Abstract
This step-by-step guide provides instructions for deploying Microsoft Office SharePoint Server
2007 in an Active Directory Rights Management Services (AD RMS) environment. It includes the
necessary information for installing and configuring Office SharePoint Server 2007 in the newly
created AD RMS infrastructure, and verifying that Office SharePoint Server 2007 documents can
be rights-protected and consumed. In the appendix of this guide, you can also configure Office
SharePoint Server 2007 to work with Active Directory Federation Services (ADFS) and AD RMS.
Copyright Information
This document is provided for informational purposes only and Microsoft makes no warranties,
either express or implied, in this document. Information in this document, including URL and other
Internet Web site references, is subject to change without notice. The entire risk of the use or the
results from the use of this document remains with the user. Unless otherwise noted, the example
companies, organizations, products, domain names, e-mail addresses, logos, people, places, and
events depicted herein are fictitious, and no association with any real company, organization,
product, domain name, e-mail address, logo, person, place, or event is intended or should be
inferred. Complying with all applicable copyright laws is the responsibility of the user. Without
limiting the rights under copyright, no part of this document may be reproduced, stored in or
introduced into a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without the express
written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
© 2008 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, MS-DOS, SharePoint, Vista, Windows, Windows NT, and
Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
All other trademarks are property of their respective owners.
Contents
Deploying Active Directory Rights Management Services with Microsoft Office SharePoint Server 2007 Step-By-Step Guide ........ 5
About this Guide ........ 5
What This Guide Does Not Provide ........ 6
Deploying AD RMS in a Test Environment ........ 6
Step 1: Installing and Configuring SPS-SRV ........ 7
Configure the Office SharePoint Server (SPS-SRV) ........ 8
Install Office SharePoint Server 2007 ........ 10
Step 2: Configuring AD RMS to Work with SPS-SRV ........ 11
Step 3: Verifying AD RMS Functionality using ADRMS-CLNT ........ 13
Appendix A: Configuring Active Directory Federation Services to work with Office SharePoint Server 2007 ........ 15
About this Appendix ........ 15
Configuring AD FS to work with Office SharePoint Server 2007 in a Test Environment ........ 16
Step 1: Setting up the infrastructure ........ 18
Step 2: Configuring Office SharePoint 2007 to work with AD FS ........ 20
Step 3: Verifying AD RMS functionality with Office SharePoint Server 2007 and AD FS ........ 25
An AD RMS server
An AD RMS-enabled client
In this guide, you will create a test deployment that includes an Office SharePoint Server 2007
server.
Office SharePoint Server 2007 provides an easy way to collaborate on documents by posting
them to an Office SharePoint Server 2007 site so that they can be accessed over the corporate
network. The goal of integrating an Office SharePoint Server 2007 deployment with an AD RMS
infrastructure is to be able to protect documents that are downloaded from the Office SharePoint
Server 2007 server by users of any given organization.
Note
Integrating Office SharePoint Server 2007 with AD RMS does not protect the documents
while they are on the server. When a document is uploaded to an Office SharePoint
Server 2007 site, the server removes all protection until a download request is received
by the Office SharePoint Server 2007 server. At this time, the Office SharePoint Server
2007 server applies the appropriate restrictions to the document before it is downloaded
to the client computer.
An overview of AD RMS. For more information about the advantages that AD RMS can bring
to your organization, see http://go.microsoft.com/fwlink/?LinkId=84726.
Guidance for integrating Office SharePoint Server 2007 with AD RMS in a production
environment.
Complete information about Office SharePoint Server 2007. For more information, see
http://go.microsoft.com/fwlink/?LinkId=74460.
Upload this document to the Office SharePoint Server 2007 document library.
Have an authorized user in the CPANDL domain open and work with the document.
The test environment described in this guide includes five computers connected to a private
network and using a clean installation of the following operating systems, applications, and
services:
Computer Name        Operating System
CPANDL-DC
ADRMS-SRV
ADRMS-DB
SPS-SRV
                     Windows Vista
Note
Before installing and configuring the components in this guide, you should verify that your
hardware meets the minimum requirements for AD RMS
(http://go.microsoft.com/fwlink/?LinkId=84733).
The computers form a private intranet and are connected through a common hub or Layer 2
switch. This configuration can be emulated in a virtual server environment if desired. This
step-by-step exercise uses private addresses throughout the test lab configuration. The private
network ID 10.0.0.0/24 is used for the intranet. The domain controller is named CPANDL-DC for
the domain named cpandl.com. The following figure shows the configuration of the test
environment:
Use the following table as a reference when setting up the appropriate computer name, operating
system, and network settings that are required to complete the steps in this guide.
Important
Before you configure your computers with static Internet Protocol (IP) addresses, we
recommend that you first complete Windows product activation while each of your
computers still has Internet connectivity. You should also install any available critical
security updates from Windows Update (http://go.microsoft.com/fwlink/?LinkID=47370).
Computer name    IP settings                      DNS settings
SPS-SRV          IP address: 10.0.0.6             10.0.0.1
                 Subnet mask: 255.255.255.0
Note
If you are using a self-signed certificate for your AD RMS cluster, you must import it into
the Trusted Certification Authorities certificate store on SPS-SRV before you can
consume rights-protected content.
Add the Office SharePoint Server 2007 site to the Local Intranet Internet Explorer zone.
Add three user accounts, CPANDL\Administrator, Nicole Holliday, and Stuart Railson, to the
SharePoint site.
Add the Office SharePoint Server 2007 server to the AD RMS server certification pipeline.
First, add the Office SharePoint Server 2007 site to the Internet Explorer Local Intranet zone on
the Office SharePoint Server 2007 computer.
To add SPS-SRV to Local Intranet
1. Log on to SPS-SRV as cpandl\administrator.
2. Click Start, point to Control Panel, and then click Internet Options.
3. Click the Security tab, click Local Intranet, and then click the Sites button.
4. Type http://SPS-SRV, and then click Add.
5. Click Close, and then click OK.
Next, give Nicole Holliday and Stuart Railson access to the SharePoint site so that the Office
SharePoint Server 2007 integration with AD RMS can be verified later in this guide:
Administration.
3. Click Operations, and then click Information Rights Management.
4. Select the Use the default RMS server specified in Active Directory option, and then
click OK.
Create an Office SharePoint Server 2007 permission policy on the default document library. This
permission policy will be used to restrict the ability to print any documents that are uploaded to
the document library:
To restrict permissions using AD RMS
1. Log on as cpandl\Administrator.
2. Click Start, point to All Programs, and then click Internet Explorer.
3. Type http://SPS-SRV in the address bar, and then click Go.
4. Click Document Center, click Documents, click Settings, and then click Document
Library Settings.
5. Under the Permissions and Management heading, click Information Rights
Management.
6. Select the Restrict permission to documents in this library on download check box.
7. Type CPANDL Protected in the Permissions policy title box.
8. Type Restrict CPANDL employees from printing in the Permission policy
description box.
9. Click OK.
Note
Office SharePoint Server 2007 will automatically apply AD RMS rights to the document
when it is downloaded from the Office SharePoint Server 2007 site. These rights are
determined by the Office SharePoint Server 2007 group membership for that site. For
example, a user who is in the Visitors Office SharePoint Server 2007 group will not be
able to modify the document when it is downloaded from the Office SharePoint Server
2007 site.
Before you can consume rights-protected content, you must add SPS-SRV to the Local Intranet
security zone.
To add SPS-SRV to Local Intranet security zone
1. Log on to ADRMS-CLNT as Nicole Holliday (CPANDL\nhollida).
2. Click Start, click All Programs, and then click Internet Explorer.
3. Click Tools, and then click Internet Options.
4. Click the Security tab, click Local intranet, and then click Sites.
5. Click Advanced.
6. In the Add this website to the zone, type http://sps-srv, and then click Add.
7. Click Close.
8. Repeat steps 1 through 7 for Stuart Railson (CPANDL\srailson).
Next, log on as Nicole Holliday, create a Microsoft Word 2007 document, and upload it to the
Office SharePoint Server 2007 site.
To create and upload a Microsoft Word document for testing
1. Click Start, point to All Programs, point to Microsoft Office, and then click Microsoft
Office Word 2007.
2. Type This document is read-only. You cannot print it. in the new document, click the
Microsoft Office Button, click Save As, and then save the file as ADRMS-TST.docx to
a location on ADRMS-CLNT. This document will be uploaded to the Office SharePoint
Server 2007 document library.
Note
Since Nicole Holliday is the author of this document, she will have full rights to
the document, regardless of the AD RMS rights that are applied to it.
3. Close Microsoft Office Word 2007.
4. Click Start, point to All Programs, and then click Internet Explorer.
5. Type http://SPS-SRV/ in the address bar, and then click Go.
6. Click Document Center, and then click Documents.
7. Click Upload, click Upload Document, click Browse to locate and select ADRMS-TST,
and then click Open.
8. Click OK to upload the file, and then click Check In.
By uploading the document into this library, the document receives the restrictions set on
the library.
9. Log off as Nicole Holliday.
Finally, log on as Stuart Railson and open the document from the Office SharePoint Server 2007
site.
Using Identity Federation with Active Directory Rights Management Services Step-by-Step
Guide (http://go.microsoft.com/fwlink/?LinkId=72135)
The first three steps of Deploying Active Directory Rights Management Services with
Microsoft Office SharePoint Server 2007 Step-By-Step Guide
In this appendix, you will configure the test environment configured in the step-by-step guides
referenced above to include federated support for Office SharePoint Server 2007.
Have an authorized user in the TREYRESEARCH.NET domain open and work with the
document.
The test environment described in this guide includes nine computers connected to a private
network and using the following operating systems, applications, and services:
Computer Name        Operating System
CPANDL-DC
TREY-DC
    Note
    Domain controllers running Windows 2000 Server with Service Pack 4 can be used.
    However, in this step-by-step guide it is assumed that you will be using domain
    controllers running Windows Server 2003 with SP1.
ADRMS-SRV
SPS-SRV              AD FS claims-aware agent, Office SharePoint Server 2007
    Important
    Windows Server 2003 R2 with SP2 is required for federation support to work with
    Office SharePoint Server 2007.
ADRMS-CLNT
ADRMS-CLNT2
ADFS-RESOURCE
                     Windows Vista
ADFS-ACCOUNT
The computers form two private intranets and are connected through a common hub or Layer 2
switch. This configuration can be emulated in a virtual server environment, if desired. This
appendix exercise uses private addresses throughout the test lab configuration. The private
network ID 10.0.0.0/24 is used for the intranet. The domain controller for the domain named
cpandl.com is CPANDL-DC and the domain controller for the domain name treyresearch.net is
TREY-DC. The following figure shows the configuration of the test environment:
Add a DNS host name record to the CPANDL.COM domain so that federated users can
access the Office SharePoint Server 2007 Web site.
Note
Windows Server 2003 with SP2 is required for AD FS and Office SharePoint Server 2007
to work together. To download Windows Server 2003 with SP2, see
http://go.microsoft.com/fwlink/?LinkId=98598.
First, add the claims-aware application Windows component. This component is required for
AD FS and interfaces with the AD FS federation servers to submit claims.
To add the claims-aware applications Windows component
1. Log on to SPS-SRV as cpandl\administrator or another user account in the local
Administrators group.
2. Click Start, point to Control Panel, click Add or Remove Programs, and then click
Add/Remove Windows Components.
3. Click Active Directory Services, and then click Details.
4. Click Active Directory Federation Services (ADFS), and then click Details.
5. Click ADFS Web Agents, and then click Details.
6. Select the Claims-aware applications check box, and then click OK three times.
7. Click Next.
Note
You will be asked for the Windows Server 2003 R2 product CD in order to
complete the installation of the claims-aware applications Windows component.
8. Click Finish to complete the installation.
Next, a DNS host name record is required in the CPANDL.COM domain so that federated
users in the TREYRESEARCH.NET domain can access the Office SharePoint Server 2007 Web
site.
To create a DNS host name record for the external Office SharePoint Server 2007 Web
site
1. Log on to CPANDL-DC as cpandl\administrator or another user account in the local
Administrators group.
2. Click Start, point to Administrative Tools, and then click DNS.
3. Expand Forward Lookup Zones, right-click CPANDL-DC, and then click New Host (A).
4. In the Name box, type external-sps.
5. In the IP Address box, type 10.0.0.6, and then click Add Host.
6. Click OK, confirming that the host record was successfully created.
7. Click Done.
Finally, add the external SharePoint Web site as a claims-aware Windows application on
ADFS-RESOURCE. This should be done before a user is added to the document library.
Add a Secure Sockets Layer (SSL) certificate to the external Web site.
First, extend the existing internal Web site, created earlier in this guide, and add it to the Extranet
zone.
To extend the internal Office SharePoint 2007 Web site and add it to the Extranet zone
on SPS-SRV.
1. Log on to SPS-SRV as cpandl\administrator or another user account in the local
Administrators group.
2. Click Start, point to Administrative Tools, and then click SharePoint 3.0 Central
Administration.
3. Click Application Management, click Create or Extend Web application, and then
click Extend an existing Web application.
4. Select the Create a new Web site option, and then type External Users Web site in the
Description box.
5. In the Web Application box, click Change Web Application, and then click http://sps-srv.
6. In the Port box, type 443.
7. In the Host header box, type external-sps.cpandl.com.
8. In the Secure Sockets Layer (SSL) box, select the Yes option.
9. In the URL box, type https://external-sps.cpandl.com.
10. In the Zone box, click Extranet.
11. Click OK.
Before proceeding with this appendix, verify that the internal Web site was correctly extended. To
do this, open the Alternate Access Mappings and ensure that external-sps.cpandl.com is
available.
To verify that the external Web site is available
1. In the Central Administration 3.0 site, click Operations.
2. Under the Global Configuration heading, click Alternate access mappings.
3. Verify that the https://external-sps.cpandl.com is shown and the Zone is configured for
Extranet.
Next, add an SSL certificate to the external-sps.cpandl.com Web site by using IIS. AD FS
requires an SSL connection for all claims-aware Windows applications.
To add an SSL certificate to the external Office SharePoint 2007 Web site
1. Click Start, point to Administrative Tools, and then click Internet Information Services
(IIS) Manager.
2. Expand Web Sites, right-click External Users Web site, and then click Properties.
3. Click Directory Security, and then click Server Certificate.
4. On the Welcome to the Web Server Certificate Wizard page, click Next.
5. Choose whether to import from an existing certificate file or request a new certificate.
6. After the certificate is imported, close the External Users Web site properties sheet.
Next, configure the authentication provider on the external Web site to use Web Single Sign On
(SSO).
To configure the authentication provider of the Extranet Web application to use Web
SSO
1. Click Start, point to Administrative Tools, and then click SharePoint 3.0 Central
Administration, and then click Application Management.
2. Under the Application Security heading, click Authentication providers.
3. In the Web application box, click Change Web Application, and then click SharePoint
- 80.
4. Click Extranet.
5. For Authentication Type, select the Web single sign on option.
6. In the Membership provider name box, type SingleSignOnMembershipProvider2.
7. In the Role manager name box, type SingleSignOnRoleProvider2.
8. For Enable client integration, select the No option, and then click Save.
Next, configure the internal Web application to accept claims from the external Web site by
editing the web.config file for the internal Web site:
To configure the internal Web site to accept claims from the external Web site
1. Navigate to C:\inetpub\wwwroot\wss\VirtualDirectories\80.
2. Right-click web.config, and then click Open.
3. Select the Select the program from a list option, click Notepad, clear the Always use
the selected program to open this kind of file check box, and then click OK.
4. Add the following text under the line that reads <authentication mode="Windows" />:

   <membership>
     <providers>
       <add name="SingleSignOnMembershipProvider2"
         type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
         fs="https://adfs-resource.cpandl.com/adfs/fs/federationserverservice.asmx" />
     </providers>
   </membership>

       </providers>
     </roleManager>

       <section name="websso"
         type="System.Web.Security.SingleSignOn.WebSsoConfigurationHandler, System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" />
     </sectionGroup>

     <providers>
       <add name="SingleSignOnMembershipProvider2"
         type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
     </providers>
   </membership>

     <providers>
       <add name="SingleSignOnRoleProvider2"
         type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
     </providers>
   </roleManager>

   <websso>
     <authenticationrequired />
     <auditlevel>55</auditlevel>
     <urls>
       <returnurl>https://external-sps.cpandl.com</returnurl>
     </urls>
     <fs>https://adfs-resource.cpandl.com/adfs/fs/federationserverservice.asmx</fs>
     <isSharePoint />
   </websso>
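The web.config edits above are where a federation setup most often goes wrong in practice: the provider names must match what was typed into Central Administration, every federation service URL must use HTTPS (AD FS refuses plain HTTP for claims-aware applications), and the return URL must point at the extranet web application. The following Python script is an added example, not part of the Microsoft guide, that lints those settings. The embedded web.config is a constructed sample that wraps the guide's fragments in a minimal <configuration> root; the <roleManager> wrapper and the placement of the websso section declaration under configSections are assumptions.

```python
"""Lint the AD FS Web SSO settings in a SharePoint web.config (added example)."""
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

# Provider names as typed into Central Administration in the guide.
MEMBERSHIP_PROVIDER = "SingleSignOnMembershipProvider2"
ROLE_PROVIDER = "SingleSignOnRoleProvider2"
EXTRANET_URL = "https://external-sps.cpandl.com"

# Constructed sample: the guide's fragments wrapped in a minimal <configuration> root.
# The <roleManager> wrapper and the configSections placement are assumptions.
SAMPLE_WEB_CONFIG = """<configuration>
  <configSections>
    <sectionGroup name="system.web">
      <section name="websso" type="System.Web.Security.SingleSignOn.WebSsoConfigurationHandler, System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" />
    </sectionGroup>
  </configSections>
  <system.web>
    <authentication mode="Windows" />
    <membership>
      <providers>
        <add name="SingleSignOnMembershipProvider2" type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" fs="https://adfs-resource.cpandl.com/adfs/fs/federationserverservice.asmx" />
      </providers>
    </membership>
    <roleManager>
      <providers>
        <add name="SingleSignOnRoleProvider2" type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      </providers>
    </roleManager>
    <websso>
      <authenticationrequired />
      <auditlevel>55</auditlevel>
      <urls>
        <returnurl>https://external-sps.cpandl.com</returnurl>
      </urls>
      <fs>https://adfs-resource.cpandl.com/adfs/fs/federationserverservice.asmx</fs>
      <isSharePoint />
    </websso>
  </system.web>
</configuration>
"""


def lint_websso_config(xml_text, membership_name=MEMBERSHIP_PROVIDER,
                       role_name=ROLE_PROVIDER, extranet_url=EXTRANET_URL):
    """Return a list of findings; an empty list means the settings are consistent."""
    root = ET.fromstring(xml_text)
    findings = []

    def require_https(label, url):
        if urlparse(url).scheme.lower() != "https":
            findings.append(f"{label} must use https (AD FS requires SSL): {url}")

    # 1. The websso handler must be declared, otherwise the <websso> element is ignored.
    if root.find("./configSections/sectionGroup[@name='system.web']"
                 "/section[@name='websso']") is None:
        findings.append("websso section is not declared under configSections")

    # 2. Provider names must match the names typed into Central Administration.
    member = root.find(f".//membership/providers/add[@name='{membership_name}']")
    if member is None:
        findings.append(f"membership provider {membership_name} is missing")
    if root.find(f".//roleManager/providers/add[@name='{role_name}']") is None:
        findings.append(f"role provider {role_name} is missing")

    websso = root.find(".//websso")
    if websso is None:
        findings.append("websso element is missing")
        return findings

    # 3. Every federation service URL must be https, and they must all agree.
    fs_urls = set()
    if member is not None and member.get("fs"):
        require_https("membership fs attribute", member.get("fs"))
        fs_urls.add(member.get("fs").strip().lower())
    fs_text = (websso.findtext("fs") or "").strip()
    if not fs_text:
        findings.append("websso/fs is missing")
    else:
        require_https("websso/fs", fs_text)
        fs_urls.add(fs_text.lower())
    if len(fs_urls) > 1:
        findings.append("federation service URLs disagree: " + ", ".join(sorted(fs_urls)))

    # 4. The return URL must be https and point at the extranet web application.
    return_url = (websso.findtext("urls/returnurl") or "").strip()
    if not return_url:
        findings.append("websso/urls/returnurl is missing")
    else:
        require_https("websso/urls/returnurl", return_url)
        if urlparse(return_url).netloc.lower() != urlparse(extranet_url).netloc.lower():
            findings.append(f"returnurl host does not match extranet URL {extranet_url}")

    # 5. The agent must demand authentication and know that it fronts SharePoint.
    for flag in ("authenticationrequired", "isSharePoint"):
        if websso.find(flag) is None:
            findings.append(f"websso/{flag} is missing")
    return findings


def misconfigured_sample():
    """Constructed variant: hostname typo 'adfsresource' in one place and an http return URL."""
    return (SAMPLE_WEB_CONFIG
            .replace('fs="https://adfs-resource.', 'fs="https://adfsresource.', 1)
            .replace("<returnurl>https://", "<returnurl>http://", 1))


if __name__ == "__main__":
    for label, cfg in (("lab sample", SAMPLE_WEB_CONFIG), ("typo sample", misconfigured_sample())):
        issues = lint_websso_config(cfg)
        print(f"{label}: {'OK' if not issues else ''}")
        for issue in issues:
            print("  -", issue)
```

Run it against the real file with the path the guide gives (C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config) by reading the file into `lint_websso_config`; the constructed "typo sample" shows the two findings a mismatched federation service hostname and an http return URL produce.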
5. Click Advanced.
6. In the Add this website to the zone, type https://external-sps.cpandl.com, and then
click Add.
7. Click Close.
Next, log on to ADRMS-CLNT as Nicole Holliday and create a Microsoft Word 2007 document
and upload it to the Office SharePoint Server 2007 site.
To create and upload a Microsoft Word document for testing
1. Click Start, point to All Programs, point to Microsoft Office, and then click Microsoft
Office Word 2007.
2. Type This document is read-only. You cannot print it. in the new document, click the
Microsoft Office Button, click Save As, and then save the file as ADRMS-TST.docx to
a location on ADRMS-CLNT. This document will be uploaded to the Office SharePoint
Server 2007 document library.
Note
Since Nicole Holliday is the author of this document, she will have full rights to
the document, regardless of the AD RMS rights that are applied to it.
3. Close Microsoft Office Word 2007.
4. Click Start, point to All Programs, and then click Internet Explorer.
5. Type http://SPS-SRV/ in the address bar, and then click Go.
6. Click Document Center, and then click Documents.
7. Click Upload, click Upload Document, click Browse to locate and select ADRMS-TST,
and then click Open.
8. Click OK to upload the file, and then click Check In.
By uploading the document into this library, the document receives the restrictions set on
the library.
9. Log off as Nicole Holliday.
Finally, log on to ADRMS-CLNT2 as Terrence Philip and open the document from the external
Office SharePoint Server 2007 site.
To open a protected document
1. Log on to ADRMS-CLNT2 as Terrence Philip (TREYRESEARCH\tphilip).
2. Click Start, click All Programs, and then click Internet Explorer.
3. Type https://external-sps.cpandl.com/ in the address bar, and then click Go.
4. Click Document Center, and then click Documents.
5. Click ADRMS-TST, and then click OK to open the document as Read Only.
6. The following message will appear: "Permission to this document is currently
restricted. Microsoft Office must connect to https://adrms