1. Download the RMS client from http://go.microsoft.com/fwlink/?LinkId=67736.
If you are using a 64-bit version of Windows Server 2003, download the
64-bit version of the RMS client from http://go.microsoft.com/fwlink/?LinkId=67935 instead.
2. Double-click
WindowsRightsManagementServicesSP2-KB917275-Client-ENU.exe to start the
installation.
3. Click Next.
4. Select the I agree
option to accept the End User License Agreement, and then click Next twice to start the installation.
5. Click Close to
finish the installation.
Note
If you are using a self-signed certificate for your
AD RMS cluster, you must import it into the Trusted Root Certification
Authorities certificate store of the local computer on SPS-SRV before SPS-SRV can
enroll with the cluster or consume rights-protected content. Otherwise, every
HTTPS call to the cluster fails with an SSL/TLS trust error.
· Install Office SharePoint Server 2007
To install Office SharePoint Server 2007, you must complete
the following steps in the following order:
1. Add the Application Server role to SPS-SRV.
2. Install Microsoft .NET Framework 3.0.
3. Install Office SharePoint Server 2007.
Office SharePoint Server 2007 uses the Application Server
role, which contains IIS and ASP.NET, to host Office SharePoint Server 2007
document libraries. To install the Application Server role, you must complete
the following steps:
To add the Application Server role
1. Click Start, point to
All Programs, point to Administrative
Tools, and then click Manage Your Server.
2. Click Add or remove a role.
3. On the Preliminary Steps
page of the Configure your Server Wizard, click Next.
4. Click Application Server
(IIS, ASP.NET), and then click Next.
5. Select the Enable ASP.NET check
box, and then click Next twice.
Note
You will be asked for the Windows Server 2003
product CD in order to complete the installation of the Application Server
role.
6. Click Finish to
complete the installation.
Next, install the .NET Framework 3.0. Office SharePoint
Server 2007 requires the Windows Workflow Foundation, which has been integrated
into .NET Framework 3.0.
To install .NET Framework 3.0
1. Download Microsoft .NET Framework 3.0 from http://go.microsoft.com/fwlink/?LinkId=73912.
2. Double-click dotnetfx3setup.exe,
and then click Run in the Open File -
Security Warning dialog box.
3. Click the I have read and
ACCEPT the terms of the License Agreement option, and then click Install.
4. Click Exit to
complete the installation.
Next, install Office SharePoint Server 2007.
To install Office SharePoint
Server 2007
1. Double-click setup.exe
from the Office SharePoint Server 2007 product CD.
2. Enter your Product Key, and then click Continue.
3. Select the I accept the
terms of this agreement check box, and then click Continue.
4. Click Basic.
5. After installation has completed, select
the Run the SharePoint Products and Technologies Configuration
Wizard now check box, and then click Close. The
installation might take 10 minutes to complete.
6. On the Welcome to the
SharePoint Products and Technologies page, click Next. Click Yes in the message
confirming that the SharePoint services should be restarted. Office
SharePoint Server 2007 will also be configured at this time.
7. Click Finish to
complete the installation.
· Step 2: Configuring AD RMS to Work with SPS-SRV
After Office SharePoint Server 2007 has been installed,
there are several tasks that must be completed to integrate Office SharePoint
Server 2007 with AD RMS:
· Add
the Office SharePoint Server 2007 site to the Local Intranet Internet Explorer
zone.
· Add
three user accounts, CPANDL\Administrator, Nicole Holliday, and Stuart Railson,
to the SharePoint site.
· Add
the Office SharePoint Server 2007 server to the AD RMS server
certification pipeline.
· Enable
Information Rights Management in Office SharePoint Server 2007.
· Restrict
permissions by using AD RMS.
First, add the Office SharePoint Server 2007 site to the
Internet Explorer Local Intranet zone on the Office SharePoint Server 2007
computer.
To add SPS-SRV to Local Intranet
1. Log on to SPS-SRV as cpandl\administrator.
2. Click Start, point to
Control Panel, and then click Internet
Options.
3. Click the Security
tab, click Local Intranet, and then click the Sites button.
4. Type http://SPS-SRV,
and then click Add.
5. Click Close, and then
click OK.
Next, give Nicole Holliday and Stuart Railson access to the
SharePoint site so that the Office SharePoint Server 2007 integration with
AD RMS can be verified later in this guide:
To add Nicole Holliday and Stuart
Railson to the SharePoint site
1. Click Start, point to
All Programs, and then click Internet
Explorer.
2. Type http://SPS-SRV
in the address bar, and then click Go. This will open
the default Office SharePoint Server 2007 site that was created during
installation.
3. Click Site Actions,
point to Site Settings, and then click People
and Groups.
4. Click New, and then
click Add Users.
5. Type nhollida@cpandl.com;srailson@cpandl.com
in the Users/Groups box, and then click OK.
A list of users who have permission to use the SharePoint site is displayed.
Next, add the Office SharePoint Server 2007 computer account to the
AD RMS cluster server certification pipeline ACL, and re-enable
permission inheritance so that the AD RMS Service Group's rights on the
parent folder also apply to the pipeline.
Important
By default, the AD RMS cluster server certification
pipeline ACL is configured to allow only the local System account. You must add
the permissions in order for Office SharePoint Server 2007 to integrate with
AD RMS.
To add SPS-SRV to the AD RMS
Certification Pipeline
1. Log on to ADRMS-SRV as
CPANDL\Administrator.
2. Click Start, and then
click Computer.
3. Navigate to
C:\Inetpub\wwwroot\_wmcs\Certification.
4. Right-click ServerCertification.asmx,
click Properties, and then click the Security
tab.
5. Click Advanced, click
Edit, select the Include inheritable
permissions from this object's parent check box, and then click OK two times.
6. Click Edit, and then
click Add.
7. Click Object Types,
select the Computers check box, and then click OK.
8. Type SPS-SRV, and
then click OK.
9. Click OK to close the
ServerCertification.asmx Properties sheet.
After these steps, the SPS-SRV computer account has the Read & execute and
Read permissions on ServerCertification.asmx; all other entries (including
the AD RMS Service Group) are inherited from the parent folder.
10. Click Start, and then
click Command Prompt.
11. Type iisreset,
and then press ENTER.
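The same pipeline change as an added PowerShell example; it is not part of this guide. It runs on ADRMS-SRV (Windows Server 2008 with the Windows PowerShell feature installed) as CPANDL\Administrator and assumes the default AD RMS web site path and the CPANDL domain name used throughout this guide; CPANDL\SPS-SRV$ is the machine account of SPS-SRV.

```powershell
# Added example, not from the guide. Run on ADRMS-SRV as CPANDL\Administrator.
# Assumptions: default AD RMS web site path; domain NetBIOS name CPANDL;
# the SharePoint server's machine account is CPANDL\SPS-SRV$.
$asmx = 'C:\Inetpub\wwwroot\_wmcs\Certification\ServerCertification.asmx'

$acl = Get-Acl -Path $asmx

# Step 5 of the procedure ("Include inheritable permissions from this object's
# parent"): $false = stop protecting the ACL, i.e. inherit from the parent again.
# This is what brings the AD RMS Service Group's rights on the Certification
# folder down to the file.
$acl.SetAccessRuleProtection($false, $true)

# Steps 6-9: grant the SharePoint server's computer account (note the trailing $)
# Read & execute only. Nothing else is widened: ordinary domain users still
# cannot reach the server certification pipeline.
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList 'CPANDL\SPS-SRV$', 'ReadAndExecute', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $asmx -AclObject $acl

# Verify: the machine account must be listed with ReadAndExecute, and no
# non-administrative principal should have more than Read/ReadAndExecute.
(Get-Acl -Path $asmx).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# Steps 10-11: restart IIS so the new ACL is used for the next enrollment request.
iisreset
```

Review the verification table before moving on: if the SPS-SRV$ entry is missing, the usual cause is that the machine account name could not be resolved (SPS-SRV not yet joined to cpandl.com, or DNS on ADRMS-SRV not pointing at CPANDL-DC).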
Now that the certification pipeline ACL allows SPS-SRV to enroll with the
AD RMS cluster, configure Office SharePoint Server 2007 to use the
cluster:
To enable Information Rights
Management in Office SharePoint Server 2007
1. Log on to SPS-SRV as CPANDL\administrator.
2. Click Start, point to
Administrative Tools, and then click SharePoint
3.0 Central Administration.
3. Click Operations, and
then click Information Rights Management.
4. Select the Use the default
RMS server specified in Active Directory option, and then click OK.
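An added verification script, not part of this guide, to run on SPS-SRV as CPANDL\administrator after enabling Information Rights Management. It assumes Windows PowerShell 2.0 is installed on SPS-SRV. It reads the AD RMS service connection point (SCP) that the "Use the default RMS server specified in Active Directory" option resolves, then probes the cluster's certification and licensing pipelines over HTTPS, which is where the untrusted self-signed certificate mentioned after the RMS client installation shows up.

```powershell
# Added example, not from the guide. Run on SPS-SRV as CPANDL\administrator
# (assumes Windows PowerShell 2.0 is installed on SPS-SRV).

# 1. Read the AD RMS service connection point that "Use the default RMS server
#    specified in Active Directory" relies on. AD RMS registers it at this fixed
#    location in the configuration partition; serviceBindingInformation holds
#    the cluster's certification URL.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.configurationNamingContext
try {
    $scp = [ADSI]"LDAP://CN=SCP,CN=RightsManagementServices,CN=Services,$configNc"
    $clusterUrl = [string]$scp.serviceBindingInformation
} catch {
    $clusterUrl = ''
}
if (-not $clusterUrl) {
    throw 'No AD RMS SCP found in Active Directory; the "default RMS server" option has nothing to resolve.'
}
"Cluster URL from SCP: $clusterUrl"

# 2. Probe the certification and licensing pipelines over HTTPS. A 200, 401 or
#    403 all prove that DNS, IIS and the TLS trust chain are fine; a WebException
#    with no response (typically "Could not establish trust relationship for the
#    SSL/TLS secure channel") means the cluster certificate, self-signed in this
#    lab, is not yet in Trusted Root Certification Authorities on this computer.
$base = $clusterUrl -replace '/_wmcs/.*$', ''
foreach ($rel in 'certification/ServerCertification.asmx', 'licensing/License.asmx') {
    $url = "$base/_wmcs/$rel"
    $req = [System.Net.WebRequest]::Create($url)
    $req.UseDefaultCredentials = $true
    $req.Method = 'GET'
    try {
        $resp = $req.GetResponse()
        '{0,-4} {1}' -f [int]$resp.StatusCode, $url
        $resp.Close()
    } catch {
        # PowerShell may wrap the .NET exception; unwrap to the WebException.
        $ex = $_.Exception
        if (($ex -isnot [System.Net.WebException]) -and $ex.InnerException) { $ex = $ex.InnerException }
        if ($ex.Response) {
            '{0,-4} {1}' -f [int]$ex.Response.StatusCode, $url
            $ex.Response.Close()
        } else {
            'FAIL {0}: {1}' -f $url, $ex.Message
        }
    }
}
```

The status codes are informational only: the request is made with the interactive administrator's identity, whereas the pipeline ACL configured on ADRMS-SRV is evaluated against the SPS-SRV computer account when SharePoint itself enrolls. What this script settles is whether the SCP exists and whether the cluster is reachable with a trusted certificate, the two things that must hold before that enrollment can succeed.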
Create an Office SharePoint Server 2007 permission policy on
the default document library. This permission policy will be used to restrict
the ability to print any documents that are uploaded to the document library:
To restrict permissions using
AD RMS
1. Log on as cpandl\Administrator.
2. Click Start, point to
All Programs, and then click Internet
Explorer.
3. Type http://SPS-SRV
in the address bar, and then click Go.
4. Click Document Center,
click Documents, click Settings,
and then click Document Library Settings.
5. Under the Permissions and
Management heading, click Information Rights Management.
6. Select the Restrict permission
to documents in this library on download check box.
7. Type CPANDL
Protected in the Permissions policy title box.
8. Type Restrict
CPANDL employees from printing in the Permission policy
description box.
9. Click OK.
Note
Office SharePoint Server 2007 will automatically apply
AD RMS rights to the document when it is downloaded from the Office
SharePoint Server 2007 site. These rights are determined by the Office
SharePoint Server 2007 group membership for that site. For example, a user who
is in the Visitors Office SharePoint Server 2007 group will not be able to
modify the document when it is downloaded from the Office SharePoint Server
2007 site.
· Step 3: Verifying AD RMS Functionality using ADRMS-CLNT
To verify the functionality of the AD RMS deployment,
you log on as Nicole Holliday, create a new Microsoft Word 2007 document,
and upload it to the Office SharePoint Server 2007 site into a rights-enabled
document library configured such that users who download the document will not
be able to print it. You then log on as Stuart Railson, download the document
from the Office SharePoint Server 2007 site and verify that the ability to
print the document has been restricted.
Before you can consume rights-protected content, you must
add SPS-SRV to the Local Intranet security zone.
To add SPS-SRV to Local Intranet
security zone
1. Log on to ADRMS-CLNT as Nicole Holliday
(CPANDL\nhollida).
2. Click Start, click All Programs, and then click Internet Explorer.
3. Click Tools, and then
click Internet Options.
4. Click the Security
tab, click Local intranet, and then click Sites.
5. Click Advanced.
6. In the Add this website to
the zone, type http://sps-srv,
and then click Add.
7. Click Close, and then click OK twice.
8. Repeat steps 1–7 for Stuart Railson
(CPANDL\srailson).
Next, logged on as Nicole Holliday, create a Microsoft
Word 2007 document and upload it to the Office SharePoint Server 2007
site.
To create and upload a Microsoft
Word document for testing
1. Click Start, point to
All Programs, point to Microsoft Office,
and then click Microsoft Office Word 2007.
2. Type This
document is read-only. You cannot print it. in the new document, click
the Microsoft Office Button, click Save
As, and then save the file as ADRMS-TST.docx to a location on
ADRMS-CLNT. This document will be uploaded to the Office SharePoint Server
2007 document library.
Note
Since Nicole Holliday is the author of this
document, she will have full rights to the document, regardless of the
AD RMS rights that are applied to it.
3. Close Microsoft Office Word 2007.
4. Click Start, point to
All Programs, and then click Internet
Explorer.
5. Type http://SPS-SRV/ in the address bar, and then click Go.
6. Click Document Center,
and then click Documents.
7. Click Upload, click Upload Document, click Browse to locate
and select ADRMS-TST, and then click Open.
8. Click OK to upload
the file, and then click Check In.
By uploading the document into this library, the
document receives the restrictions set on the library.
9. Log off as Nicole Holliday.
Finally, log on as Stuart Railson and open the document from
the Office SharePoint Server 2007 site.
To open a protected document
1. Log on to ADRMS-CLNT as Stuart Railson
(CPANDL\srailson).
2. Click Start, click All Programs, and then click Internet Explorer.
3. Type http://SPS-SRV/
in the address bar, and then click Go.
4. Click Document Center,
and then click Documents.
5. Click ADRMS-TST, and then click OK to open the document as Read Only.
6. The following message will appear: "Permission to this document is currently restricted. Microsoft
Office must connect to https://adrms-srv.cpandl.com/_wmcs/licensing to verify
your credentials and download your permission."
7. Click OK.
8. The following message will appear: "Verifying your credentials for opening content with restricted
permissions".
9. Click OK in the full
screen reading view message, and then click Close to
close the full screen reading view.
10. Click the Microsoft Office button. The Print command is disabled.
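An added check, not part of this guide, that the copy of the document Stuart Railson downloads is really RMS-protected rather than just opened read-only by Word. It relies on the file container: an unprotected Office 2007 .docx is a ZIP archive, whereas an IRM-protected (or password-encrypted) Office 2007 file is wrapped in an OLE compound file holding the encrypted package. Both paths are assumptions; first save a copy of ADRMS-TST.docx from the library to the download location on ADRMS-CLNT.

```powershell
# Added example, not from the guide. Run on ADRMS-CLNT; the file paths below
# are assumptions for this lab.
function Get-OfficeContainerType {
    param([Parameter(Mandatory = $true)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 8) { return 'too-short' }
    $magic = [System.BitConverter]::ToString($bytes, 0, 8)
    switch -wildcard ($magic) {
        # "PK\003\004": a plain Office Open XML package (ZIP); no protection applied.
        '50-4B-03-04-*'           { return 'unprotected-ooxml' }
        # OLE compound file header: Office stores IRM-protected (and password-
        # encrypted) Office 2007 documents in this container, with the real
        # package kept as an encrypted stream inside it.
        'D0-CF-11-E0-A1-B1-1A-E1' { return 'ole-wrapped' }
        default                   { return 'unknown' }
    }
}

$original   = 'C:\Users\nhollida\Documents\ADRMS-TST.docx'  # assumption: the file Nicole saved before uploading
$downloaded = 'C:\Users\srailson\Downloads\ADRMS-TST.docx'  # assumption: the copy Stuart saved from the library

foreach ($f in $original, $downloaded) {
    if (Test-Path -Path $f) {
        '{0,-18} {1}' -f (Get-OfficeContainerType -Path $f), $f
    } else {
        '{0,-18} {1}' -f 'missing', $f
    }
}
```

Nicole's local copy should classify as unprotected-ooxml, because the library applies protection on download, not on upload (see the note at the top of this guide). Stuart's downloaded copy should classify as ole-wrapped. If the download is also unprotected-ooxml, look at the library's Information Rights Management setting, the AD RMS SCP, and the certification pipeline ACL on ADRMS-SRV, in that order. The check cannot distinguish IRM protection from a password-encrypted document; for that you would have to parse the DataSpaces streams inside the container.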
You have successfully deployed, integrated, and demonstrated
the functionality of AD RMS and Office SharePoint Server 2007, using the
simple scenario of uploading a Microsoft Office Word 2007 document to an
Office SharePoint Server 2007 site. You can also use this deployment to explore
some of the additional capabilities of AD RMS through additional
configuration and testing.
· Appendix A: Configuring Active Directory Federation Services to work with Office SharePoint Server 2007
· About this Appendix
This appendix walks you through the process of configuring
Active Directory Federation Services (AD FS) and Microsoft Office
SharePoint Server 2007 together in a test environment to consume content that
is rights-protected by Active Directory Rights Management Services
(AD RMS). Specifically, this appendix shows you how to consume
rights-protected content from an Office SharePoint Server 2007 document library
through a federated trust.
This appendix assumes that you previously completed the
following step-by-step guides:
· Windows
Server Active Directory Rights Management Services Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=54964)
· Using
Identity Federation with Active Directory Rights Management Services
Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=72135)
· The
first three steps of Deploying Active Directory Rights Management Services with
Microsoft Office SharePoint Server 2007 Step-By-Step Guide
In this appendix, you will configure the test environment
configured in the step-by-step guides referenced above to include federated
support for Office SharePoint Server 2007.
· Configuring AD FS to work with Office SharePoint Server 2007 in a Test Environment
We recommend that you first use the steps provided in this
appendix in a test lab environment. Step-by-step guides are not necessarily
meant to be used to deploy Windows Server features without additional
deployment documentation and should be used with discretion as a stand-alone
document.
Upon completion of this appendix, you will have a working
AD RMS and Office SharePoint Server 2007 infrastructure with federation
support. You can then test and verify the functionality as follows:
· Create
a document in the CPANDL.COM domain.
· Upload
the document to a rights-protected document library.
· Have
an authorized user in the TREYRESEARCH.NET domain open and work with the
document.
The test environment described in this appendix includes nine computers
connected to a private network and using the following operating systems,
applications, and services:
Computer Name | Operating System | Applications and Services
CPANDL-DC, TREY-DC | Windows Server 2003 with Service Pack 1 (SP1) (Note: domain controllers running Windows 2000 Server with Service Pack 4 can be used; however, this appendix assumes domain controllers running Windows Server 2003 with SP1) | Active Directory, Domain Name System (DNS)
ADRMS-SRV | Windows Server® 2008 | AD RMS, Internet Information Services (IIS) 7.0, Message Queuing, and World Wide Web Publishing Service
ADRMS-DB | Windows Server 2003 with SP1 | Microsoft SQL Server™ 2005 Standard Edition
SPS-SRV | Windows Server 2003 R2 with Service Pack 2 (SP2) (Important: Windows Server 2003 R2 with SP2 is required for federation support to work with Office SharePoint Server 2007) | AD FS claims-aware agent, Office SharePoint Server 2007
ADRMS-CLNT, ADRMS-CLNT2 | Windows Vista® | Microsoft Office Word 2007 Enterprise Edition
ADFS-RESOURCE, ADFS-ACCOUNT | Windows Server® 2008 Enterprise | AD FS, IIS
The computers form two private intranets and are connected
through a common hub or Layer 2 switch. This configuration can be emulated
in a virtual server environment, if desired. This appendix exercise uses
private addresses throughout the test lab configuration. The private network ID
10.0.0.0/24 is used for the intranet. The domain controller for the domain
named cpandl.com is CPANDL-DC and the domain controller for the domain name
treyresearch.net is TREY-DC. The following figure shows the configuration of
the test environment:
· Step 1: Setting up the infrastructure
The following steps should be taken to prepare the existing
test infrastructure for configuring AD FS with Office SharePoint Server
2007:
· Install
the claims-aware applications Windows component on SPS-SRV.
· Add
a DNS host name record to the CPANDL.COM domain so that federated users can
access the Office SharePoint Server 2007 Web site.
· Add
the external SharePoint Web site as a claims-aware application on
ADFS-RESOURCE.
Note
Windows Server 2003 with SP2 is required for AD FS
and Office SharePoint Server 2007 to work together. To download Windows
Server 2003 with SP2, see http://go.microsoft.com/fwlink/?LinkId=98598.
First, add the Claims-aware applications Windows component. This is the
AD FS claims-aware Web agent: it validates the security token issued by the
federation server and exposes the token's claims to the Web application, so it
must be installed on SPS-SRV before the Web SSO providers are configured.
To add the claims-aware
applications Windows component
1. Log on to SPS-SRV as cpandl\administrator
or another user account in the local Administrators group.
2. Click Start, point to
Control Panel, click Add or Remove
Programs, and then click Add/Remove Windows Components.
3. Click Active Directory
Services, and then click Details.
4. Click Active Directory
Federation Services (ADFS), and then click Details.
5. Click ADFS Web Agents,
and then click Details.
6. Select the Claims-aware
applications check box, and then click OK three
times.
7. Click Next.
Note
You will be asked for the Windows
Server 2003 R2 product CD in order to complete the installation of
the claims-aware applications Windows component.
8. Click Finish to
complete the installation.
Next, add a DNS host (A) record in the CPANDL.COM domain so that
federated users in the TREYRESEARCH.NET domain can reach the external
Office SharePoint Server 2007 Web site by name.
To create a DNS host name record
for the external Office SharePoint Server 2007 Web site
1. Log on to CPANDL-DC as cpandl\administrator
or another user account in the local Administrators group.
2. Click Start, point to
Administrative Tools, and then click DNS.
3. Expand CPANDL-DC, expand Forward Lookup Zones, right-click cpandl.com, and then click New Host (A).
4. In the Name box, type
external-sps.
5. In the IP Address
box, type 10.0.0.6, and then
click Add Host.
6. Click OK, confirming
that the host record was successfully created.
7. Click Done.
Finally, add the external SharePoint Web site as a
claims-aware application on ADFS-RESOURCE. Do this before the federated
user is added to the document library in Step 2.
To add the external SharePoint Web
site as a claims-aware Windows application on ADFS-RESOURCE
1. Log on to ADFS-RESOURCE as cpandl\adfsadmin
or another user account in the local Administrators group.
2. Click Start, point to
Administrative Tools, and then click Active
Directory Federation Services.
3. If the User Account Control
dialog box appears, confirm that the action it displays is what you want, and
then click Continue.
4. Expand Federation Services,
expand Trust Policy, and then expand My
Organization.
5. Right-click Applications,
point to New, and then click Application.
6. On the Welcome to the Add
Application Wizard, click Next.
7. Select the Claims-aware application
option, and then click Next.
8. In the Application display
name box, type External
SharePoint Web site.
9. In the Application URL
box, type https://external-sps.cpandl.com,
and then click Next.
10. Select the E-mail
check box, and then click Next.
11. Select the Enable this
application check box, and then click Next.
12. Click Finish.
· Step 2: Configuring Office SharePoint 2007 to work with AD FS
To configure Office SharePoint Server 2007 to work with
AD FS, several steps must be completed:
· Add
a claims-aware Windows application for the external Web site.
· Extend
the internal Office SharePoint Server 2007 Web site.
· Add
a Secure Sockets Layer (SSL) certificate to the external Web site.
· Configure
the authentication provider on the external Web site.
· Edit
the web.config file on the internal Web site.
· Add
Terrence Philip to the default document library.
· Edit
the web.config file on the external Web site.
First, extend the existing internal Web site, created
earlier in this guide, and add it to the
Extranet zone.
To extend the internal Office
SharePoint 2007 Web site and add it to the Extranet zone on SPS-SRV.
1. Log on to SPS-SRV as cpandl\administrator
or another user account in the local Administrators group.
2. Click Start, point to
Administrative Tools, and then click SharePoint
3.0 Central Administration.
3. Click Application Management,
click Create or Extend Web application, and then click Extend an existing Web application.
4. Select the Create a new Web
site option, and then type External
Users Web site in the Description box.
5. In the Web Application
box, click Change Web Application, and then click http://sps-srv.
6. In the Port box, type
443.
7. In the Host header
box, type external-sps.cpandl.com.
8. In the Secure Sockets Layer
(SSL) box, select the Yes option.
9. In the URL box, type https://external-sps.cpandl.com.
10. In the Zone box, click
Extranet.
11. Click OK.
Before proceeding with this appendix, verify that the
internal Web site was correctly extended. To do this, open the Alternate Access
Mappings and ensure that external-sps.cpandl.com is available.
To verify that the external Web
site is available
1. In the Central Administration 3.0 site,
click Operations.
2. Under the Global
Configuration heading, click Alternate access mappings.
3. Verify that the https://external-sps.cpandl.com
is shown and the Zone is configured for Extranet.
Next, add an SSL certificate to the external-sps.cpandl.com
Web site by using IIS. AD FS requires an SSL connection for all
claims-aware Windows applications.
To add an SSL certificate to the
external Office SharePoint 2007 Web site
1. Click Start, point to
Administrative Tools, and then click Internet
Information Services (IIS) Manager.
2. Expand Web Sites,
right-click External Users Web site, and then click Properties.
3. Click Directory Security,
and then click Server Certificate.
4. On the Welcome to the Web
Server Certificate Wizard page, click Next.
5. Choose whether to import an existing certificate file or request a
new certificate. The certificate's subject name must match the host header
external-sps.cpandl.com, and its issuing CA must be trusted by the client
computers that will connect to the site; otherwise the browser rejects the
SSL connection before AD FS can redirect the user.
6. After the certificate is installed, close
the External Users Web site properties sheet.
Next, configure the authentication provider on the external
Web site to use Web Single Sign On (SSO).
To configure the authentication
provider of the Extranet Web application to use Web SSO
1. Click Start, point to
Administrative Tools, and then click SharePoint
3.0 Central Administration, and then click Application
Management.
2. Under the Application
Security heading, click Authentication providers.
3. In the Web application
box, click Change Web Application, and then click SharePoint - 80.
4. Click Extranet.
5. For Authentication Type,
select the Web single sign on option.
6. In the Membership provider
name box, type SingleSignOnMembershipProvider2.
7. In the Role manager
name box, type SingleSignOnRoleProvider2.
8. For Enable client
integration, select the No option, and then
click Save.
Next, configure the internal Web application to accept
claims from the external Web site by editing the web.config file for the
internal Web site:
To configure the internal Web site
to accept claims from the external Web site
1. Navigate to
C:\inetpub\wwwroot\wss\VirtualDirectories\80.
2. Right-click web.config,
and then click Open.
3. Select the Select the
program from a list option, click Notepad, clear
the Always use the selected program to open this kind of file
check box, and then click OK.
4. Add the following text under the line that
reads <authentication mode ="Windows" />:
<membership>
  <providers>
    <add name="SingleSignOnMembershipProvider2"
         type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
         fs="https://adfs-resource.cpandl.com/adfs/fs/federationserverservice.asmx" />
  </providers>
</membership>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
  <providers>
    <remove name="AspNetSqlRoleProvider" />
    <add name="SingleSignOnRoleProvider2"
         type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
         fs="https://adfs-resource.cpandl.com/adfs/fs/federationserverservice.asmx" />
  </providers>
</roleManager>
5. Click File, and then
click Save.
6. Close Notepad.
7. At a command prompt, type IISRESET, and then press ENTER.
Next, add Terrence Philip (TREYRESEARCH\tphilip) to the
default document library.
To add Terrence Philip to the
default document library
1. Click Start, point to
All Programs, and then click Internet
Explorer.
2. Type http://SPS-SRV
in the address bar, and then click Go. This will open
the default Office SharePoint Server 2007 site that was created during
installation.
3. Click Site Actions,
point to Site Settings, and then click People
and Groups.
4. Click New, and then
click Add Users.
5. In the Users/Groups
box, type tphilip@treyresearch.net,
and then click OK.
Important
If the internal SharePoint Web site is not able to resolve
Terrence Philip using the procedure above, you should ensure all of the previous
steps were completed correctly before continuing through the rest of this
appendix.
Next, edit the web.config file on the external Web site.
Several entries must be made, so each entry is given its own procedure.
To add a new entry in the
<configSections> node
1. Navigate to
C:\inetpub\wwwroot\wss\VirtualDirectories\external-sps.cpandl.com443.
2. Right-click web.config,
and then click Open.
3. Select the Select the
program from a list option, click Notepad, and
then clear the Always use the selected program to open this
kind of file check box.
4. Add the following text in the
<configSections> node:
<sectionGroup name="system.web">
  <section name="websso"
    type="System.Web.Security.SingleSignOn.WebSsoConfigurationHandler, System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" />
</sectionGroup>
5. Click File, and then
click Save.
Add a new entry in the <httpModules> node:
To add a new entry in the
<httpModules> node
1. In the same file as the previous procedure,
add the following line as the last entry in the <httpModules> node:
<add name="Identity Federation Services Application Authentication Module"
  type="System.Web.Security.SingleSignOn.WebSsoAuthenticationModule, System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" />
2. Click File, and then
click Save.
Add a new entry to the <system.web> node:
To add a new entry in the
<system.web> node
1. In the same file as the previous procedure,
add the following under the line that reads <authentication mode="None"/>:
<membership defaultProvider="SingleSignOnMembershipProvider2">
  <providers>
    <add name="SingleSignOnMembershipProvider2"
      type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </providers>
</membership>
<roleManager enabled="true" defaultProvider="SingleSignOnRoleProvider2">
  <providers>
    <add name="SingleSignOnRoleProvider2"
      type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </providers>
</roleManager>
<websso>
  <authenticationrequired />
  <auditlevel>55</auditlevel>
  <urls>
    <returnurl>https://external-sps.cpandl.com</returnurl>
  </urls>
  <fs>https://adfs-resource.cpandl.com/adfs/fs/federationserverservice.asmx</fs>
  <isSharePoint />
</websso>
2. Click File, and then
click Save.
3. Close Notepad.
4. From a command prompt, type IISRESET, and
then press ENTER.
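The provider names typed on the Authentication providers page, the entries added to the internal and external web.config files, and the federation server and return URLs all have to agree, and a single mismatch is enough for the internal site to fail to resolve federated users. As an added check that is not part of the original guide, the Python script below parses the external site's web.config and reports missing or inconsistent entries; it assumes the guide's test-environment names and URLs, and the sample document it checks is constructed here with the assembly-qualified type names shortened.

```python
# Added example (not from the guide): validate the AD FS Web SSO entries in a SharePoint web.config.
import xml.etree.ElementTree as ET

# Values from the guide's test environment; provider names must match Central Administration.
EXPECTED_FS = "https://adfs-resource.cpandl.com/adfs/fs/federationserverservice.asmx"
EXPECTED_RETURN_URL = "https://external-sps.cpandl.com"
MEMBERSHIP_PROVIDER = "SingleSignOnMembershipProvider2"
ROLE_PROVIDER = "SingleSignOnRoleProvider2"
SSO_MODULE = "Identity Federation Services Application Authentication Module"

def check_external_websso(xml_text):
    """Return the problems found; an empty list means the external web.config is consistent."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.find("configSections/sectionGroup[@name='system.web']/section[@name='websso']") is None:
        problems.append("websso section handler missing from <configSections>")
    sw = root.find("system.web")
    if sw is None:
        return problems + ["<system.web> node missing"]
    if SSO_MODULE not in [m.get("name") for m in sw.findall("httpModules/add")]:
        problems.append("Web SSO authentication module missing from <httpModules>")
    # A provider name that differs from the Authentication providers page leaves federated users unresolved.
    for node, provider in (("membership", MEMBERSHIP_PROVIDER), ("roleManager", ROLE_PROVIDER)):
        elem = sw.find(node)
        if (elem is None or elem.get("defaultProvider") != provider
                or elem.find(f"providers/add[@name='{provider}']") is None):
            problems.append(f"<{node}> does not declare and default to {provider}")
    ws = sw.find("websso")
    if ws is None:
        return problems + ["<websso> node missing"]
    if ws.find("authenticationrequired") is None:
        problems.append("<authenticationrequired /> missing from <websso>")
    if (ws.findtext("fs") or "").strip() != EXPECTED_FS:
        problems.append("<fs> does not point to the resource federation server over https")
    if (ws.findtext("urls/returnurl") or "").strip() != EXPECTED_RETURN_URL:
        problems.append("<returnurl> does not match the external Web application")
    return problems

# Constructed sample mirroring the guide's entries (assembly-qualified type names shortened to "...").
SAMPLE_CONFIG = """<configuration>
  <configSections><sectionGroup name="system.web"><section name="websso" type="..." /></sectionGroup></configSections>
  <system.web>
    <httpModules><add name="Identity Federation Services Application Authentication Module" type="..." /></httpModules>
    <membership defaultProvider="SingleSignOnMembershipProvider2"><providers><add name="SingleSignOnMembershipProvider2" type="..." /></providers></membership>
    <roleManager enabled="true" defaultProvider="SingleSignOnRoleProvider2"><providers><add name="SingleSignOnRoleProvider2" type="..." /></providers></roleManager>
    <websso><authenticationrequired /><auditlevel>55</auditlevel><isSharePoint />
      <urls><returnurl>https://external-sps.cpandl.com</returnurl></urls>
      <fs>https://adfs-resource.cpandl.com/adfs/fs/federationserverservice.asmx</fs></websso>
  </system.web>
</configuration>"""
```

Run it against the real file with `check_external_websso(open(path).read())` before issuing IISRESET; an empty list means every entry from the procedures above is in place.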
· Step 3: Verifying AD RMS functionality with Office SharePoint Server 2007 and AD FS.
To verify the functionality of AD RMS using AD FS
and Office SharePoint Server 2007, you log on to ADRMS-CLNT as Nicole Holliday,
create a new Microsoft Word 2007 document, and upload it to the Office SharePoint
Server 2007 site into a rights-enabled document library configured such that
users who download the document will be able to read it but will not be able to
print it. You then log on to ADRMS-CLNT2 as Terrence Philip, download the
document from the Office SharePoint Server 2007 site and verify that the
ability to print the document has been restricted.
Before you can consume rights-protected content, you must
add the external Web application (external-sps.cpandl.com) to the Local
Intranet security zone on ADRMS-CLNT2.
To add external-sps.cpandl.com to
Local Intranet security zone
1. Log on to ADRMS-CLNT2 as Terrence Philip
(TREYRESEARCH\tphilip).
2. Click Start, click All Programs, and then click Internet Explorer.
3. Click Tools, and then
click Internet Options.
4. Click the Security
tab, click Local intranet, and then click Sites.
5. Click Advanced.
6. In the Add this website to
the zone box, type https://external-sps.cpandl.com,
and then click Add.
7. Click Close.
Next, log on to ADRMS-CLNT as Nicole Holliday and create a
Microsoft Word 2007 document and upload it to the Office SharePoint Server
2007 site.
To create and upload a Microsoft
Word document for testing
1. Click Start, point to
All Programs, point to Microsoft Office,
and then click Microsoft Office Word 2007.
2. Type This
document is read-only. You cannot print it. in the new document, click
the Microsoft Office Button, click Save
As, and then save the file as ADRMS-TST.docx to a location on
ADRMS-CLNT. This document will be uploaded to the Office SharePoint Server
2007 document library.
Note
Since Nicole Holliday is the author of this
document, she will have full rights to the document, regardless of the
AD RMS rights that are applied to it.
3. Close Microsoft Office Word 2007.
4. Click Start, point to
All Programs, and then click Internet
Explorer.
5. Type http://SPS-SRV/ in the address bar, and then click Go.
6. Click Document Center,
and then click Documents.
7. Click Upload, click Upload Document, click Browse to locate
and select ADRMS-TST, and then click Open.
8. Click OK to upload
the file, and then click Check In.
By uploading the document into this library, the
document receives the restrictions set on the library.
9. Log off as Nicole Holliday.
Finally, log on to ADRMS-CLNT2 as Terrence Philip and open
the document from the external Office SharePoint Server 2007 site.
To open a protected document
1. Log on to ADRMS-CLNT2 as Terrence Philip
(TREYRESEARCH\tphilip).
2. Click Start, click All Programs, and then click Internet Explorer.
3. Type https://external-sps.cpandl.com/
in the address bar, and then click Go.
4. Click Document Center,
and then click Documents.
5. Click ADRMS-TST, and then click OK to open the document as Read Only.
6. The following message will appear: "Permission to this document is currently restricted. Microsoft
Office must connect to https://adrms-srv.cpandl.com/_wmcs/licensing to verify
your credentials and download your permission."
7. Click OK.
8. The following message will appear: "Verifying your credentials for opening content with restricted
permissions".
9. Click OK in the full
screen reading view message, and then click Close to
close the full screen reading view.
10. Click the Microsoft Office button. The Print command is disabled.
You have successfully deployed, integrated, and demonstrated
the functionality of AD RMS, AD FS, and Office SharePoint Server
2007, using the simple scenario of uploading a Microsoft Office Word 2007
document to an Office SharePoint Server 2007 site. You can also use this
deployment to explore some of the additional capabilities of AD RMS
through additional configuration and testing.