Abstract
This guide provides instructions for using Active Directory Federation Services (AD FS) 2.0 in a
small test lab environment. The purpose is to demonstrate how two fictitious companies can
collaborate on documents using a federated trust that provides claims-based access using
AD FS 2.0. The instructions in this guide should take approximately 90 minutes to complete.
This document is provided "as-is". Information and views expressed in this document, including
URL and other Internet Web site references, may change without notice. You bear the risk of
using it.
Some examples depicted herein are provided for illustration only and are fictitious. No real
association or connection is intended or should be inferred.
This document does not provide you with any legal rights to any intellectual property in any
Microsoft product. You may copy and use this document for your internal, reference purposes.
You may modify this document for your internal, reference purposes.
© 2010 Microsoft Corporation. All rights reserved.
Active Directory, Microsoft, MS-DOS, Visual Basic, Visual Studio, Windows, Windows NT,
Windows Server, and Windows Vista are either registered trademarks or trademarks of
Microsoft Corporation in the United States and/or other countries. All other trademarks are
property of their respective owners.
Contents
Federated Document Collaboration Using Microsoft Office SharePoint Server 2007 and AD FS 2.0
About this guide
Scenario Overview
About the fictional companies
About the lab configuration
About the fictional employees
About the scenario
Step 1: Set Microsoft Office SharePoint Server 2007 to accept tokens from the Contoso federation server
Step 2: Add the Domain Admins group as Administrator for the SharePoint site
Step 3: Configure the Contoso federation server to issue tokens to the SharePoint site
Step 5: Configure the Contoso federation server to accept tokens from the Fabrikam federation server
Step 8: Configure the Contoso federation server to get values from a SQL data store
Step 10: Configure a SharePoint document library for stronger authentication
Important
Any modifications that you make to the configuration details in this guide may affect or
limit your chances of setting up this lab successfully the first time.
Microsoft has tested this guide successfully using Windows Server 2008 Hyper-V virtualization
technology.
The instructions in this guide should take approximately 90 minutes or less to complete. Your
time to complete the steps in this guide may vary, depending on whether you have to set up a
computer that is suitable for hosting the virtual lab environment.
Scenario Overview
This section includes background information about the fictional companies in this document. It
also identifies their business goals and briefly describes the technologies that are used to achieve
these goals.
Using AD FS 2.0 to provide role and user access to the SharePoint site
In steps 1 through 4, we configure Microsoft Office SharePoint Server 2007 to use AD FS 2.0
instead of Active Directory or AD DS for obtaining role and user information. In addition, we
configure AD FS 2.0 in the Contoso domain to issue role and user information to the SharePoint
site.
Note
The following sections assume that you are working with the hands-on lab VM images
that are provided for download on the Microsoft Web site. We recommend downloading
the images if your intent is to evaluate the scenario and AD FS 2.0 technology in the
shortest possible time frame. If you have more time and prefer to do so, you can build
your own VM lab images for each of the four computers. This requires considerably more
time to install and configure all the necessary software. For more information, see How to
Set Up the AD FS 2.0 VM Lab Environment
(http://go.microsoft.com/fwlink/?LinkId=179632).
Preinstallation tasks include the following:
Download and extract VMs
Create a new virtual network
Import and start virtual machines
Administrative credentials
To perform all the tasks in this guide, log on to the virtual server computer—and to each of the
four VMs that you create on it—with the local Administrator account for each computer. Where
applicable, user passwords for accounts that are preconfigured as part of the VM images are
provided.
Note
For configuring the VMs using the images from the Microsoft Download Center, you will
need 100 GB of available disk space on the computer that you use to host the four VMs
that are referenced in this guide.
The WS2008R2Fullx64Ent.zip file contains the base VHD that must be copied to the virtual hard disks
folder of each of the VMs. For example, for ContosoSrv01, copy the extracted
WS2008R2Fullx64Ent.vhd from WS2008R2Fullx64Ent.zip to the c:\VM\ContosoSrv01\Virtual Hard
Disks\ folder. Repeat the same step for ContosoSrv02, FabrikamSrv01, and FabrikamSrv02.
Repeat steps 1 through 4 for all named VMs in the previous table. We recommend that you not
start all four VMs at the same time. Instead, it’s preferable for performance reasons to start each
VM by itself. When the VM is turned on and running, start another VM. Also, the order in which
you start VMs by using Hyper-V Manager is important. For best results, start the four VMs one at
a time in the following order: CONTOSOSRV01, FABRIKAMSRV01, CONTOSOSRV02,
FABRIKAMSRV02.
If, after turning the VM on and logging in, you are prompted to restart the VM, choose to restart.
To configure the SharePoint site to trust and use the Contoso federation server
1. Log on to the CONTOSOSRV02 computer as CONTOSO\Administrator with "demo!23"
as the user password.
2. Click Start, All Programs, click Microsoft Federation Extensions for SharePoint, and
then click Federation Utility for SharePoint 3.0.
3. For the Administrator Configuration file location, browse to
c:\inetpub\wwwroot\wss\VirtualDirectories\37101 and select web.config, and then
click Next.
Note
SharePoint creates the administrator configuration folder with a random number. In
this case, it was created in folder 37101. It might be different for you.
4. For the Application configuration location, browse to
c:\inetpub\wwwroot\wss\VirtualDirectories\docs.contoso.com443, and then select
web.config.
5. For the application URI, type https://docs.contoso.com.
6. For SharePoint Security Zone for the Application, select Extranet, and then click
Next.
7. For STS WS-Federation metadata document location, type
https://sts1.contoso.com, and then click Next.
8. On the next screen, keep Disable certificate chain validation, and then click Next.
9. On the next screen, keep the No encryption option selected, and then click Next.
10. Click Next again, and then click Finish. After you click Finish, it takes a few minutes to
configure.
11. Click OK when the SharePoint site is fully configured.
To add the Domain Admins group to the Administrators group for the SharePoint site
1. Log on to the CONTOSOSRV02 computer as CONTOSO\Administrator with "demo!23"
as the user password.
2. Click Start, Administrative Tools, and SharePoint 3.0 Central Administration.
3. On the Central Administration (http://contososrv02:37101) page, click the Application
Management tab.
4. On the Application Management page, click Policy for Web application.
On the next page, we change to the SharePoint site that we are actually configuring.
5. Click the Web Application drop-down list, and then click Change Web Application.
6. In the Select Web Application window that pops up, click Sharepoint:80 for the site to
be configured.
8. In the Zones drop-down list, select the Extranet zone to which we will add users, and
then click Next.
9. On the next page, we add the Domain Admins role. In the Users text box, type
Role#Domain Admins. To give Domain Admins Full Control permissions, select the
check box for Full Control, and then click Finish.
Note
The Role# prefix tells the custom Role provider that Domain Admins is a role. If
you add Domain Admins without this prefix, Domain Admins are treated as users.
10. On the next page, you see the Domain Admins role added with full control of the site.
Step 3: Configure the Contoso federation
server to issue tokens to the SharePoint site
In this step, we configure the federation server in the Contoso domain to issue tokens to the
SharePoint site. That is, we add the SharePoint site as the relying party. We also configure the
Contoso federation server to use Active Directory as the source of role and user information.
To add the SharePoint site as a relying party for the Contoso federation server
1. Log on to the CONTOSOSRV01 computer as CONTOSO\Administrator with "demo!23"
as the user password.
2. Open the AD FS 2.0 Management console. On the Start menu, click Administrative
Tools, and then click AD FS 2.0 Management.
3. After the snap-in is loaded, in the right pane, click Required: Add a trusted relying party.
4. The Add Relying Party Wizard opens, as shown in the following illustration. Click Start to
begin adding the SharePoint site as a relying party.
5. On the Select Data Source page, keep the default option selected, and then type the
following URL:
https://docs.contoso.com/_LAYOUTS/images/443/federationmetadata/2007-06/federationmetadata.xml
This is the location where the SharePoint federation metadata file is located, which was
produced when we ran the tool on the ContosoSrv02 server.
6. Click Next to go to the Specify Display Name page, where you can enter a display
name for the SharePoint site. Type SharePoint Docs Site on Contoso, and then click
Next.
7. On the Choose Issuance Authorization Rules page, keep the default option selected, and
then click Next.
8. Click Next, and then click Close to finish adding the SharePoint site as a relying party
and start the Rules Editor to configure which claims will be sent to the SharePoint site.
Now that we have added the SharePoint Site as a relying party, we configure the claims to send
to it.
To add the DrugTrial1Admins role with administrator access to the SharePoint site
1. Log on to the CONTOSOSRV01 computer as CONTOSO\Administrator with "demo!23"
as the user password.
2. Navigate to the SharePoint site by going to https://docs.contoso.com/. The site redirects
you to the STS login page (as shown below) and asks you to authenticate to the STS.
3. Sign in to the SharePoint site using the administrator credentials by typing
Contoso\administrator for the user name and demo!23 for the password.
4. Back on the SharePoint site, on the Site Actions menu, click Site Settings, and then
click People And Groups.
5. To add a group to the Home Owners group, click the Home Owners link in the Groups
pane.
6. On the next page, click New, and then click Add Users.
7. In Users/Groups, type Role#DrugTrial1Admins, and then click OK.
On the next page, you see Role#DrugTrial1Admins as a member of the Home Owners group.
To add the DrugTrial1Auditors role with visitor access to the SharePoint site
1. In the browser window that you opened to the SharePoint administration site previously,
under Groups, click Home Visitors.
2. On the next page, click New, and then click Add Users.
3. In the input box, type Role#DrugTrial1Auditors, and then click OK.
4. Role#DrugTrial1Auditors appears in the Home Visitors group.
To verify that the new roles are working when you access the SharePoint site
1. Close the browser window, reopen Internet Explorer, and navigate to
https://docs.contoso.com.
2. On the STS sign-in page, sign in using DanielW's credentials (Username:
contoso\danielw, Password: demo!23). DanielW is a member of the DrugTrial1Admins group.
3. The STS logs you in and redirects you back to Docs.contoso.com with a token that
contains the role of DrugTrial1Admins. The user name that you logged on with
(danielw@contoso.com) will appear in the SharePoint site, and you will have full access
to the SharePoint site because the user belongs to a group (DrugTrial1Admins) that has
full access to the site.
Step 5: Configure the Contoso federation
server to accept tokens from the Fabrikam
federation server
In this step, we configure the federation server at Contoso to trust the federation server at
Fabrikam and accept security authorizations from it. To do this, we add a claims provider trust for
the Fabrikam federation server at the Contoso federation server. We also configure the federation
server at Contoso to accept claims only if the values presented meet certain restrictions.
To add the Fabrikam federation server as a claims provider at the Contoso federation
server
1. Log on to the CONTOSOSRV01 computer as CONTOSO\Administrator with "demo!23"
as the user password.
2. Open the AD FS 2.0 Management console.
On the Start menu, click Administrative Tools, and then click AD FS 2.0 Management.
3. After the AD FS 2.0 console is loaded, expand Trust Relationships. Click Claims
Provider Trust, and then, in the Actions pane, click Add Claims Provider Trust.
4. The Add Identity Provider Wizard opens. Click Start to begin the wizard.
5. On the Choose Data Source page, click Import identity provider configuration from
federation metadata on the network. For Federation metadata URL or host name,
type sts2.fabrikam.com, and then click Next.
6. On the next page, type a name for the identity provider (Fabrikam Identity Provider),
and then click Next.
7. Click Next on the screen that appears, and then click Close when the wizard finishes
saving the policy.
When the wizard exits, the Rules Editor opens and we can specify which claims (and the
values for those claims) to accept from the Fabrikam federation server. In the Rules
Editor, we are going to add two new rules. In the first rule, we will only pass through the
email claim if it ends with "@fabrikam". For the second rule, we will only pass through the
Role claim if it has a value of "DrugTrial1Auditors".
To configure the claims acceptance policy for the Fabrikam identity provider
1. In the Rules Editor, click Add Rule.
2. In the Select Rule Template window, click Pass Through or Filter an Incoming Claim
for the Claim rule template, and then click Next.
3. For the Claim rule name, type Email Filter. For the Incoming Claim Type, select
E-Mail Address, and then click Pass through only claims values that match a specific
email suffix value. For Email suffix value, type fabrikam.com, as shown in the
following illustration, and then click Finish.
4. For the second rule, click Add Rule.
5. In the Select Rule Template window, select Pass Through or Filter an Incoming
Claim for the Claim rule template, and then click Next.
6. For the Claim rule name, type Role Filter. For the Incoming Claim Type, select Role,
and then click Pass through only a specific claims value. For Incoming claim value,
type DrugTrial1Auditors, as shown in the following illustration, and then click Finish.
7. Click OK to exit the claims editor.
We now go back and update the relying party policy of Contoso that specifies how to transfer the
incoming claims to the outgoing claims.
To update the claims issuance policy for the SharePoint site on the Contoso federation
server
1. In the AD FS 2.0 Management console, in the console tree, expand Trust
Relationships, and then click Relying Party Trusts.
2. In the details pane, click SharePoint Docs Site on Contoso.
3. On the Action menu, click Edit Claim Rules.
4. In the Rules Editor, we add two new rules. In the first rule, we are just going to pass
through the Role claim. Click Add Rule.
5. On the Select Rule Template page, click Pass Through or Filter an Incoming Claim
for Claim rule template, and then click Next.
6. For the Claim rule name, type Role pass through, select Role for Incoming claim
type, and then click Finish. Click Yes in the dialog box that appears.
We now add the second rule to transform the incoming e-mail claim, from Fabrikam, to a
name claim that the SharePoint site is expecting.
7. Click Add Rule.
8. On the Select Rule Template page, click Transform an Incoming Claim for Claim rule
template, and then click Next.
9. For the Claim rule name, type Email to Name transform, for Incoming claim type,
select E-Mail Address, and for Outgoing claim type, select Name. Keep the default
options selected, and click Finish. Click Yes in the dialog box that appears.
10. Click OK to exit the Rules Editor.
To add the Contoso federation server as a relying party on the Fabrikam federation
server
1. Log on to the FABRIKAMSRV01 computer as FABRIKAM\Administrator with "demo!23"
as the user password.
2. Open the AD FS 2.0 Management console. On the Start menu, click Administrative
Tools, and then click AD FS 2.0 Management.
3. After the snap-in is loaded, in the right pane, click the link Required: Add a trusted
relying party.
4. The Add Relying Party Wizard opens, as shown in the following illustration. Click Start to
begin adding the SharePoint site as a relying party.
5. On the Select Data Source page, keep the default option selected, click Import data
about the relying party published online or on a local network, type
sts1.contoso.com, and then click Next.
6. On the Specify Display Name page, type Contoso STS for a display name, and click
Next.
7. Complete the rest of the wizard with the default options selected. Click Close at the end
to start the Rules Editor.
Note
Accessing a document that is present at the SharePoint site directly from Microsoft
Office Word requires Microsoft Office Service Pack 2 (SP2) and Windows Vista®
SP2. Also, for Group Policy changes to take effect from the changes we made in the
previous step, restart the FABRIKAMCLT01 VM before you continue with this step.
To open a document directly from the SharePoint site using Microsoft Office Word
Note
Accessing a document that is present at a federated SharePoint site directly from
Microsoft Office Word requires Microsoft Office Service Pack 2 (SP2) and
KB969413.
1. Log on to the FABRIKAMSRV02 computer as user "frankm" with "demo!23" as the user
password.
2. Open Microsoft Office Word.
3. Click the Word Office button, and then click Open.
4. Type the URL of the document that is located on the SharePoint site as follows:
https://docs.contoso.com/Docs/Documents/Contoso%20-
%20Statement%20of%20General%20Terms.docx
5. You should see the same browser experience that you saw when accessing the
SharePoint site using Internet Explorer. After you select your identity provider, you will be
authenticated and the document will be downloaded directly from the federated SharePoint
site.
Table 2 (dbo.TS) contains information about which SharePoint site belongs to which drug trial.
Table 3 (dbo.RS) maps the roles in the database to the roles in the Contoso SharePoint site.
To begin using these roles, we must first add these roles to the SharePoint site and give them the
correct access permissions.
6. On the new screen, type Role#sp_admin in the text box, and then click OK.
7. Delete the previously added administrator role. Select the Role#DrugTrial1Admins
check box. On the Actions menu, click Remove Users from Group, and then click OK
in the confirmation dialog box.
8. To add the sp_visitor, under Groups, click Home Visitors, click New, and then click Add
Users.
9. On the next screen, type Role#sp_visitor in the text box, and then click OK.
10. Delete the previously added role. Select Role#DrugTrial1Auditors. In the Actions pane,
click Remove Users from Group, and then click OK in the confirmation dialog box.
Now, we update the Contoso federation server to also pull role claim values from the SQL
database on this computer.
To add a local SQL database as an attribute store for the Contoso federation server
1. Log on (if you are not still logged on) to the CONTOSOSRV01 computer as
CONTOSO\Administrator with "demo!23" as the user password.
2. Open the AD FS 2.0 Management console (if it is not still open).
On the Start menu, click All Programs, point to Administrative Tools, and then click
AD FS 2.0 Management.
3. In the console tree, expand Trust Relationships, and then click Attribute Stores.
4. In the Actions pane, click Add Attribute Store.
5. Clicking the link opens the Add an Attribute Store dialog box. Type HOL Doctors Role
as the display name. For Attribute Store Type, select SQL, type the following
connection string, and then click OK to finish. For your convenience, this command is in a
text file on the desktop, called DataBase Connect:
Data Source=CONTOSOSRV01;Initial Catalog=HOL Doctors Role;Integrated Security=True
Now that we have connected to the database, we must update the SharePoint rules in the
Contoso federation server regarding where to get role claim values:
To update policy to pull role claim values from the SQL attribute store
1. In the console tree of the AD FS 2.0 Management console, under AD FS 2.0 and Trust
Relationships, click Relying Party Trusts. In the Relying Party Trusts list, click
SharePoint Docs Site on Contoso, and then in the Actions pane, click Edit Claim
Rules.
2. The Rules Editor opens. To create a new custom rule, click Add Rule.
3. In the new window that appears, click Send Claims Using a Custom Rule, and then
click Next.
4. In the first rule, we look up which trial the https://docs.contoso.com/ site belongs to. The
custom rule is presented here. For the Claim rule name, type Trial Lookup and for
Custom rule, type the following, and then click Finish. (For convenience, this rule is
saved in a file called Custom Rule1 on the desktop. You can copy and paste it from
there.)
=> add(store = "HOL Doctors Role",
       types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/trial"),
       query = "select trial from dbo.TS where dbo.TS.SharePointSite = {0}",
       param = "https://docs.contoso.com/");
5. Add a second custom rule. In this rule, we combine the previously queried trial information
with the user’s e-mail address to discover which role the user belongs to. To add
another custom rule, click Add Rule, select Send Claims Using a Custom
Rule, and then click Next. For Claim rule name, type User Role and for Custom rule,
type the following rule. (For convenience, this rule is saved in a file called
Custom Rule2 on the desktop. You can copy and paste it from there.)
c1:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
&& c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/trial"]
=> add(store = "HOL Doctors Role",
       types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/incomingtrialrole"),
       query = "select role from dbo.URT where dbo.URT.Trial = {1} and dbo.URT.UserName = {0}",
       param = c1.Value, param = c2.Value);
6. Now we create a third custom rule. In the third rule, we use the previously queried role
claim to look up the SharePoint role and assign that value to the outgoing role claim.
To add another custom rule, click Add Rule, select Send Claims Using a Custom Rule,
and then click Next. For Claim rule name, type SharePoint Role and for Custom rule,
type the following rule. (For convenience, this rule is saved in a file called
Custom Rule3 on the desktop. You can copy and paste it from there.)
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/incomingtrialrole"]
=> issue(store = "HOL Doctors Role",
         types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"),
         query = "select dbo.RS.SharePointGroup from dbo.RS where dbo.RS.Role = {0}",
         param = c.Value);
7. Click OK to save these new rules and exit the Rules Editor.
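The acceptance rules configured on the Fabrikam claims provider trust in Step 5 and the three SQL-backed custom rules just entered can be exercised end to end with the following Python simulation. This is an added example, not code from the lab guide or from AD FS: claim rule semantics are approximated in Python, the HOL Doctors Role database is replaced by an in-memory SQLite database with constructed rows, and the column names and the trial value DrugTrial1 are assumptions where the guide does not state them.

```python
"""Simulation of the Contoso AD FS 2.0 claims pipeline described in Steps 5 and 8.

Added example, not part of the lab guide or of AD FS itself. Claim rule
semantics are approximated in Python; the "HOL Doctors Role" SQL attribute
store is replaced by an in-memory SQLite database populated with constructed
rows. Column names and the trial value "DrugTrial1" are assumptions.
"""
import sqlite3

# Claim types exactly as they appear in the guide's custom rules.
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
TRIAL = "http://schemas.microsoft.com/ws/2008/06/identity/claims/trial"
INCOMING_TRIAL_ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/incomingtrialrole"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
SITE = "https://docs.contoso.com/"


def attribute_store():
    """Constructed stand-in for the HOL Doctors Role database (dbo.TS, dbo.URT, dbo.RS)."""
    db = sqlite3.connect(":memory:")
    # Attach a second in-memory database named "dbo" so the guide's dbo.* names resolve as-is.
    db.execute("ATTACH DATABASE ':memory:' AS dbo")
    db.executescript("""
        CREATE TABLE dbo.TS  (SharePointSite TEXT, Trial TEXT);      -- site -> trial
        CREATE TABLE dbo.URT (UserName TEXT, Trial TEXT, Role TEXT); -- (user, trial) -> role
        CREATE TABLE dbo.RS  (Role TEXT, SharePointGroup TEXT);      -- role -> SharePoint group
        INSERT INTO dbo.TS  VALUES ('https://docs.contoso.com/', 'DrugTrial1');
        INSERT INTO dbo.URT VALUES ('danielw@contoso.com', 'DrugTrial1', 'Admin');
        INSERT INTO dbo.URT VALUES ('frankm@fabrikam.com', 'DrugTrial1', 'Auditors');
        INSERT INTO dbo.RS  VALUES ('Admin', 'sp_admin');
        INSERT INTO dbo.RS  VALUES ('Auditors', 'sp_visitor');
    """)
    return db


def accept_from_fabrikam(claims):
    """Acceptance rules on the Fabrikam claims provider trust (Step 5).

    "Email Filter": pass the e-mail claim only when its suffix is fabrikam.com.
    "Role Filter":  pass the Role claim only when its value is DrugTrial1Auditors.
    Anything else the partner STS asserts is dropped here, which is what keeps
    Fabrikam from asserting Contoso addresses or the DrugTrial1Admins role.
    """
    accepted = []
    for ctype, value in claims:
        if ctype == EMAIL and value.lower().endswith("@fabrikam.com"):
            accepted.append((ctype, value))
        elif ctype == ROLE and value == "DrugTrial1Auditors":
            accepted.append((ctype, value))
    return accepted


def sql_role_rules(db, claims):
    """The three custom rules on the SharePoint relying party trust (Step 8), in order.

    add(...) puts a claim into the working set only; issue(...) puts it into the
    token. The guide's {0}/{1} placeholders become SQLite ? parameters; the SQL
    text is otherwise the guide's.
    """
    working = list(claims)
    issued = []
    # Rule 1 "Trial Lookup": which trial does this SharePoint site belong to?
    for (trial,) in db.execute(
            "select trial from dbo.TS where dbo.TS.SharePointSite = ?", (SITE,)):
        working.append((TRIAL, trial))
    # Rule 2 "User Role": c1 = e-mail claim, c2 = trial claim -> the user's role in that trial.
    for _, email in [c for c in working if c[0] == EMAIL]:
        for _, trial in [c for c in working if c[0] == TRIAL]:
            for (role,) in db.execute(
                    "select role from dbo.URT where dbo.URT.Trial = ? and dbo.URT.UserName = ?",
                    (trial, email)):
                working.append((INCOMING_TRIAL_ROLE, role))
    # Rule 3 "SharePoint Role": map the trial role to the group SharePoint's Role# provider expects.
    for _, role in [c for c in working if c[0] == INCOMING_TRIAL_ROLE]:
        for (group,) in db.execute(
                "select dbo.RS.SharePointGroup from dbo.RS where dbo.RS.Role = ?", (role,)):
            issued.append((ROLE, group))
    return issued


def sharepoint_groups(db, source, incoming):
    """Role values SharePoint receives for a token from 'contoso' (local AD) or 'fabrikam'."""
    claims = accept_from_fabrikam(incoming) if source == "fabrikam" else list(incoming)
    return sorted(value for ctype, value in sql_role_rules(db, claims) if ctype == ROLE)


if __name__ == "__main__":
    db = attribute_store()
    print(sharepoint_groups(db, "contoso", [(EMAIL, "danielw@contoso.com")]))
    print(sharepoint_groups(db, "fabrikam", [(EMAIL, "frankm@fabrikam.com"),
                                             (ROLE, "DrugTrial1Auditors")]))
    # A Fabrikam token asserting a Contoso address never reaches the SQL lookup.
    print(sharepoint_groups(db, "fabrikam", [(EMAIL, "danielw@contoso.com")]))
```

The last case is the one worth checking in a real deployment: without the e-mail suffix filter on the claims provider trust, a partner STS could present any address and the SQL rules would resolve it to a Contoso role.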
Now that the issuance rules are in place to pull claims from the SQL-based attribute store, we can
test the new policy by accessing the SharePoint site. First, we access the site from within
Contoso.
To verify revisions in access policy to the SharePoint site from within Contoso
1. Log on to the CONTOSOSRV01 computer as CONTOSO\administrator with "demo!23"
as the user password.
2. Navigate to https://docs.contoso.com. (Make sure that you opened a new browser
window and that there were no browser windows already open.)
3. When you are redirected to the STS login page, you will see sts1.contoso.com in the
drop-down menu. Click Continue to Sign In.
4. On the Username and password logon page, type the following information, and then
click Sign In. If you are prompted to save credentials, click No.
Username: contoso\danielw
Password: demo!23
5. When you are logged in to the site, you see that Daniel has full access to the SharePoint
site because he belongs to the Admin group in the SQL database. The Admin group
maps to the sp_admin group on the SharePoint site with full site access.
Now that you have verified that Daniel from the Contoso domain has write access, try logging in
to the SharePoint site from a computer in the Fabrikam domain with Frank’s account.
To verify revisions in access policy to the SharePoint site from within Fabrikam
1. Log on to the FABRIKAMSRV02 computer as FABRIKAM\frankm with "demo!23" as the
user password.
2. When you are logged in, open Internet Explorer, and navigate to
https://docs.contoso.com.
Because of the Auto Card policy changes that we implemented earlier, your Fabrikam
Information Card will be automatically selected and used to sign you in to the Contoso
SharePoint site. You will be logged on to the site with read-only access. This is because
the user FrankM belongs to the Auditors group, which maps to the sp_visitor group
on the SharePoint site, and that group has read-only access to the site.
3. On the next page, click Active Directory Federation Services, and then click Next.
4. On the next page that appears, click Next.
5. On the next page that appears, click AD FS Web Agent. Select only the Claims-aware
Agent check box, and then click Next.
6. On the next page, click Install, and then click Close after the installation is complete.
Now that we have added all the roles and services, we have to turn on AD RMS for federation.
5. In the console tree, expand the server name (contososrv01), expand Trust Policies,
right-click Federated Identity Support, and then click Enable Federated Identity
Support.
Because AD RMS is running under a service account (adrmssrvc), we must ensure that this
account has privileges to write to security audit logs.
5. On the Specify Display Name page, in Display name, type AD RMS Certification
Service, and then click Next.
6. On the Choose Profile page, click AD FS Profile 1.0 and 1.1 profile, and then click
Next.
7. On the Configure URL page, for WS-Federation Passive URL, type
https://adrms.contoso.com/_wmcs/certificationexternal/, and then click Next.
8. On the Configure Identifiers page, click Next.
9. On Choose Issuance Authorization Rules page, keep the default option, Permit all
users to access this relying party, selected and click Next.
10. On the next page, click Next.
11. On the Finish page, click Close.
This opens the Rules Editor. The AD RMS Licensing Service is expecting the e-mail
address of the user.
Now, we create two rules. In the first rule, we take the e-mail address for the user from the
Lightweight Directory Access Protocol (LDAP) attribute store and send it as an AD FS e-mail
address claim. In the second rule, we take the incoming e-mail claim from Fabrikam and convert
that also into an AD FS e-mail claim.
To update policy to process e-mail claims for the AD RMS Licensing Service
1. In the Rules Editor, click Add Rule. In the new window that appears, select Send LDAP
Attributes as Claims, and then click Next.
2. For the Claim rule name, type Email as AD FS 1.x Email. For Attribute store, select
Active Directory. In LDAP attribute, select E-Mail-Addresses; and in Outgoing Claim
Type, select AD FS 1.x E-Mail Address. Click Finish.
3. For the second rule, click Add Rule. In the new window that appears, select Transform
an Incoming Claim, and then click Next.
4. For the Claim rule name, type Transform incoming Email to AD FS 1.x Email. For
Incoming claim type, select E-Mail Address; and in Outgoing claim type, select
AD FS 1.x E-Mail Address and then click Finish. Click Yes in the dialog box that
appears.
5. For the third rule, click Add Rule. In the new window that appears, select Transform an
Incoming Claim, and then click Next.
6. For the Claim rule name, type Transform AD FS 1.x Email to Name Identifier. For
Incoming claim type, select AD FS 1.x E-Mail Address; and in Outgoing claim type,
select Name ID, and in Outgoing name ID format, select Email, and then click Finish.
Click Yes in the dialog box that appears.
7. Click OK to exit the Rules Editor.
To add the AD RMS Licensing Service, repeat the same steps that you completed to add the
certification service, except give it a friendly name of AD RMS Licensing Service and enter the
URL as https://adrms.contoso.com/_wmcs/licensingexternal/.
6. On the Specify Display Name page, in Display name, type AD RMS Licensing
Service, and then click Next.
7. On the Choose Profile page, click AD FS Profile 1.0 and 1.1 profile, and then click
Next.
8. On the Configure URL page, in WS-Federation Passive URL, type
https://adrms.contoso.com/_wmcs/licensingexternal/, and then click Next.
9. On the Configure Identifiers page, click Next.
10. On Choose Issuance Authorization Rules page, keep the default option Permit all
users to access this relying party selected, and then click Next.
11. Click Next, and then click Close.
Clicking Close starts the Rules Editor.
Before we try out the scenario, we must do one more thing. We must make changes to the
SharePoint site so that any document leaving a document library should be automatically rights
protected for the user who is downloading it. Also, we must make sure that the SharePoint server
is aware of where the AD RMS server is located.
First, to configure the SharePoint server where the AD RMS server is located, we log in to the
SharePoint central administration Web site.
Now that we have configured AD RMS to work with the SharePoint server on CONTOSOSRV02,
we will configure one of the document libraries on the SharePoint site at https://docs.contoso.com
to be rights-protected. The level of protection will be configured in such a way that any document
that is downloaded from the protected document library will be restricted based on the e-mail
address of the user who is downloading it.
To disable the token encryption between Fabrikam and Contoso AD FS 2.0 servers
1. Log on to FabrikamSrv01 server with administrator credentials.
2. Open the AD FS 2.0 Management console: click Start, click Administrative Tools, and
then click AD FS 2.0 Management.
3. In the left-hand column, under AD FS 2.0, double-click Trust Relationships, and then
click Relying Party Trusts.
4. In Relying Party Trusts, right-click Contoso STS, and then click Properties.
5. In the Properties dialog box, on the Monitoring tab, clear Monitor this relying party’s
federation metadata for changes, and then click Apply.
6. On the Encryption tab, click Remove. In the dialog box that appears, click Yes, and then
click OK.
We now need to make some changes to keys in the Windows registry on the Fabrikam client
computer (FABRIKAMSRV02) so that the AD RMS client knows how to find the identity provider
that it will use to authenticate with the AD RMS server at Contoso Pharmaceuticals
(CONTOSOSRV01), based on the e-mail address of the user who is downloading the document.
To configure the Fabrikam client computer to be able to find and use the Contoso
AD RMS server
1. Log on to the FABRIKAMSRV02 computer as FABRIKAM\Administrator with "demo!23"
for the password.
2. Open the Registry Editor. Click Start, click Run, type regedit, and then click OK.
Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft key,
and then select it.
Note
For a 32-bit operating system, you can skip the Wow6432node part of the
registry key path.
3. On the Edit menu, point to New, and then click Key to create a new registry key. Name
the new key MSDRM.
4. Under the MSDRM key, create a new key.
With MSDRM selected, on the Edit menu, point to New, and then click Key to create a
new registry key. Name the new key federation.
5. Under the federation key, create a new value of String (REG_SZ) type. For the Name,
use FederationHomeRealm, and for Value use
http://sts2.fabrikam.com/adfs/services/trust. The result should look like the following
screen shot.
To have a Fabrikam user test AD RMS protection for protected document library on the
Contoso SharePoint site
1. Log off the FABRIKAMSRV02 computer as FABRIKAM\Administrator.
2. Log back on as FABRIKAM\frankm with "demo!23" as the password.
3. Open a new Internet Explorer window, browse to http://docs.contoso.com, and sign in to
the site.
4. After you are signed in at the SharePoint site, navigate to the Documents library that we
protected in the previous procedure.
5. In the Documents library page, click the link to the Contoso – Statement of General
Terms document.
6. Observe the document as it opens in Microsoft Office Word. In Word, click View
Permissions to show that the document is rights protected and cannot be edited, copied,
printed, saved, accessed programmatically, or otherwise fully controlled by the user
(FrankM). This is because in the SharePoint library settings we did not give anyone
permissions to perform these actions on the document when we modified the security
settings previously in this step.
5. For site settings, enter the following values and leave the rest of the settings at their
defaults:
Title: Confidential
Now we will integrate the sample claims authorization library located in “C:\StepUpAuthentication”
with SharePoint.
Note
If you are using the pre-created VMs, a sample DLL has already been built and placed in
the folder.
1. Open a Command Prompt window. On the Start menu, click Run, type cmd, and then click
OK.
2. At the command prompt, type cd "c:\Program Files\Microsoft.NET\SDK\v2.0 64bit\bin",
and press ENTER.
3. Type gacutil.exe /i c:\StepUpAuthentication\ClaimsAuthorization.dll /f. This installs the
assembly into the GAC.
4. Now we need to edit the web.config of docs.contoso.com SharePoint site. Type cd
c:\inetpub\wwwroot\wss\VirtualDirectories\docs.contoso.com443 and press ENTER.
5. Type notepad.exe web.config.
6. Locate the element <assemblies> (it is located under
<configuration>/<system.web>/<compilation>). Add the following line:
<add assembly="ClaimsAuthorization, Version=1.0.0.0, Culture=neutral,
PublicKeyToken=400a0b56d39a55eb"/>
<add name="StepUpAuthenticationModule"
type="ClaimsAuthorization.StepUpAuthenticationModule, ClaimsAuthorization,
Version=1.0.0.0, Culture=neutral, PublicKeyToken=400a0b56d39a55eb"/>
Now, we will author the policy that grants access to the Confidential site only to users who
have authenticated with an X.509 certificate.
8. In Notepad, locate the element <service> under
<configuration>/<microsoft.identityModel>. Add the following lines immediately after the
line with the tag <service>.
<claimsAuthorizationManager
    type="ClaimsAuthorization.CustomClaimsAuthorizationManager">
  <strongAuthenticationTypes>
    <authenticationType
        type="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient"/>
    <authenticationType
        type="http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/tlsclient"/>
  </strongAuthenticationTypes>
  <authorization>
    <policy>
      <allow claimType="*"/>
    </policy>
  </authorization>
</claimsAuthorizationManager>
9. Save the changes to web.config. In the menu of Notepad, click File, then click Save. Close
Notepad.
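The following added example (not part of this guide or of the sample ClaimsAuthorization library) reads the strongAuthenticationTypes list out of a stand-alone copy of the web.config fragment above and applies the step-up decision the text describes to two constructed tokens, one from a TLS client-certificate logon and one from a password logon. It also shows the well-formedness check that catches a misplaced </policy> before IIS does. The WIF authenticationmethod claim type and the password method URI are assumptions; the TLSClient URIs come from the fragment.

```python
import xml.etree.ElementTree as ET
# Constructed stand-alone copy of the <claimsAuthorizationManager> fragment from the
# walkthrough, wrapped in the parent elements it lives under in web.config.
WEB_CONFIG_FRAGMENT = """<configuration>
  <microsoft.identityModel>
    <service>
      <claimsAuthorizationManager type="ClaimsAuthorization.CustomClaimsAuthorizationManager">
        <strongAuthenticationTypes>
          <authenticationType type="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient"/>
          <authenticationType type="http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/tlsclient"/>
        </strongAuthenticationTypes>
        <authorization>
          <policy>
            <allow claimType="*"/>
          </policy>
        </authorization>
      </claimsAuthorizationManager>
    </service>
  </microsoft.identityModel>
</configuration>"""
# Same fragment with a stray </policy> where the opening <policy> belongs, a slip that is
# easy to make when pasting into Notepad; constructed to show what the check catches.
BROKEN_FRAGMENT = WEB_CONFIG_FRAGMENT.replace("<policy>", "</policy>", 1)
# WIF claim type that carries the authentication method (assumed; not given on the page).
AUTHN_METHOD_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
# Constructed sample tokens as (claim type, value) pairs; the password method URI is assumed.
CERT_CLAIMS = [(AUTHN_METHOD_CLAIM, "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient"),
               (EMAIL_CLAIM, "frankm@fabrikam.com")]
PASSWORD_CLAIMS = [(AUTHN_METHOD_CLAIM, "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password"),
                   (EMAIL_CLAIM, "frankm@fabrikam.com")]

def config_is_well_formed(xml_text):
    """True if the fragment parses; the misplaced </policy> makes this False."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

def load_strong_authentication_types(xml_text):
    """Collect the authentication-method URIs the manager treats as strong (X.509 / TLS client)."""
    root = ET.fromstring(xml_text)
    return {at.get("type") for sat in root.iter("strongAuthenticationTypes")
            for at in sat.iter("authenticationType")}

def is_strongly_authenticated(claims, strong_types):
    """Step-up decision: the token must carry at least one strong authentication method."""
    methods = {value for claim_type, value in claims if claim_type == AUTHN_METHOD_CLAIM}
    return bool(methods & strong_types)
```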
12. Add a second custom rule. In this rule, we combine the previously queried trial information
with the user's e-mail address to discover which role the user belongs to. To add
another custom rule, click Add Rule, select Send Claims Using a Custom Rule, and
then click Next. For Claim rule name, type User Role, and for Custom rule, type the
following, and then click Finish. (For convenience, this rule is saved in a file called
Custom Rule2 on the desktop. You can copy and paste it from there.)
c1:[Type ==
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
&& c2:[Type ==
"http://schemas.microsoft.com/ws/2008/06/identity/claims/trial"]
13. Now we create a third custom rule. In the third rule, we use the previously queried role
claim to look up the SharePoint role claim and assign its value to the outgoing role claim.
To add another custom rule, click Add Rule, select Send Claims Using a Custom Rule,
and then click Next. For Claim rule name, type SharePoint Role, and for Custom rule,
type the following, and then click Finish. (For convenience, this rule is saved in a file
called Custom Rule3 on the desktop. You can copy and paste it from there.)
c:[Type ==
"http://schemas.microsoft.com/ws/2008/06/identity/claims/incomingtrialrole"]
14. Now that we have gathered all the role information, we will add three new rules. Each
rule checks whether the role value is one of Domain Admins, sp_visitor or
sp_admin. For the first rule, click Add Rule. In the wizard page that appears, keep the
default option, Permit or Deny Users Based on an Incoming Claim, and then click
Next. On the next page, for Claim rule name, type Permit Domain Admins, for
Incoming claim type, select Role in the drop-down menu, and for Incoming claim
value, type Domain Admins, and then click Finish.
15. For the other two rules, repeat the instructions in step 14 with Claim rule name as
Permit sp_visitor and Permit sp_admin and an Incoming claim value of sp_visitor
and sp_admin.
To try out this scenario, log on to ContosoSrv01 and navigate to https://docs.contoso.com. Sign in
as either contoso\administrator or contoso\danielw at the Contoso sign-in page. You will have
access to the SharePoint site. This is because contoso\administrator belongs to Domain Admins
group in AD DS and danielw maps to sp_admin group, based on the information in the SQL
database.
Try accessing https://docs.contoso.com from the FabrikamSrv01 computer as
fabrikam\frankm. You will see that frankm has access to the SharePoint site because frankm's e-
mail address maps to the sp_visitor role in the SQL database. Now try accessing the
https://docs.contoso.com site as fabrikam\alices. You will see access denied for Alice at the
Contoso AD FS Web site because Alice's account does not map to any of the role values for
which we just added rules.
Congratulations! This concludes our walkthrough of federated document collaboration using
Microsoft Office SharePoint Server 2007 with AD FS 2.0.