Using Active Directory Federation Services with AD RMS

Applies To: Windows Server 2008, Windows Server 2008 R2

Increasingly, organizations need to collaborate outside their enterprise boundaries and are looking at federation as a solution.

In Windows Server 2008, Active Directory Rights Management Services rights can be assigned to users in forests that have a federated trust in place via Active Directory Federation Services. This enables organizations to share rights-protected content without establishing another trust or building a separate Active Directory Rights Management Services infrastructure.

Active Directory Federation Services (AD FS) is a standards-based service that enables federation of identity by implementing claims-based authentication across forests. Claims-based authentication is the process of authenticating a user based on a set of claims contained in a trusted token. The token is typically issued and signed by a trusted entity.

With AD FS, identity federation is established between two organizations by establishing trust between two security realms. An AD FS server on one side of the trust (ADFS-ACCOUNT) authenticates the user through Active Directory Domain Services and issues a token containing a series of claims about the user, including her identity. On the other side, an AD FS server (ADFS-RESOURCE) validates the token and issues a separate token that the local servers accept, enabling the user to access a requested resource. This process enables an organization to provide controlled access to its resources or services to a user who belongs to another security realm. Users do not have to authenticate directly to the federated environment, and the organizations do not have to share user identities or passwords.

In order to benefit from identity federation, a service must accept federated identities, and AD RMS is one such service. In particular, AD RMS is designed to accept requests for licenses from remote users through a single sign-on agent or Web single sign-on, and to redirect the requests to the local federation server (ADFS-RESOURCE). This server requires the user to authenticate to ADFS-ACCOUNT, which authenticates the user via Active Directory and issues the corresponding security token. This token is presented to the single sign-on agent, which validates the token and provides the identity to the AD RMS server. Finally, the AD RMS server issues the requested licenses.

The process is illustrated in the following diagram.

AD FS provides a very efficient way to deliver access to protected content to users in remote, independent organizations, including organizations that have not deployed AD RMS. It also uses infrastructure that can be reused for other federation purposes, such as providing access to extranet sites and to SharePoint Server-based sites.

At the same time, AD FS integration for AD RMS has some limitations when compared to other alternatives, such as trusted user domains and trusted publishing domains. One potentially significant limitation is that AD RMS with AD FS, in its current implementation, does not provide group expansion capabilities for remote groups. This implies that a remote user belonging to a group that has been assigned rights to a document cannot exercise those rights unless she has also been individually assigned the same rights.

A second limitation is that AD FS integration is dependent on the capabilities of the client device accessing a protected document. Today, Windows Mobile clients are not able to authenticate through AD FS, so such clients can consume AD RMS-protected documents only if their users are in the same forest as the AD RMS server that issued the publishing license, or if the organization uses trusted user domains or trusted publishing domains. In addition, the Rights Management Add-on document viewer for Internet Explorer, typically used when the recipient does not have an IRM-capable application, does not support AD FS authentication.

Finally, using AD FS with AD RMS imposes some requirements on the infrastructure, such as access to the AD RMS servers from the Internet, and specific configuration on the client. On the client, the remote federation servers' URLs must be placed in the Trusted sites zone and the local federation servers in the Local intranet zone in the Internet Explorer security settings.
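The following PowerShell script is an added example, not part of this article, showing one way to apply the client zone assignments just described for a single user by writing the Internet Explorer ZoneMap entries under HKEY_CURRENT_USER (zone 1 is Local intranet, zone 2 is Trusted sites). The host names adfs-resource.contoso.example and adfs-account.partner.example are placeholders; in a managed environment the same mappings are normally pushed by Group Policy rather than scripted per user.

```powershell
# Added example: map federation server host names to IE security zones for the current user.
# Assumes the ZoneMap\Domains layout: one key per domain, subkey per host label,
# and a DWORD named after the scheme (https) whose value is the zone number.
$zoneMapRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Set-IEZoneForHost {
    param(
        [Parameter(Mandatory)][string]$HostName,   # e.g. adfs-resource.contoso.example
        [Parameter(Mandatory)][ValidateSet(1, 2)][int]$Zone  # 1 = Local intranet, 2 = Trusted sites
    )
    # Split "host.domain.tld" into the host label and the parent domain.
    $labels = $HostName.Split('.')
    $hostLabel = $labels[0]
    $domain = ($labels | Select-Object -Skip 1) -join '.'
    $key = Join-Path (Join-Path $zoneMapRoot $domain) $hostLabel
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Only https is mapped: federation endpoints are expected to be served over TLS.
    New-ItemProperty -Path $key -Name 'https' -PropertyType DWord -Value $Zone -Force | Out-Null
}

# Local federation server (ADFS-RESOURCE) goes into the Local intranet zone;
# the partner's federation server (ADFS-ACCOUNT) goes into the Trusted sites zone.
Set-IEZoneForHost -HostName 'adfs-resource.contoso.example' -Zone 1   # placeholder host
Set-IEZoneForHost -HostName 'adfs-account.partner.example'  -Zone 2   # placeholder host

# Read the mappings back so the assignment can be verified on the client.
Get-ChildItem $zoneMapRoot -Recurse |
    Where-Object { $_.Property -contains 'https' } |
    ForEach-Object {
        [pscustomobject]@{
            Host = $_.PSPath -replace '.*\\Domains\\', '' -replace '\\', '.'
            Zone = (Get-ItemProperty $_.PSPath).https
        }
    }
```

Because zone 2 (Trusted sites) relaxes browser restrictions for the listed hosts, keep the trusted entries limited to the exact federation server names rather than a whole partner domain.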

Despite these limitations, AD FS provides important benefits, especially in environments where partner organizations cannot implement their own AD RMS servers, because it provides a solution that requires minimal trust between organizations.