Federated Document Collaboration Using

Microsoft Office SharePoint Server 2007 and

AD FS 2.0
Microsoft Corporation
Published: May 2010
Author: Tariq Sharif, Brad Mahugh
Editor: Jim Becker
Technical reviewers: Stuart Kwan, James Wong

Abstract
This guide provides instructions for using Active Directory Federation Services (AD FS) 2.0 in a
small test lab environment. The purpose is to demonstrate how two fictitious companies can
collaborate on documents using a federated trust that provides claims-based access using
AD FS 2.0. The instructions in this guide should take approximately 90 minutes to complete.
This document is provided "as-is". Information and views expressed in this document, including
URL and other Internet Web site references, may change without notice. You bear the risk of
using it.
Some examples depicted herein are provided for illustration only and are fictitious. No real
association or connection is intended or should be inferred.
This document does not provide you with any legal rights to any intellectual property in any
Microsoft product. You may copy and use this document for your internal, reference purposes.
You may modify this document for your internal, reference purposes.
© 2010 Microsoft Corporation. All rights reserved.
Active Directory, Microsoft, MS-DOS, Visual Basic, Visual Studio, Windows, Windows NT,
Windows Server, and Windows Vista are either registered trademarks or trademarks of
Microsoft Corporation in the United States and/or other countries. All other trademarks are
property of their respective owners.
Contents
Federated Document Collaboration Using Microsoft Office SharePoint Server 2007 and AD FS
2.0 ................................................................................................................................................ 4
About this guide............................................................................................................................ 4

Scenario Overview........................................................................................................................... 5
About the fictional companies ................................................................................................... 5
About the lab configuration ....................................................................................................... 5
About the fictional employees ................................................................................................... 6
About the scenario .................................................................................................................... 7

Preinstallation Tasks ..................................................................................................................... 11

Download and extract VMs ........................................................................................................ 11
Create a new virtual network .................................................................................................. 12
Import and start virtual machines ............................................................................................ 12

Step 1: Set Microsoft Office SharePoint Server 2007 to accept tokens from the Contoso
federation server ........................................................................................................................ 14

Step 2: Add the Domain Admins group as Administrator for the SharePoint site ......................... 15

Step 3: Configure the Contoso federation server to issue tokens to the SharePoint site ............. 20

Step 4: Add new roles to the SharePoint site ................................................................................ 24

Step 5: Configure the Contoso federation server to accept tokens from the Fabrikam federation
server ......................................................................................................................................... 33

Step 6: Configure Fabrikam to federate and issue tokens to Contoso .......................................... 41

Step 7: Access the SharePoint site ............................................................................................... 48

Step 8: Configure the Contoso federation server to get values from a SQL data store ................ 50

Step 9: Configure AD RMS for digitally protecting documents ...................................................... 61

Install the AD FS Web Agent .................................................................................................. 61
Install AD RMS Role Services ................................................................................................ 64

Step 10: Configure a SharePoint document library for stronger authentication ............................ 90

Step 11: Configure AD FS 2.0 on ContosoSrv01 to deny tokens to users.................................... 93

Federated Document Collaboration Using
Microsoft Office SharePoint Server 2007 and
AD FS 2.0
This guide walks you through setup of a small test lab environment that you can use to evaluate
the next generation of Microsoft® federated identity technologies. This guide is intended for
information technology (IT) professionals and system architects who want to implement secure
collaboration between organizations using Microsoft Office SharePoint® Server 2007 and
Active Directory® Federation Services (AD FS) 2.0. This guide provides a quick demonstration of
the features, functionality, and interoperability capabilities of AD FS 2.0 and Windows® Identity
Foundation (WIF). The instructions in this guide should take approximately 90 minutes or less to
complete.

About this guide

This guide provides instructions for setting up federated identity technologies in a small test lab
with virtual servers and a Hyper-V™-enabled host server computer running the Windows
Server® 2008 R2 operating system. The purpose of this guide is to describe a solution that uses
the federated identity capabilities of Windows-based federated identity technologies to meet the
demands of a fictional business-to-business (B2B) scenario with the following requirements:
Two companies have a business partner relationship. One of the companies, Contoso
Pharmaceuticals, wants to give access to a SharePoint site that it hosts to some of the
employees of the other company, Fabrikam. Traditionally, this might have required administrators
at Contoso to create new Active Directory user accounts to provide the required access for the
Fabrikam partner employees. Another potential consequence of the SharePoint-based
collaboration is that the SharePoint site itself requires configuration so that participating users of
both companies can have the appropriate level of site access.
To maximize your chances of completing the objectives of this guide successfully, it is important
that you do all of the following:
 Complete the steps in this guide in the order in which they are presented.
 Use the exact computer, user, group, company, claim, and domain names that this guide
specifies.

Important
Any modifications that you make to the configuration details in this guide may affect or
limit your chances of setting up this lab successfully the first time.
Microsoft has tested this guide successfully using Windows Server 2008 Hyper-V virtualization
technology.
The instructions in this guide should take approximately 90 minutes or less to complete. Your
time to complete the steps in this guide may vary, depending on whether you have to set up a
computer that is suitable for hosting the virtual lab environment.

Scenario Overview
This section includes background information about the fictional companies in this document. It
also identifies their business goals and briefly describes the technologies that are used to achieve
these goals.

About the fictional companies

The following fictional companies and their business needs are used in this guide:
 Contoso Pharmaceuticals: An international pharmaceutical supply company that
specializes in manufacturing prescription drugs for its health management organization
(HMOs) customers inside and outside the United States. In a strategic effort to meet the
drug-ordering demands of its customers, the IT department at Contoso has been given the
task of developing and deploying a secure, Internet-accessible, SharePoint application that
must also provide multiple levels of access for various internal users (Contoso employees)
and external partner users at Fabrikam. To minimize the costs that are associated with
maintaining the SharePoint application, the IT department must also make sure that the
application does not have to use and maintain an additional account store so that internal and
external users can access the application.
 Fabrikam: A manufacturer of cost-efficient, wholesale pharmaceutical and chemical
manufacturing supplies that is known worldwide for providing low-price supplies to drug
manufacturers. Although sales have been accelerating consistently year after year for this
company, there is a noticeable increase in errors in the inventory that has caused returns,
reshipments, or adjustments to their key business partners such as Contoso. So that
Fabrikam can maintain its strong partnership and achieve its goals for a high level of service
with Contoso, Fabrikam decides to partner closely with Contoso for the purpose of
completing an upcoming drug trial audit process for a new medication that Contoso currently
has under development. To accomplish this goal, some Fabrikam employees need varying
levels of access to the SharePoint site at Contoso.

About the lab configuration

To facilitate the partnership between the two companies and to enable managed, claims-based
access (CBA) to the SharePoint site, the following federation configuration is used.
About the fictional employees
The fictional employees in the following table are used throughout the scenario in this document.
You will log on to the test lab virtual machines to simulate the various federated identity and
claims-based access scenarios in this guide and test different levels of access to the SharePoint
application.
Employee Role Company

Daniel Weisman Drug Trial Administrator Contoso Pharmaceuticals

Frank Miller Drug Trial Process Auditor Fabrikam Suppliers

About the scenario

For this scenario, Microsoft Office SharePoint Server 2007 is the application of choice to facilitate
the business partnership between the two companies, Contoso Pharmaceuticals and Fabrikam
Suppliers. For SharePoint site access, Microsoft Office SharePoint Server 2007 requires roles
and or user’s user names so that it can grant access to its resources. In many enterprise
SharePoint deployments today, customers such as Contoso and Fabrikam use Active Directory
or Active Directory Domain Services (AD DS) to obtain the role and user information that is
necessary to manage and authorize access to the SharePoint Web site. In this scenario, we are
going to configure Microsoft Office SharePoint Server 2007 to obtain the role and user
information from AD FS 2.0 instead of from Active Directory data for authorization purposes.
Next, we will use AD FS 2.0 in the Contoso domain to control which roles are sent to Microsoft
Office SharePoint Server. We will also configure a second AD FS 2.0 instance in the Fabrikam
domain, to establish a federated trust relationship between the Fabrikam and Contoso domains.
After this trust is established across the domains, we will also configure AD FS 2.0 in the Contoso
domain to use an alternative external database as the source of the role information that it uses
for SharePoint authorization. For this part of the scenario demonstration, the database that we
use will be a Microsoft SQL Server® database.
The following tables briefly describe each step in this scenario, identify the user experience at
that step in the scenario, and provide a link to the location in this guide for the instructions for
completing that step. The entire guide includes eight steps.

Using AD FS 2.0 to provide role and user access to the SharePoint site
In steps 1 through 4, we configure Microsoft Office SharePoint Server 2007 to use AD FS 2.0
instead of Active Directory or AD DS for obtaining role and user information. In addition, we
configure AD FS 2.0 in the Contoso domain to issue role and user information to the SharePoint
site.

Steps Step title Description

Step 1 Set Microsoft Office For Contoso Pharmaceuticals, this

SharePoint Server 2007 to step demonstrates:
accept tokens from the  The IT pro experience for
Contoso federation server configuring Microsoft
Office SharePoint Server 2007 to
Steps Step title Description
use AD FS 2.0 as a centralized
authentication provider.

Step 2 Add the Domain Admins For Contoso Pharmaceuticals, this

group as Administrator for
the SharePoint site
step demonstrates:
 The IT pro experience of giving
access to the SharePoint site
based on the role information that
AD FS 2.0 provides.

Step 3 Configure the Contoso For Contoso Pharmaceuticals, this

federation server to issue
tokens to the SharePoint site
step demonstrates:
 The IT pro experience that is
necessary to add a new relying
party (the SharePoint site) to an
existing AD FS 2.0 deployment
and to issue tokens with specific
claims in it.

Step 4 Add new roles to the For Contoso Pharmaceuticals, this

SharePoint site step demonstrates:
 The IT pro experience of giving
access to a SharePoint site by
using claims that AD FS 2.0
issues.

Establishing a federated trust between two companies by using AD FS 2.0

In steps 5 through 7, we configure AD FS 2.0 to establish a federated trust relationship between
the two companies. We also configure AD FS 2.0 to determine which roles are sent to the
SharePoint server. After configuring these updates, we will then verify the authorization changes
for both administrators and visitors to the site.

Steps Step title Description

Step 5 Configure the Contoso For Contoso Pharmaceuticals,

federation server to accept
tokens from the Fabrikam
federation server
this step demonstrates:
 The IT pro experience of
configuring a federation
server at Contoso to
establish one side of the
Steps Step title Description
federated trust by enabling it
to accept tokens from a
partner federation server at
Fabrikam.

Step 6 Configure Fabrikam to For Fabrikam Suppliers, this step

federate and issue tokens to
Contoso
demonstrates:
 The IT pro experience of
configuring a federation
server at Fabrikam to
establish the other side of the
federated trust by enabling it
to issue tokens to a partner
server at Contoso.

Step 7 Access the SharePoint site This step demonstrates:

 The client-side experience
when a user tries to access a
federated resource from a
Web browser or a rich client
application, such as Microsoft
Office Word.

Using a SQL Server database as an alternative to using Active Directory or

AD DS as a data store
In the next step, step 8, we reconfigure AD FS 2.0 to use a Microsoft SQL Server database as an
alternate data store to the Active Directory data store that we used in the previous configurations.

Steps Step title Description

Step 8 Configure the Contoso For Contoso Pharmaceuticals,

federation server to get role
values from a Structured
Query Language (SQL) data
store
this scenario demonstrates:
 The IT pro experience for
providing claims-based
identity to users in which the
values of the claims come
from a SQL Server data store
instead of an Active Directory
database.
Protecting documents and libraries using Active Directory Rights
Management Services
In the next step, step 9, we reconfigure AD FS 2.0 and the SharePoint site to use Active Directory
Rights Management Services (AD RMS) for digital rights management of documents. In step 10,
we configure a second document library that requires stronger authentication type to access.

Steps Step title Description

Step 9 Configure AD RMS for digitally For Contoso Pharmaceuticals,

protecting documents
this scenario demonstrates:
 The IT pro experience for
configuring AD RMS to use
the ADFS Web agent and
AD FS 2.0 for federated
identity support.
For Fabrikam, this scenario
demonstrates:
 The client computer
modifications to enable the
federated support for
AD RMS and the end user
experience of opening and
browsing protected
documents.

Step 10 Configure a SharePoint For Contoso Pharmaceuticals,

document library that requires
stronger authentication
this scenario demonstrates:
 Creation of a new document
library.
 Modification of the
web.config file of the site so
that it requires a stronger set
of credentials to access the
library.

Step 11 Configure AD FS 2.0 to permit For Contoso Pharmaceuticals,

only specific users
this scenario demonstrates:
 Creation of rules in
AD FS 2.0 so that only users
in a specific rule get a token
for the SharePoint server
and others are denied.
Preinstallation Tasks
Before you install AD FS 2.0 to attempt this scenario, you must first set up four virtual machine
(VM) computers that you will use to evaluate AD FS 2.0 in your lab environment.

Note
The following sections assume that you are working with the hands-on lab VM images
that are provided for download on the Microsoft Web site. We recommend downloading
the images if your intent is to evaluate the scenario and AD FS 2.0 technology in the
shortest possible time frame. If you have more time and prefer to do so, you can build
your own VM lab images for each of the four computers. This requires considerably more
time to install and configure all the necessary software. For more information, see How to
Set Up the AD FS 2.0 VM Lab Environment
(http://go.microsoft.com/fwlink/?LinkId=179632).
Preinstallation tasks include the following:
 Download and extract VMs
 Create a new virtual network
 Import and start virtual machines
Administrative credentials
To perform all the tasks in this guide, log on to the virtual server computer—and to each of the
four VMs that you create on it—with the local Administrator account for each computer. Where
applicable, user passwords for accounts that are preconfigured as part of the VM images are
provided.

Download and extract VMs

Note
To utilize the downloadable VM images that are referenced in this guide, you should
import and then and run them using a host server computer running Microsoft Hyper-V™
under Windows Server® 2008 R2.
For the purposes of this step by step guide, if you did not create your own set of VMs, download
the following files from the Microsoft Download Center
(http://go.microsoft.com/fwlink/?LinkId=148506).
 ContosoSrv01.zip
 ContosoSrv02.zip
 FabrikamSrv01.zip
 FabrikamSrv02.zip
 WS2008R2Fullx64Ent.zip
When the download is complete, extract the contents of the .zip files to a folder where the VMs
will reside; for example, extract the folder, ContosoSrv01, which is located in the
ContosoSrv01.zip file to c:\VM\. Repeat the step for Contososrv02, FabrikamSrv01, and
FabrikamSrv02.

Note
For configuring the VMs using the images from the Microsoft Download Center, you will
need 100 GB of available disk space on the computer that you use to host the four VMs
that are referenced in this guide.
WS2008R2Fullx64Ent.zip file contains the base VHD that must be copied to the virtual hard disks
folder of each one of the VMs. For example, for ContosoSrv01, copy the extracted
WS2008R2Fullx64Ent.vhd from WS2008R2Fullx64Ent.zip to c:\VM\ContosoSrv01\Virtual Hard
Disks\ folder. Repeat the same step for ContosoSrv02, FabrikamSrv01, and FabrikamSrv02.

Create a new virtual network

All the VM images (for server computers as well as client computers) are preconfigured to use a
virtual private network (VPN) interface. The following procedure explains how to re-create this
network in Hyper-V to support the use of the VM images in your own test lab environment.

To create the virtual network for the AD FS 2.0 VM lab environment

1. On the host computer, open Hyper-V Manager.
To open Hyper-V Manager, on the Start menu, point to Administrative Tools, and then
click Hyper-V Manager.
2. In Hyper-V Manager, on the Action menu, click Virtual Network Manager.
3. In Virtual Network Manager, click Internal for the type of virtual network that you want to
create, and then click Add.
4. In New Virtual Network, for Name type Internal-Network, verify that for Type the
Internal only option is selected, and then click OK.
Note that the network name is case sensitive and should be entered exactly as provided
above. All four VMs will need to use this network, which will be a "local only" interface. All
four VM images should already be IP configured as described in the following section.

Import and start virtual machines

Note
The downloadable virtual machine (VM) images that are referred to in this guide that are
made available on the Microsoft Download Center can only be imported and run on a
host server computer that is running Microsoft Hyper-V on Windows Server 2008 R2.
The following table describes what is installed, along with the appropriate names and RAM
settings to use for best results when you import the four VMs with Hyper-V.

VM Name RAM Software installed IP configuration

CONTOSOSRV01 1.5 GB Operating system: 10.0.0.1/8

Windows (AD DS, DNS,
Server 2008 R2 AD CS)
Enterprise 10.0.0.20/8
Roles: AD DS, AD CS, (AD FS 2.0)
DNS, AD RMS 10.0.0.30/8 (AD RMS)

FABRIKAMSRV01 1.5 GB Operating system: 10.0.0.101/8

Windows (AD DS, DNS,
Server 2008 R2 AD CS)
Enterprise 10.0.0.120/8
Roles: AD DS, AD CS, (AD FS 2.0)
DNS

CONTOSOSRV02 1.5 GB Operating system: 10.0.0.2/8 (internal)

Windows 10.0.0.40/8 (external)
Server 2008 R2
Enterprise
Applications: Microsoft
Office SharePoint
Server 2007 SP1

FABRIKAMSRV02 1.5 GB Operating system: 10.0.0.110/8

Windows
Server 2008 R2
Enterprise
Applications: Microsoft
Office Professional
2007

To import the AD FS 2.0 lab VMs

1. In Hyper-V Manager, on the Action menu, click Import Virtual Machine.
2. In the Import Virtual Machine dialog box, click Browse.
3. In the Select Folder dialog box, browse and locate the named folder for the VM that you
want to import.
For example, to import the CONTOSOSRV01 VM, navigate to c:\VM and select
 ContosoSrv01 folder and click Select Folder.
4. For the Settings, keep Move or restore the virtual machine setting selected.
5. Click Import to begin importing the VM.

Repeat steps 1 through 4 for all named VMs in the previous table. We recommend that you not
start all four VMs at the same time. Instead, it’s preferable for performance reasons to start each
VM by itself. When the VM is turned on and running, start another VM. Also, the order in which
you start VMs by using Hyper-V Manager is important. For best results, start the four VMs one at
a time in the following order: CONTOSOSVR01, FABRIKAMSRV01, CONTOSOSRV02,
FABRIKAMSRV02.
If, after turning the VM on and logging in, you are prompted to restart the VM, choose to restart.

Step 1: Set Microsoft Office SharePoint

Server 2007 to accept tokens from the
Contoso federation server
In this step, we reconfigure the SharePoint site that is installed on CONTOSOSRV02 so that it
can accept tokens from AD FS 2.0:
 Configure the SharePoint site with a custom Role and Membership provider. The SharePoint
site application code calls this Role and Membership provider to validate a user and role
information and also get user information at invite and access time, such as the user name
and what roles the user belongs to.
 Configure the SharePoint site to trust the Contoso Federation Service and accept security
tokens from it.

To configure the SharePoint site to trust and use the Contoso federation server
1. Log on to the CONTOSOSRV02 computer as CONTOSO\Administrator with "demo!23"
as the user password.
2. Click Start, All Programs, click Microsoft Federation Extensions for SharePoint, and
then click Federation Utility for SharePoint 3.0.
3. For the Administrator Configuration file location, browse to
c:\inetpub\wwwroot\wss\VirtualDirectories\37101 and select web.config, and then
click Next.

Note
SharePoint creates the administrator configuration folder with random number. In
this case, it was created in folder 37101. It might be different for you.
4. For the Application configuration location, browse to
 c:\inetpub\wwwroot\wss\VirtualDirectories\docs.contoso.com443, and then select
web.config.
5. For the application URI, type https://docs.contoso.com.
6. For SharePoint Security Zone for the Application, select Extranet, and then click
Next.
7. For STS WS-Federation metadata document location, type
https://sts1.contoso.com, and then click Next.
8. On the next screen, keep Disable certificate chain validation, and then click Next.
9. On the next screen, keep the No encryption option selected, and then click Next.
10. Click Next again, and then click Finish. After you click Finish, it will take few minutes to
configure.
11. Click OK when the SharePoint site is fully configured.

Step 2: Add the Domain Admins group as

Administrator for the SharePoint site
In this step, we grant full access to the SharePoint site to users who belong to the
Domain Admins group.

To add the Domain Admins group to the Administrators group for the SharePoint site
1. Log on to the CONTOSOSRV02 computer as CONTOSO\Administrator with "demo!23"
as the user password.
2. Click Start, Administrative Tools, and SharePoint 3.0 Central Administration.
3. On the Central Administration (http://contososrv02:37101) page, click the Application
Management tab.
4. On the Application Management page, click Policy for Web application.

On the next page, we change to the SharePoint site that we are actually configuring.
5. Click the Web Application drop-down list, and then click Change Web Application.
6. In the Select Web Application window that pops up, click Sharepoint:80 for the site to
be configured.

7. On the Policy for Web Application page, click Add Users.

8. In the Zones drop-down list, select the Extranet zone to which we will add users, and
then click Next.
9. On the next page, we add the Domain Admins role. In the Users text box, type
Role#Domain Admins. To give Domain Admins Full Control permissions, select the
check box for Full Control, and then click Finish.

Note
The Role# prefix tells the custom Role provider that Domain Admins is a role. If
you add Domain Admins without this prefix, Domain Admins are treated as users.
10. On the next page, you see the Domain Admins role added with full control of the site.
Step 3: Configure the Contoso federation
server to issue tokens to the SharePoint site
In this step, we configure the federation server in the Contoso domain to issue tokens to the
SharePoint site. That is, we add the SharePoint site as the relying party. We also configure the
Contoso federation server to use Active Directory as the source of role and user information.

To add the SharePoint site as a relying party for the Contoso federation server
1. Log on to the CONTOSOSRV01 computer as CONTOSO\Administrator with "demo!23"
as the user password.
2. Open the AD FS 2.0 Management console. On the Start menu, click Administrative
Tools, and then click AD FS 2.0 Management.
3. After the snap-in is loaded, in the right pane, Required: Add a trusted relying party.

4. The Add Relying Party Wizard opens, as shown in the following illustration. Click Start to
begin adding the SharePoint site as a relying party.
5. On the Select Data Source page, keep the default option selected, and then type the
following URL:
https://docs.contoso.com/_LAYOUTS/images/443/federationmetadata/2007-
06/federationmetadata.xml.
This is the location where the SharePoint federation metadata file is located, which was
produced when we ran the tool on the ContosoSrv02 server.
 6. Click Next to go to the Specify Display Name page, where you can enter a display
name for the SharePoint site. Type SharePoint Docs Site on Contoso, and then click
Next.
7. On the Choose Issuance Authorization Rules, keep the default option selected, and
then click Next.
8. Click Next, and then click Close to finish adding the SharePoint site as a relying party
and start the Rules Editor to configure which claims will be sent to the SharePoint site.

Now that we have added the SharePoint Site as a relying party, we configure the claims to send
to it.

To configure the claims to be sent to the SharePoint site

1. In the Rules Editor, click Add Rule.
2. In the Select Rule Template page, keep the default option Send LDAP Attributes as
Claims selected, and then click Next.
3. On the Configuration Rule page, type Outgoing Name and Role Claim for
SharePoint in the Claim rule Name field. For the Attribute store, select
Active Directory. In the LDAP Attribute column, select E-Mail-Addresses for the
outgoing Name claim, Token-Groups – Unqualified Names for the Role claim, and E-
Mail-Addresses for the outgoing E-mail Address claim, and then click Finish.
 4. Click OK to close the Rules Editor.

Step 4: Add new roles to the SharePoint site

Now we add a few new roles to the SharePoint site that will have restricted access. We add a role
called DrugTrial1Admins that will have administrator access to site. We then add another role
called DrugTrial1Auditors that will have visitor access to the SharePoint site. We do this by
accessing the SharePoint site as an Administrator. The Administrator account belongs to the
Domain Admins Role/Group, and it has full access to the SharePoint site.

To add the DrugTrial1Admins role with administrator access to the SharePoint site
1. Log on to the CONTOSOSRV01 computer as CONTOSO\Administrator with "demo!23"
as the user password.
2. Navigate to the SharePoint site by going to https://docs.contoso.com/. The site redirects
 you to the STS login page (as shown below) and asks you to authenticate to the STS.
3. Sign in to the SharePoint site using the administrator credentials by typing
Contoso\administrator for the user name and demo!23 for the password.

4. Back on the SharePoint site, on the Site Actions menu, click Site Settings, and then
click People And Groups.
5. To add a group to the Home Owners group, click the Home Owners link in the Groups
pane.
6. On the next page, click New, and then click Add Users.
7. In Users/Groups, type Role#DrugTrial1Admins, and then click OK.
On the next page, you see Role#DrugTrial1Admins as a member of the Home Owners group.

To add the DrugTrial1Auditors role with visitor access to the SharePoint site
1. In the browser window that you opened to the SharePoint administration site previously,
under Groups, click Home Visitors.
2. On the next page, click New, and then click Add Users.
3. In the input box, type Role#DrugTrial1Auditors, and then click OK.
4. Role#DrugTrial1Auditors appears in the Home Visitors group.

To verify that the new roles are working when you access the SharePoint site
1. Close the browser window, reopen Internet Explorer, and navigate to
https://docs.contoso.com.
2. On the STS sign in page, sign in using DanielW's credentials (Username:
contoso\danielw, Password: demo!23), who is a member of DrugTrial1Admins group.
3. The STS logs you in and redirects you back to Docs.contoso.com with a token that
contains the role of DrugTrial1Admins. The user name that you logged on with
(danielw@contoso.com) will appear in the SharePoint site, and you will have full access
to the SharePoint site because the user belongs to a group (DrugTrial1Admins) that has
full access to the site.
Step 5: Configure the Contoso federation
server to accept tokens from the Fabrikam
federation server
In this step, we configure the federation server at Contoso to trust the federation server at
Fabrikam and accept security authorizations from it. To this we add a claims provider trust for the
Fabrikam federation server at the Contoso federation server. We also configure the federation
server at Contoso to accept claims only if the values presented meet with certain restrictions.

To add the Fabrikam federation server as a claims provider at the Contoso federation
server
1. Log on to the CONTOSOSRV01 computer as CONTOSO\Administrator with "demo!23"
as the user password.
2. Open the AD FS 2.0 Management console.
On the Start menu, click Administrative Tools, and then click AD FS 2.0 Management.
3. After the AD FS 2.0 console is loaded, expand Trust Relationships. Click Claims
Provider Trust, and then, in the Actions pane, click Add Claims Provider Trust.

4. The Add Identity Provider Wizard opens. Click Start to begin the wizard.
5. On the Choose Data Source page, click Import identity provider configuration from
federation metadata on the network. For Federation metadata URL or host name,
type sts2.fabrikam.com, and then click Next.
6. On the next page, type a name for the identity provider (Fabrikam Identity Provider),
and then click Next.
7. Click Next on the screen that appears, and then click Close when the wizard finishes
saving the policy.
When the wizard exits, the Rules Editor opens and we can specify which claims (and the
values for those claims) to accept from the Fabrikam federation server. In the Rules
Editor, we are going to add two new rules. In the first rule, we will only pass through the
email claim if it ends with "@fabrikam". For the second rule, we will only pass through the
Role claim if it has a value of "DrugTrial1Auditors".

To configure the claims acceptance policy for the Fabrikam identity provider
1. In the Rules Editor, click Add Rule.
2. In the Select Rule Template window, click Pass Through or Filter an Incoming Claim
for the Claim rule template, and then click Next.
3. For the Claim rule name, type Email Filter. For the Incoming Claim Type, select E-
Mail Address, and then click Pass through only claims values that match a specific
email suffix value. For Email suffix value, type fabrikam.com, as shown in the
following illustration, and then click Finish.
4. For the second rule, click Add Rule.
5. In the Select Rule Template window, select Pass Through or Filter an Incoming
Claim for the Claim rule template, and then click Next.
6. For the Claim rule name, type Role Filter. For the Incoming Claim Type, select Role,
and then click Pass through only a specific claims value. For Incoming claim value,
type DrugTrial1Auditors, as shown in the following illustration, and then click Finish.
7. Click OK to exit the claims editor.
We now go back and update the relying party policy of Contoso that specifies how to transfer the
incoming claims to the outgoing claims.

To update the claims issuance policy for the SharePoint site on the Contoso federation
server
1. In the AD FS 2.0 Management console, in the console tree, expand Trust
Relationships, and then click Relying Party Trusts.
2. In the details pane, click SharePoint Docs Site on Contoso.
3. On the Action menu, click Edit Claim Rules.
4. In the Rules Editor, we add two new rules. In the first rule, we are just going to pass
through the Role claim. Click Add Rule.
5. On the Select Rule Template page, click Pass Through or Filter an Incoming Claim
for Claim rule template, and then click Next.
6. For the Claim rule name, type Role pass through, select Role for Incoming claim
type, and then click Finish. Click Yes in the dialog box that appears.
 We now add the second rule to transform the incoming e-mail claim, from Fabrikam, to a
name claim that the SharePoint site is expecting.
7. Click Add Rule.
8. On the Select Rule Template page, click Transform an Incoming Claim for Claim rule
template, and then click Next.
9. For the Claim rule name, type Email to Name transform, for Incoming claim type,
select E-Mail Address, and for Outgoing claim type, select Name. Keep the default
options selected, and click Finish. Click Yes in the dialog box that appears.
 10. Click OK to exit the Rules Editor.

Step 6: Configure Fabrikam to federate and

issue tokens to Contoso
In this step, we configure the federation server at Fabrikam to issue tokens to the federation
server at Contoso to enable federation; that is, we add the Contoso federation server as a relying
party on the Fabrikam federation server. We also configure the claims that the federation server
at Fabrikam should send to the federation server at Contoso.

To add the Contoso federation server as a relying party on the Fabrikam federation
server
1. Log on to the FABRIKAMSRV01 computer as FABRIKAM\Administrator with "demo!23"
 as the user password.
2. Open the AD FS 2.0 Management console. On the Start menu, click Administrative
Tools, and then click AD FS 2.0 Management.
3. After the snap-in is loaded, in the right pane, click the link Required: Add a trusted
relying party.

4. The Add Relying Party Wizard opens, as shown in the following illustration. Click Start to
begin adding the SharePoint site as a relying party.
5. On the Select Data Source page, keep the default option selected, click Import data
about the relying party published online or on a local network, type
sts1.contoso.com, and then click Next.
6. On the Specify Display Name page, type Contoso STS for a display name, and click
Next.
7. Complete the rest of the wizard with the default options selected. Click Close at the end
to start the Rules Editor.

To configure claims for the Contoso federation server relying party

1. In the Rules Editor, click Add Rule.
2. In the Select Rule Template page, keep the default option Send LDAP Attributes as
Claims selected, and then click Next.
3. On the Configuration Rule page, type Outgoing Email address claim in the Claim
rule Name field. For the Attribute store, select Active Directory. In the LDAP Attribute
column, select E-Mail-Addresses for the outgoing E-Mail Address claim, and then click
Finish.
 Add another rule so that Role claim is sent only if the user belongs to the
DrugTrial1Auditors group and the value for that claim is going to be DrugTrial1Auditors.
To add this rule:
4. Click Add Rule.
5. In the drop-down menu, select Send Group Membership as a Claim, and then click
Next.
6. For the Claim rule name, type Send Role Claim.
7. Then, click Browse, type DrugTrial1Auditors, click Check Names, and then click OK.
8. For the outgoing claim type, select Role and for outgoing claim value, type
DrugTrial1Auditors, and then click Finish.
9. Click OK to close the Rules Editor.

To verify that the Fabrikam identity provider is working properly

1. Remain logged on to the FABRIKAMSRV01 computer as FABRIKAM\Administrator.
2. Open Internet Explorer (make sure no other instances of Internet Explorer were already
open), and navigate to the docs site at https://docs.contoso.com, which redirects you to
the STS login page.
3. At the Contoso STS sign-in page, select Fabrikam Identity Provider from the drop-down
list, and then click Continue to Sign In.
4. On the Fabrikam sign-in page, sign in using the credentials of Frank Miller with the
username fabrikam\frankm and password demo!23.
After you are signed in, you will be redirected to the SharePoint site with read-only access to the
site. This is because the group, DrugTrial1Auditors, that FrankM belongs to, has visitor-only
access to the site.

Step 7: Access the SharePoint site

In this step, we access the SharePoint site that is hosted in the Contoso domain from a client
computer in the Fabrikam domain. We attempt to:
1. Log on to the FABRIKAMSRV02 computer as FABRIKAM\frankm with "demo!23" as the user
password.
2. Open Internet Explorer, and then browse to https://docs.contoso.com.
3. The first thing you will see is the Contoso Server Sign-in page with the drop-down list of
Identity Providers. This step is called Home Real Discovery. From the drop-down list, choose
Fabrikam Identity Provider, and then click Continue to Sign In.
4. After you select the button, you navigate to the Fabrikam federation server sign-in pages,
where the Frank will be authenticated using Windows Integrated Authentication. Frank will
not be prompted for credentials.
5. After Frank is authenticated, he will be redirected back to the Contoso STS sign-in pages.
Wehn the Contoso STS verifies that Frank is indeed from Fabrikam, he will be further
redirected to the SharePoint server and have visitor access to the site.

Note
Accessing a document that is present at the SharePoint site directly from Microsoft
Office Word requires Microsoft Office Service Pack 2 (SP2) and Windows Vista®
SP2. Also, for Group Policy changes to take effect from the changes we made in the
previous step, restart the FABRIKAMCLT01 VM before you continue with this step.
 To open a document directly from the SharePoint site using Microsoft Office Word
1.

Note
Accessing a document that is present at a federated SharePoint site directly from
Microsoft Office Word requires Microsoft Office Service Pack 2 (SP2) and
KB969413.
Log on to the FABRIKAMSRV02 computer as user "frankm" with "demo!23" as the user
password.
2. Open Microsoft Office Word.
3. Click the Word Office button, and then click Open.
4. Type the URL of the document that is located on the SharePoint site as follows:
https://docs.contoso.com/Docs/Documents/Contoso%20-
%20Statement%20of%20General%20Terms.docx
5. You should see the same browser experience that you saw when accessing the
SharePoint site using Internet Explorer. After you select your identity provider, you will be
authenticated and the document will be downloaded directly from the federate SharePoint
site.

Step 8: Configure the Contoso federation

server to get values from a SQL data store
In this step, we configure the Contoso federation server to pull role information from a SQL
database (HOL Doctors Role) based on the e-mail address for each user. In this database, we
have three tables for sourcing the roles that we want to use here. We use the e-mail address of
the user who is trying to access the SharePoint site, and we use that e-mail address to look up in
the database what role the user should have.
Table 1(dbo.URT) contains a list of e-mail addresses of doctors, the role that they have, and the
drug trial that they belong to.

Table 2(dbo.TS) contains information about which SharePoint site belongs to which drug trial.
Table 3(dbo.RS) maps the roles in the database to the roles in the Contoso SharePoint site.

To begin using these roles, we must first add these roles to the SharePoint site and give them the
correct access permissions.

To provide access for the SQL-based roles to the SharePoint site

1. Log on to the CONTOSOSRV01 computer as CONTOSO\Administrator with "demo!23"
as the user password.
2. Navigate to the SharePoint site by going to https://docs.contoso.com/.
3. The site redirects you to the STS login page and asks you to authenticate to the STS. On
the STS login page, click Sign in using your account at this identity provider, and
then click Sign In. On the next page, sign in using the credentials of administrator as
username contoso\administrator and password demo!23.
4. On the SharePoint site, click Site Actions, click Site Setting, and then click People and
Groups.
5. To add the sp_admins group, in the left pane, click Home Owners, click New, and then
click Add Users.

6. On the new screen, type Role#sp_admin in the text box, and then click OK.
7. Delete the previously added administrator role. Select the Role#DrugTrial1Admins
check box. On the Actions menu, click Remove Users from Group, and then click OK
in the confirmation dialog box.
8. To add the sp_visitor, under Groups, click Home Visitors, click New, and then click Add
Users.
 9. On the next screen, type Role#sp_visitor in the text box, and then click OK.
10. Delete the previously added role. Select Role#DrugTrial1Auditors. In the Actions pane,
click Remove Users from Group, and then click OK in the confirmation dialog box.

Now, we update the Contoso federation server to also pull role claim values from the SQL
database on this computer.

To add a local SQL database as an attribute store for the Contoso federation server
1. Log on (if you are not still logged on) to the CONTOSOSRV01 computer as
CONTOSO\Administrator with "demo!23" as the user password.
2. Open the AD FS 2.0 Management console (if it is not still open).
On the Start menu, click All Programs, point to Administrative Tools, and then click
AD FS 2.0 Management.
3. In the console tree, expand Trust Relationships, and then click Attribute Stores.
4. In the Actions pane, click Add Attribute Store.
 5. Clicking the link opens the Add an Attribute Store dialog box. Type HOL Doctors Role
as the display name. For Attribute Store Type, select SQL, type the following
connection string, and then click OK to finish. For your convenience, this command is in a
text file on the desktop, called DataBase Connect:
Data Source=CONTOSOSRV01;Initial Catalog=HOL Doctors Role;Integrated Security=True

Now that we have connected to the database, we must update the SharePoint rules in the
Contoso federation server regarding where to get role claim values:
To update policy to pull role claim values from the SQL attribute store
1. In the console tree of the AD FS 2.0 Management console, under AD FS 2.0 and Trust
Relationships, click Relying Party Trusts. In the Replying Party Trusts list, click
SharePoint Docs Site on Contoso, and then in the Actions pane, click Edit Claim
Rules.

2. The Rules Editor opens. To create a new custom rule, click Add Rule.
3. In the new window that appears, click Send Claims Using a Custom Rule, and then
click Next.
4. In the first rule, we see which trial the https://docs.contoso.com/ site belongs to. The
custom rule is presented here. For the Claim rule name, type Trial Lookup and for
Custom rule, type the following, and then click Finish. (For convenience, this role is
saved in a file called Custom Rule1 on the desktop. You can copy and paste it from
there.)
=> add(store = "HOL Doctors Role", types =
("http://schemas.microsoft.com/ws/2008/06/identity/claims/trial"), query = "select
trial from dbo.TS where dbo.TS.SharePointSite = {0}", param =
"https://docs.contoso.com/");
5. Add a second custom rule. In this rule, we use the previously queried trial information
with the user’s e-mail address and discover which role the user belongs to. To add
another custom rule, click Add Rule, and then select Send Claims Using a Custom
Rule, and then click Next. For Claim rule name, type User Role and for Custom rule,
type the following presented here. (For convenience, this role is saved in a file called
Custom Rule2 on the desktop. You can copy and paste it from there.)
c1:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
&& c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/trial"] =>
add(store = "HOL Doctors Role", types =
("http://schemas.microsoft.com/ws/2008/06/identity/claims/incomingtrialrole"),
query = "select role from dbo.URT where dbo.URT.Trial = {1} and
dbo.URT.UserName={0}", param = c1.Value, param = c2.Value);
6. Now we create a third custom rule. In the third rule, we use a previously queried role
claim to query the SharePoint role claim and assign the value to the outgoing role claim.
To add another custom rule, click Add Rule, select Send Claims Using a Custom Rule,
and then click Next. For Claim rule name, type SharePoint Role and for Custom rule,
type the following presented here. (For convenience, this role is saved in a file called
Custom Rule3 on the desktop. You can copy and paste it from there.)
c:[Type ==
"http://schemas.microsoft.com/ws/2008/06/identity/claims/incomingtrialrole"] =>
issue(store = "HOL Doctors Role", types =
("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = "select
dbo.RS.SharePointGroup from dbo.RS where dbo.RS.Role = {0}", param = c.Value);
7. Click OK to save these new rules and exit the Rules Editor.
Now that the issuance rules are in place to pull claims from the SQL-based attribute store, we can
test the new policy by accessing the SharePoint site. First, we access the site from within
Contoso.

To verify revisions in access policy to the SharePoint site from within Contoso
1. Log on to the CONTOSOSRV01 computer as CONTOSO\administrator with "demo!23"
 as the user password.
2. Navigate to https://docs.contoso.com. (Make sure that you opened a new browser
window and that there were no browser windows already open.)
3. When you are redirected to the STS login page, you will see sts1.contoso.com in the
drop-down menu. Click Continue to Sign In.
4. On the Username and password logon page, type the following information, and then
click Sign In. If you are prompted to save credentials, click No.
Username: contoso\danielw
Password: demo!23
5. When you are logged in to the site, you see that Daniel has full access to the SharePoint
site because he belongs to the Admin group in the SQL database. The Admin group
maps to the sp_admin group on the SharePoint site with full site access.

Now that you have verified that Daniel from the Contoso domain has write access, try logging in
to the SharePoint site from a computer in the Fabrikam domain with Frank’s account.

To verify revisions in access policy to the SharePoint site from within Fabrikam
1. Log on to the FABRIKAMSRV02 computer as FABRIKAM\frankm with "demo!23" as the
user password.
2. When you are logged in, open Internet Explorer, and navigate to
https://docs.contoso.com.
Because of the Auto Card policy changes that we implemented earlier, your Fabrikam
Information Card will be automatically selected and used to sign you in to the Contoso
SharePoint site. You will be logged into the site with read-only access. This is because
the user FrankM belongs to the Auditors group, that group maps to the sp_visitor group
on the SharePoint site, and that group has read-only access to the site.

Step 9: Configure AD RMS for digitally

protecting documents
In this step, we configure Active Directory Rights Management Services (AD RMS) for use in
protecting selected documents that are stored in the documents library on the SharePoint site. As
part of the setup for this lab, the AD RMS role is already installed on the CONTOSOSRV01 VM.
In this step, you add role services and the Active Directory Federation Services (AD FS) Web
Agent to enable AD RMS to support this scenario configuration.

Install the AD FS Web Agent

You can use the Add Roles Wizard to add the AD FS Web agent on the CONTOSOSRV01 VM.
To install the AD FS Web agent on ContosoSrv01
1. Log on to the CONTOSOSRV01 computer as CONTOSO\Administrator with "demo!23"
as the user password.
2. To start the Add Roles Wizard, click Start, click Administrative Tools, click Server
Manager, and then, in the right pane, click Add Roles.

3. On the next page, click Active Directory Federation Services, and then click Next.
4. On the next page that appears, click Next.
5. On the next page that appears, click AD FS Web Agent. Select only the Claims-aware
Agent check box, and then click Next.
 6. On the next page, click Install, and then click Close after the installation is complete.

Now we need to add a Role Service for AD RMS.

Install AD RMS Role Services

To install AD RMS Role Services on ContosoSrv01

1. Remain logged on to the CONTOSOSRV01 computer as CONTOSO\Administrator with
"demo!23" as the user password.
2. Open Server Manager and start the Add Roles Wizard
To start the Add Roles Wizard, click Start, click Administrative Tools, and then click
Server Manager.
3. In the Roles section, scroll down to Active Directory Rights Management Services,
and then click Add Role Services.
4. When the wizard opens, select Identity Federation Support, and then click Next.
 5. Type the federation server name. In this case, type sts1.contoso.com, and then click
Validate.
6. After the name is validated, click Next.
7. On the next page, click Install.
8. After the installation is complete, click Close.

Now that we added all the roles and services, we have to turn AD RMS on for federation.

To enable federation support for the AD RMS role

1. Remain logged on to the CONTOSOSRV01 computer as CONTOSO\Administrator with
"demo!23" as the user password.
2. Open the Active Directory Rights Management Services console .
3. To open the Active Directory Rights Management Services console, click Start, click
Administrative Tools, and then click Active Directory Rights Management Services.
The Active Directory Rights Management Services snap-in should appear in Microsoft
Management Console (Mmc.exe).
4. Click Yes in the dialog box that appears.

5. In the console tree, expand the server name (contososrv01), expand Trust Policies,
right-click Federated Identity Support, and then click Enable Federated Identity
Support.
Because AD RMS is running under a service account (adrmssrvc), we must ensure that this
account has privileges to write to security audit logs.

To allow the AD RMS service account to write to security audit logs

1. Remain logged on to the CONTOSOSRV01 computer as CONTOSO\Administrator with
"demo!23" as the user password.
2. Open the Group Policy Management snap-in. Click Start, point to Administrative Tools,
and then click Group Policy Management.
3. In the console tree, expand Forest: Contoso.com, expand Domains, expand
Contoso.com, expand Group Policy Objects, right-click Default Domain Controllers
Policy, and then click Edit.
The Group Policy Management Editor opens.
4. In the console tree, expand Computer Configuration, expand Policies, expand
Windows Settings, expand Security Settings, expand Local Policies, and then click
User Rights Assignment.
5. In the details pane, double-click Generate security audits.
The Generate security audits Properties dialog box appears.
6. Click Add user or groups, and then click Browse.
7. In the Select Objects dialog box, type adrmssrvc, click Check Names, click OK, and
then click OK again.
The Generate security audits Properties dialog box should appear as shown in the
following screen shot.
 8. Click OK to exit the dialog box.

So that the changes can take effect, do the following:

 Click Start, right-click Command Prompt, and then click Run as Administrator.
 At the command prompt, type iisreset, and then press ENTER. After the command runs,
type exit, and then press ENTER to close the command prompt window.
We are now ready to integrate AD RMS with AD FS 2.0. In AD FS 2.0 we are going to add two
relying parties. One relying party is for the AD RMS certificate service, and the other is for the
AD RMS licensing service.

To add a relying party for the AD RMS certificate service

1. Remain logged on to the CONTOSOSRV01 computer as CONTOSO\Administrator.
2. Open the AD FS 2.0 Management console.
On the Start menu, click All Programs, point to Administrative Tools, and then click
AD FS 2.0 Management.
3. In the console tree, click AD FS 2.0, and then, in the right pane under Actions, click Add
Relying Party Trust.
When the Add Relying Party Wizard opens, click Start.
4. On the Select Data Source page, click Enter data about the relying party manually,
and then click Next.

5. On the Specify Display Name page, in Display name, type AD RMS Certification
Service, and then click Next.
6. On the Choose Profile page, click AD FS Profile 1.0 and 1.1 profile, and then click
Next.
 7. On the Configure URL page, for WS-Federation Passive URL, type
https://adrms.contoso.com/_wmcs/certificationexternal/, and then click Next.
8. On the Configure Identifiers page, click Next.
9. On Choose Issuance Authorization Rules page, keep the default option, Permit all
users to access this relying party, selected and click Next.
10. On the next page, click Next.
11. On the Finish page, click Close.
This opens the Rules Editor. The AD RMS Licensing Service is expecting the e-mail
address of the user.

Now, we create two rules. In the first rule, we take the e-mail address for the user from the
Lightweight Directory Access Protocol (LDAP) attribute store and send it as an AD FS e-mail
address claim. In the second rule, we take the incoming e-mail claim from Fabrikam and convert
that also into an AD FS e-mail claim.
To update policy to process e-mail claims for the AD RMS Licensing Service
1. In the Rules Editor, click Add Rule. In the new window that appears, select Send LDAP
Attributes as Claims, and then click Next.
2. For the Claim rule name, type Email as AD FS 1.x Email. For Attribute store, select
Active Directory. In LDAP attribute, select E-Mail-Addresses; and in Outgoing Claim
Type, select AD FS 1.x E-Mail Address. Click Finish.

3. For the second rule, click Add Rule. In the new window that appears, select Transform
an Incoming Claim, and then click Next.
4. For the Claim rule name, type Transform incoming Email to AD FS 1.x Email. For
Incoming claim type, select E-Mail Address; and in Outgoing claim type, select
AD FS 1.x E-Mail Address and then click Finish. Click Yes in the dialog box that
appears.
5. For the third rule, click Add Rule. In the new window that appears, select Transform an
Incoming Claim, and then click Next.
6. For the Claim rule name, type Transform AD FS 1.x Email to Name Identifier. For
Incoming claim type, select AD FS 1.x E-Mail Address; and in Outgoing claim type,
select Name ID, and in Outgoing name ID format, select Email, and then click Finish.
Click Yes in the dialog box that appears.
 7. Click OK to exit the Rules Editor.

To add the AD RMS Licensing Service, repeat the same steps that you completed to add the
certification service, except give it a friendly name of AD RMS Licensing Service and enter the
URL as https://adrms.contoso.com/_wmcs/licensingexternal/.

To add a relying party for the AD RMS Licensing Service

1. Remain logged on to the CONTOSOSRV01 computer as CONTOSO\Administrator.
2. Open the AD FS 2.0 Management console.
On the Start menu, point to Administrative Tools, and then click AD FS 2.0
Management.
3. In the console tree, click AD FS 2.0, and then, in the right pane under Actions, click Add
Relying Party Trust.
4. When the Add Relying Party Wizard opens, click Start.
5. On the Select Data Source page, click Enter data about the relying party manually,
 and then click Next.

6. On the Specify Display Name page, in Display name, type AD RMS Licensing
Service, and then click Next.
7. On the Choose Profile page, click AD FS Profile 1.0 and 1.1 profile, and then click
Next.
8. On the Configure URL page, in WS-Federation Passive URL, type
https://adrms.contoso.com/_wmcs/licensingexternal/, and then click Next.
9. On the Configure Identifiers page, click Next.
10. On Choose Issuance Authorization Rules page, keep the default option Permit all
users to access this relying party selected, and then click Next.
11. Click Next, and then click Close.
Clicking Close starts the Rules Editor.

As in the previous step, add three rules:

1. In the first rule, send out the E-Mail Address as AD FS 1.x e-email claim, and create it from
the LDAP attribute store.
2. In the second rule, transform the incoming E-mail claim to outgoing AD FS 1.x E Mail address
claim shown above.
3. For the third rule, transform the AD FS 1.x E Mail claim to Name ID email claim as shown
above.
Now that we have configured AD RMS server with AD FS 2.0 server, we have to configure
AD RMS to work with SharePoint.

To configure AD RMS service for the SharePoint site

1. Log on to ContosoSrv01 with Administrator credentials.
2. Open Windows Explorer and navigate to the folder where Internet Information Services
was installed. By default, the folder path is c:\Inetpub\wwwroot\_wmcs\Certification.
3. Right-click the ServerCertification.asmx file, and then click Properties.
4. On the Security tab, click Edit. In the dialog box that appears, click Add.
5. In the Enter the object names to select field, type AD RMS Service Group, and then
click OK.
6. In the Permissions lists for AD RMS Service Group, select the Allow check box for
both Read and Read & Execute permissions.
7. To add ContosoSrv02 server to permissions list, click Add.
8. Click Object Types, select the Computers check box, and then click OK.
9. Type ContosoSrv02 and click OK.
10. Click Start, and then click Command Prompt.
11. Type iisreset, and then press ENTER.
 12. Click OK and then OK again to close the Properties dialog box.

Before we try out the scenario, we must do one more thing. We must make changes to the
SharePoint site so that any document leaving a document library should be automatically rights
protected for the user who is downloading it. Also, we must make sure that the SharePoint server
is aware of where the AD RMS server is located.
First, to configure the SharePoint server where the AD RMS server is located, we log in to the
SharePoint central administration Web site.

To configure the SharePoint server to use AD RMS to automatically rights-protect the

document in the library
1. Log on to the CONTOSOSRV02 computer as CONTOSO\Administrator with the
password "demo!23".
2. Click Start, Administrative Tools, and SharePoint 3.0 Central Administration. In the
Central Administration site, click Operations under Central Administration.
3. On the Operations page, under Security Configuration, click Information Rights
Management.
4. On the Information Rights Management page, verify that the Use the default RMS
server specified in Active Directory option is selected and that there are no warnings
around it.
 5. Click OK to save your changes.

Now that we have configured AD RMS to work with the SharePoint server on CONTOSOSRV02,
we will configure one of the document libraries on the SharePoint site at https://docs.contoso.com
to be rights-protected. The level of protection will be configured in such a way that any document
that is downloaded from the protected document library will be restricted based on the e-mail
address of the user who is downloading it.

To configure AD RMS-based protection on a document library on the SharePoint site

1. Remain logged on to the CONTOSOSRV02 computer as CONTOSO\Administrator, and
close any previously opened browser windows.
2. Open a new Internet Explorer window, browse to http://docs.contoso.com, and then sign
in using administrator credentials.
3. After you are authenticated with the Contoso STS, you are back at the SharePoint site.
Click the Document Center link in the top right side of the site, as shown in the following
screen shot.
4. On the Document Center page, click the Documents link in the left column. This is the
document library that we are going to protect with AD RMS.
5. On the Documents page, click Settings, and then click Document Library Settings.

6. On the Customize Documents page, click Information Rights Management.

7. On the Information Rights Management Settings page, select the Restrict
permission to documents in this library on download check box. In Permission
policy title, type Contoso Confidential Document, and in Permission policy
description, type Federated Document as shown in the following screen shot. Click OK
when you are finished making these changes.
At this point, we have successfully configured the SharePoint site with AD RMS. We have also
configured one of the document libraries to automatically use Information Rights Management
when a user downloads a document from the site.
In the RMS scenario, the token between the AD FS server in Fabrikam domain and AD FS server
in Contoso domain is chunked and transferred using HTTP headers. There is a limitation in the
Wininet stack. It times out after certain number of redirects and the encrypted token between the
two servers takes more than five redirects. To demonstrate this scenario, we will have to disable
token encryption between the servers. This is safe to do because the channel over which the
token is transferred is protected by SSL encryption.

To disable the token encryption between Fabrikam and Contoso AD FS 2.0 servers
1. Log on to FabrikamSrv01 server with administrator credentials.
2. Open the AD FS 2.0 Management console: click Start, click Administrative Tools, and
then click AD FS 2.0 Management.
3. In the left-hand column, under AD FS 2.0, double-click Trust Relationships, and then
 click Relying Party Trusts.
4. In Relying Party Trusts, right-click Contoso STS, and then click Properties.

5. In the Properties dialog box, on the Monitoring tab, clear Monitor this relying party’s
federation metadata for changes, and then click Apply.
 6. On the Encryption tab, click Remove. In the dialog box that appears, click Yes, and then
press OK.

We now need to make some changes to keys in the Windows registry on the Fabrikam client
computer (FABRIKAMSRV02) so that the AD RMS client knows how to find the identity provider
that it will use to authenticate with the AD RMS server at Contoso Pharmaceuticals
(CONTOSOSRV01) based on the e-mail address of the user that is download the document.

To configure the Fabrikam client computer to be able to find and use the Contoso
AD RMS server
1. Log on to the FABRIKAMSRV02 computer as FABRIKAM\Administrator with "demo!23"
for the password.
2. Open the Registry Editor. Click Start, click Run, type regedit, and then click OK.
Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft key,
 and then select it.

Note
For a 32-bit operating system, you can skip the Wow6432node part of the
registry key path.
3. On the Edit menu, point to New, and then click Key to create a new registry key. Name
the new key MSDRM.
4. Under the MSDRM key, create a new key.
With MSDRM selected, on the Edit menu, point to New, and then click Key to create a
new registry key. Name the new key federation.
5. Under the federation key, create a new value of String (REG_SZ) type. For the Name,
use FederationHomeRealm, and for Value use
http://sts2.fabrikam.com/adfs/services/trust. The result should look like the following
screen shot.

To have a Fabrikam user test AD RMS protection for protected document library on the
Contoso SharePoint site
1. Log off the FABRIKAMSRV02 computer as FABRIKAM\Administrator.
2. Log back on as FABRIKAM\frankm with "demo!23" as the password.
3. Open a new Internet Explorer window, browse to http://docs.contoso.com, and sign in to
the site.
4. After you are signed in at the SharePoint site, navigate to the Documents library that we
protected in the previous procedure.
5. In the Documents library page, click the link to the Contoso – Statement of General
Terms document.
6. Observe the document as it opens in Microsoft Office Word. In Word, click View
Permissions to show that the document is rights protected and cannot be edited, copied,
printed, saved, accessed programmatically, or otherwise fully controlled by the user
(FrankM). This is because in the SharePoint library settings we did not give anyone
permissions to perform these actions on the document when we modified the security
 settings previously in this step.

Step 10: Configure a SharePoint document

library for stronger authentication
In this step, we create a new SharePoint site that contains confidential information. We will set up
this site so that users who access it must authenticate with their smart cards. To simulate
authentication with smart cards we will use a software-based X.509 certificate protected by a PIN
(1@234abcd). To achieve this scenario, we will integrate a sample library that handles requests
for strong credentials built with Windows Identity Foundation. The library is built from the sample
(http://go.microsoft.com/fwlink/?LinkId=179918).

To create a new SharePoint site

1. Logon to CONTOSOSRV02 with domain administrator credentials.
2. Browse to https://docs.contoso.com and authenticate as CONTOSO\Administrator with
password “demo!23”.
3. Click the Site Actions tab.
4. Click the Create Site link.

5. For site settings, enter the corresponding values for the following fields and leave rest of
 the settings as default:

Title Confidential

Description Contains confidential documents

URL Name confidential

Select a template Document Workspace

6. Click the Create button.

7. After creating the new site, close the browser.

Now we will integrate the sample claims authorization library located in “C:\StepUpAuthentication”
with SharePoint.

Note
If you are using the VMs that were pre-created a sample dll has been created and placed
in the folder.
1. Open a Command Prompt window. On the Start menu, click Run, type cmd, and then click
OK.
2. At the command prompt, type cd “c:\Program Files\Microsoft.NET\SDK\v2.0 64bit\bin”,
and press ENTER.
3. Type gacutil.exe /i c:\ StepUpAuthentication\ClaimsAuthorization.dll /f. This adds the
assembly into the GAC.
4. Now we need to edit the web.config of docs.contoso.com SharePoint site. Type cd
c:\inetpub\wwwroot\wss\VirtualDirectories\docs.contoso.com443 and press ENTER.
5. Type notepad.exe web.config.
6. Locate the element <assemblies> (it is located under
<configuration>/<system.web>/<compilation>). Add the following line:
<add assembly="ClaimsAuthorization, Version=1.0.0.0, Culture=neutral,
PublicKeyToken=400a0b56d39a55eb"/>

7. Locate the element <httpModules> (it is located under <configuration>/<system.web>).

Add the following two lines immediately after all other <add> elements (just before the line
with the end tag </httpModules>).
<add name="ClaimsAuthorizationModule"
type="Microsoft.IdentityModel.Web.ClaimsAuthorizationModule, Microsoft.IdentityModel,
Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />

<add name="StepUpAuthenticationModule"
type="ClaimsAuthorization.StepUpAuthenticationModule, ClaimsAuthorization,
Version=1.0.0.0, Culture=neutral, PublicKeyToken=400a0b56d39a55eb"/>
 Now, we will author the policy that would only grant access to Confidential site to users who
have authenticated with the X.509 certificate.
8. In Notepad, locate the element <service> under
<configuration>/<microsoft.identityModel>. Add the following lines immediately after the
line with the tag <service>.
<claimsAuthorizationManager
type="ClaimsAuthorization.CustomClaimsAuthorizationManager">

<strongAuthenticationTypes>

<authenticationType
type="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient"/>

<authenticationType
type="http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/tlsc
lient"/>

</strongAuthenticationTypes>

<authorization>

<policy path="/confidential" >

<allow claimType="*" strongAuthentication="true"/>

</policy>

<policy path="/" >

<allow claimType="*"/>

</policy>

</authorization>

</claimsAuthorizationManager>

9. Save the changes to web.config. In the menu of Notepad, click File, then click Save. Close
Notepad.

To use the stronger authentication type to access the SharePoint site

1. Log on to the FabrikamSrv02 computer as FABRIKAM\frankm with “demo!23” as the
user’s password.
2. Browse to https://docs.contoso.com.
3. Select Fabrikam from the drop-down list at the Contoso sign-in page and click the
Continue to Sign In button.
4. At the Fabrikam sign in page, type the user name as fabrikam\frankm and the password
as demo!23, and then click Sign In.
5. Once logged into the site, click the Confidential tab to access the confidential site.
6. Because you need to authenticate with a smart card you will see the PIN prompt dialog
 box. Select the radio button Grant Permission, and type 1@234abcd as the certificate’s
PIN.
7. You are now authenticated with a smart card and can log in to Confidential site.

Step 11: Configure AD FS 2.0 on

ContosoSrv01 to deny tokens to users
In this step, we will configure AD FS 2.0 on contososrv01 so that it does not issue tokens for
SharePoint server to users who do not belong to either the Domain Admins, sp_visitor, or
sp_admin groups.

To configure AD FS 2.0 to authorize users only in certain roles

1. Log on (if you are not still logged on) to the CONTOSOSRV01 computer as
CONTOSO\Administrator with "demo!23" as the user password.
2. Open the AD FS 2.0 Server Management Console (if it is not still open).
3. On the Start menu, click All Programs, point to Administrative Tools, and then click
AD FS 2.0 Management.
4. In the console tree, double-click Trust Relationships, and then click Claim Provider
Trusts.
5. In the Claims Provider Trusts column, click Active Directory, and then click Edit Claim
Rules in the right-hand column.
6. In the Rule Editor, click Add Rule and in the wizard, click Next.
7. For the Claim rule name, type Email and Role claim lookup, for Attribute store, select
Active Directory. In the LDAP Attribute column, select E-Mail-Addresses for the
outgoing E-mail Address claim, and Token-Groups – Unqualified Names for the Role
claim, and then click Finish. Click OK to exit the Rules Editor.
8. In the console tree, double-click Trust Relationships, and then click Relying Party
Trusts. In the Replying Party Trusts list, click SharePoint Docs Site on Contoso, and
then in the Actions pane, click Edit Claim Rules.
9. In the Rules Editor, select the top-most rule in the list, and then click Remove Rule. Click
Yes in the dialog box that appears.
10. Click the Issuance Authorization Rules tab, select the only single item in the list, and
then delete it by clicking Remove Rule.
11. Now we are going to add three rules to query the role information from the SQL
database, based on the e-mail address. The rules are custom rules, and they are the
same rules that we added in the previous section. For the first rule, click Add Rule. In the
 wizard that appears, select Send Claims Using a Custom Rule, and then click Next. In
the first rule, we see which trial the https://docs.contoso.com/ site belongs to. The custom
rule is presented here. For the Claim rule name, type Trial Lookup, and for Custom
rule, type the following, and then click Finish. (For convenience, this role is saved in a
file called Custom Rule1 on the desktop. You can copy and paste it from there.)
=> add(store = "HOL Doctors Role", types =
("http://schemas.microsoft.com/ws/2008/06/identity/claims/trial"), query =
"select trial from dbo.TS where dbo.TS.SharePointSite = {0}", param =
"https://docs.contoso.com/");

12. Add a second custom rule. In this rule, we use the previously queried trial information
with the user’s e-mail address and discover which role the user belongs to. To add
another custom rule, click Add Rule, select Send Claims Using a Custom Rule, and
then click Next. For Claim rule name, type User Role, and for Custom rule, type the
following, and then click Finish. (For convenience, this role is saved in a file called
Custom Rule2 on the desktop. You can copy and paste it from there.)
c1:[Type ==
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]

&& c2:[Type ==
"http://schemas.microsoft.com/ws/2008/06/identity/claims/trial"]

=> add(store = "HOL Doctors Role", types =

("http://schemas.microsoft.com/ws/2008/06/identity/claims/incomingtrialrole"
), query = "select role from dbo.URT where dbo.URT.Trial = {1} and
dbo.URT.UserName={0}", param = c1.Value, param = c2.Value);

13. Now we create a third custom rule. In the third rule, we use a previously queried role
claim to query the SharePoint role claim and assign the value to the outgoing role claim.
To add another custom rule, click Add Rule, select Send Claims Using a Custom Rule,
and then click Next. For Claim rule name, type SharePoint Role, and for Custom rule,
type the following, and then click Finish. (For convenience, this role is saved in a file
called Custom Rule3 on the desktop. You can copy and paste it from there.)
c:[Type ==
"http://schemas.microsoft.com/ws/2008/06/identity/claims/incomingtrialrole"]

=> issue(store = "HOL Doctors Role", types =

("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query =
"select dbo.RS.SharePointGroup from dbo.RS where dbo.RS.Role = {0}", param =
c.Value);

14. Now that we have gathered all the role information, we will place three new rules. In each
rule, we will check to see if the role value is one of domain_admins, sp_visitor or
sp_admin. For the first rule, click Add Rule. In the wizard page that appears, keep the
default option, Permit or Deny Users Based on an Incoming Claim, and then click
 Next. On the next page, for Claim rule name, type Permit Domain Admins, for
Incoming claim type, select Role in the drop-down menu, and for Incoming claim
value, type Domain Admins, and then click Finish.

15. For the other two rules, repeat the instructions in step 14 with Claim rule name as
Permit sp_visitor and Permit sp_admin and an Incoming claim value of sp_visitor
and sp_admin.

To try out this scenario, log on to ContosoSrv01 and navigate to https://docs.contoso.com. Sign in
as either contoso\administrator or contoso\danielw at the Contoso sign-in page. You will have
access to the SharePoint site. This is because contoso\administrator belongs to Domain Admins
group in AD DS and danielw maps to sp_admin group, based on the information in the SQL
database.
Try accessing the https://docs.contoso.com from the FabrikamSrv01 computer as
fabrikam\frankm. You will see that Frankm has access to the SharePoint site because frankm’s e-
mail address maps to the sp_visitor role in the SQL database. Now try accessing the
https://docs.contoso.com site as fabrikam\alices. You will see access denied for Alice at the
Contoso AD FS Web site because Alice’s account does not map to any role values for which we
just added rules.
Congratulations! This concludes our walkthrough of federated document collaboration using
Microsoft Office SharePoint Server 2007 with AD FS 2.0.