
Tejas Patel Program Manager Microsoft Corporation


Presentation Transcript


  1. SESSION CODE: SIA313. Secure Collaboration: All You Need to Know about Extending Active Directory Rights Management Services (AD RMS) Protected Content to External Parties. Tejas Patel, Program Manager, Microsoft Corporation

  2. Session Objectives
     • Overview of Active Directory Rights Management Services (AD RMS)
     • AD RMS within an Enterprise environment
     • Enable secure collaboration using AD RMS
     • AD RMS Trusted User Domains
     • AD RMS Integration with Active Directory Federation Services
     • AD RMS Integration with the Microsoft Federation Gateway
     • Questions

  3. Secure Collaboration
     Enable more secure business collaboration from virtually anywhere and across devices, while preventing unauthorized use of confidential information.
     PROTECT everywhere | ACCESS anywhere | INTEGRATE and EXTEND security | SIMPLIFY security, MANAGE compliance
     • Enterprise-wide visibility
     • Easier partner management
     • Secure, seamless access
     • Protect sensitive information in documents
     • Best-in-class anti-malware
     • Deep Microsoft SharePoint and Office integration
     • Standards-based interoperability across organizations and cloud

  4. Session Objectives (agenda slide repeated from slide 2)

  5. AD Rights Management Services = Encryption + Persistent Protection
     • Provides identity-based protection for sensitive data
     • Controls access to information across the information lifecycle
     • Allows only authorized access based on trusted identity
     • Secures transmission and storage of sensitive information wherever it goes – policies embedded into the content; documents encrypted
     • Embeds digital usage policies (print, view, edit, expiration etc.) into the content to help prevent misuse after delivery
     Policy:
     • Access Permissions
     • Use Right Permissions

  6. Active Directory Rights Management Services
     • AD RMS is a server role in Windows Server 2008 and 2008 R2
     • The AD RMS client supports Windows XP through Windows 7
     • Microsoft IRM-enabled applications include:
       • Office 2003 through 2010
       • Exchange Server 2007 & 2010
       • SharePoint 2007 & 2010
     • Sharing protected content is disabled by default
       • AD RMS requires additional configuration to share content outside of the protection domain
       • Provides control to the IT administrator to determine sharing relationships

  7. Session Objectives
     • Overview of Active Directory Rights Management Services (AD RMS)
     • AD RMS concepts and deployment within the Enterprise
     • Enable secure collaboration using AD RMS
     • AD RMS Trusted User Domains
     • AD RMS Integration with Active Directory Federation Services
     • AD RMS Integration with the Microsoft Federation Gateway
     • Questions

  8. Basic AD RMS Deployment (diagram: RMS Cluster on the Corporate Network, clients reached across The Internet; numbered steps 1 to 7 showing the CLC, RAC, PL and UL exchanged with the cluster)

  9. Session Objectives (agenda slide repeated from slide 2)

  10. Sharing Sensitive Content – The Default Today

  11. Enable sharing of IRM Protected Content
     • Allow users to securely collaborate
       • Enable users to share sensitive information in a seamless manner
       • Sharing securely should not interfere with collaboration
     • Enterprises can retain control of their data
       • Enterprises can create policies determining who has access to content
       • Enterprises can manage partnerships between organizations
     • AD RMS supports several mechanisms to enable sharing of IRM protected content
       • Trusted User Domains
       • Integration with Active Directory Federation Services
       • Integration with the Microsoft Federation Gateway

  12. Session Objectives (agenda slide repeated from slide 2)

  13. AD RMS Trusted User Domains
     • AD RMS Trusted User Domains (TUD)
       • An AD RMS domain refers to the scope of an AD RMS certification cluster: the Active Directory forest
       • Not to be confused with an Active Directory domain
       • Allow trust to be established between AD RMS domains. This is completely independent from AD forest or domain trust
     • Scenario:
       • Enables sharing of AD RMS protected content within enterprises that have multiple forests in which user accounts are located
       • AD RMS Trusted User Domains are recommended for sharing content within the Enterprise

  14. AD RMS Trusted User Domains
     • Two entities (forests within a company) have their own AD RMS installation
     • By default, AD RMS will not license content to users from other AD RMS installations
     • TUD enables users from one AD RMS domain to acquire a license from a server in another domain
       • An AD RMS licensing server will issue a use license to a RAC issued by another trusted AD RMS cluster
       • RAC validation can occur after importing a trusted Server Licensor Certificate
       • Authentication to the licensing service must be addressed

  15. AD RMS Trusted User Domains (diagram: AD RMS Forest A and AD RMS Forest B)
     • John in Forest A sends RM content to Monica in Forest B
     • Monica in Forest B sends PL and RAC with request for UL from Forest B

  16. How AD RMS Trusted User Domains Work (diagram: AD RMS Forest A and AD RMS Forest B)
     1) Export TUD from Forest 2
     2) Import TUD from Forest 2
     3) John in Forest A sends RM content to Monica in Forest B
     4) Monica in Forest B sends PL and RAC with request for UL
     5) Server uses imported SLC to verify Monica’s RAC and returns UL
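The TUD export/import of slides 14 and 16, carried out with the AD RMS administration cmdlets of Windows Server 2008 R2, as an added example that is not part of the deck. The cluster URLs, drive names, file paths and display name are assumptions; the check at the end lists what Forest A now trusts.

```powershell
# Added example, not from the presentation. Cluster URLs and paths below are assumed.
# Runs on a machine with the AD RMS administration cmdlets (Windows Server 2008 R2).
Import-Module AdRmsAdmin

# Step 1 (slide 16): export the Server Licensor Certificate of the Forest B cluster as a TUD file.
# Forest B is the "Forest 2" of the slide: its users (Monica) hold the RACs that Forest A must trust.
$forestB = 'https://rms.forest-b.example'   # assumed cluster URL
New-PSDrive -Name B -PSProvider AdRmsAdmin -Root $forestB | Out-Null
Export-RmsTUD -Path 'B:\TrustPolicy\TrustedUserDomain' -SavedFile 'C:\tud\ForestB.bin'
Remove-PSDrive -Name B

# Step 2: import that file into the Forest A cluster, so A's licensing server can verify a RAC
# signed by B's SLC when Monica presents PL + RAC and asks for a UL (slide 16, steps 4 and 5).
# Copy the .bin file to the Forest A administration machine before running this part.
$forestA = 'https://rms.forest-a.example'   # assumed cluster URL
New-PSDrive -Name A -PSProvider AdRmsAdmin -Root $forestA | Out-Null
Import-RmsTUD -Path 'A:\TrustPolicy\TrustedUserDomain' `
              -SourceFile 'C:\tud\ForestB.bin' `
              -DisplayName 'Forest B'         # assumed display name

# Check: list the trusted user domains configured on Forest A. Forest B must appear here;
# without it, UL requests carrying Forest B RACs are refused (slide 14, default behaviour).
Get-RmsTUD -Path 'A:\TrustPolicy\TrustedUserDomain' | Format-List
Remove-PSDrive -Name A

# Caveat from slide 14: the TUD only lets Forest A validate Forest B RACs. Monica's client still
# has to authenticate to Forest A's licensing service (for example through an AD trust between
# the forests), which the TUD itself does not provide.
```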

  17. Session Objectives (agenda slide repeated from slide 2)

  18. AD RMS Integration with Active Directory Federation Services (ADFS)
     • AD RMS native scope is the AD forest
       • Can be extended to other forests via directory federation
     • ADFS is a standards-based directory federation system
       • Natively supported by AD RMS
     • Scenarios:
       • Extending AD RMS usage to External Parties
       • No AD RMS is required in the external party
       • AD and AD FS required
     • AD RMS/ADFS is recommended for sharing IRM content outside of the Enterprise when using Office clients (Outlook, Excel, Word etc.) and SharePoint

  19. New AD RMS Features in Windows Server 2008 R2
     • Group Expansion
       • Allows organizations to collaborate with groups of people instead of identifying external users individually
       • Groups are defined in the publishing organization’s directory
       • AD RMS will access the local Active Directory to look up the group membership
     • 3rd Party Federation Support
       • Enables AD RMS to work with non-ADFS Security Token Services
       • Uses Forms Based Authentication

  20. AD RMS Integration with AD FS Scenario (diagram: Contoso and Fabrikam, with AD, AD FS-A, FS-R, a WebSSO agent and the RMS server; numbered steps 1 to 12 showing the CLC, RAC, PL and UL exchanged)
     Assume author is already bootstrapped
     • Author sends protected mail to recipient at Fabrikam
     • Recipient contacts RMS server to get bootstrapped
     • WebSSO agent intercepts request
     • RMS client is redirected to FS-R for home realm discovery
     • RMS client is redirected to FS-A for authentication
     • RMS client is redirected back to FS-R for authentication
     • RMS client makes request to RMS server for bootstrapping
     • WebSSO agent intercepts request, checks authentication, and sends request to RMS server
     • RMS server returns bootstrapping certificates to recipient
     • RMS server returns use license to recipient
     • Recipient accesses protected content

  21. AD RMS Integration with Active Directory Federation Services DEMO

  22. AD RMS Integration with AD FS
     Tips for enabling AD FS integration with AD RMS
     • Both organizations must have ADFS installed and deployed
     • Grant Security Audit Privileges to the AD RMS Service Account
     • Add an Extranet URL
     • Ensure SSL has been enabled for the AD RMS cluster
     • Install the ADFS sub-role for AD RMS
       • Provide the URI of the ADFS server during this step
     • Enable the feature via the AD RMS MMC console
     • Remember: the Home Realm Discovery registry key must be deployed to clients

  23. Session Objectives (agenda slide repeated from slide 2)

  24. AD RMS Integration with the Microsoft Federation Gateway
     • Microsoft Federation Gateway (MFG)
       • Identity service that runs in the cloud (over the Internet and beyond your corporate network domain)
       • Allows users from one federated organization to be trusted by another federated organization
     • Scenarios:
       • Extends AD RMS usage to External Parties for Exchange 2010 SP1 IRM features
       • No AD RMS is required in the external party
       • Enables IRM in OWA, Transport Decryption, Journal Decryption for B2B Scenarios
     • Requires AD RMS Windows Server 2008 R2 SP1

  25. AD RMS Integration with MFG (diagram used on slides 25 to 33: Contoso with its AD RMS cluster and user Jane, Fabrikam with Exchange 2010 and user Marcus, and the MFG between them)
     Fabrikam may also have their own RMS deployment

  26. AD RMS Integration with MFG
     1) Contoso enrolls their RMS cluster with MFG

  27. AD RMS Integration with MFG
     2) Fabrikam federates their Exchange 2010 server with MFG

  28. AD RMS Integration with MFG
     3) Jane sends message to Marcus. Message gets automatically protected
        Jane could have protected the message at OWA/OLK

  29. AD RMS Integration with MFG
     5) Fabrikam makes a SAML token request to MFG for their federated identity (diagram: token T)

  30. AD RMS Integration with MFG
     6) Fabrikam makes a Certify call to Contoso (diagram: RAC)
        Fabrikam will cache the RAC to use in future requests

  31. AD RMS Integration with MFG
     8) Fabrikam makes a SAML token request to MFG for their federated identity (diagram: token T)
        All proxy addresses of the federated identity are included in the token

  32. AD RMS Integration with MFG
     9) Fabrikam makes a Use License call to Contoso, presenting the RAC and MFG token (diagram: UL)
        The Use License call is batched and a single MFG token is presented for all recipients

  33. AD RMS Integration with MFG
     Marcus views the RMS message in OWA, and can reply to Jane
     The Use License will be used to decrypt the message for OWA, Transport Decryption, Journal Report Decryption

  34. AD RMS Integration with the Microsoft Federation Gateway DEMO

  35. AD RMS Integration with MFG
     • Tips for enabling MFG integration within RMS
       • Install Windows Server 2008 R2 SP1 on all AD RMS front end machines
         • Remember to back up the database prior to upgrade
       • Add MFG support via the AD RMS MMC console
         • Creates new IIS virtual directories and updates configuration of AD RMS
       • Register the AD RMS cluster with the MFG
         • Requires RMS to be deployed with SSL
         • SSL certificate used to authenticate with the MFG
       • Enable the feature

  36. Questions?

  37. Related Content
     Breakout & Interactive Sessions
     • SIA323 | Business Ready Security: Securely Collaborate with Partners and Employees Using SharePoint, Microsoft Forefront, and Windows Server 2008 R2 Active Directory
     • SIA312 | Secure Collaboration: Install and Configure Remote Access for Microsoft SharePoint Server in an Hour
     • SIA313 | Secure Collaboration: All You Need to Know about Extending Active Directory Rights Management Services (AD RMS) Protected Content to External Parties
     • SIA315 | Secure Collaboration: Microsoft Forefront Protection 2010 for SharePoint Deep Dive
     • SIA309-INT | Secure Collaboration: Protecting Your Microsoft SharePoint Server Using Microsoft Forefront Business Ready Security
     Hands-On Lab
     • SIA08-HOL | Secure Collaboration Solution: Business Ready Security with Microsoft Forefront and Active Directory
     Product Demo Station
     • Red SIA-4 | Microsoft Forefront Secure Collaboration Solution

  38. Track Resources
     Learn more about our solutions:
     • http://www.microsoft.com/forefront
     Try our products:
     • http://www.microsoft.com/forefront/trial

  39. Resources
     Learning
     • Sessions On-Demand & Community: www.microsoft.com/teched
     • Microsoft Certification & Training Resources: www.microsoft.com/learning
     • Resources for IT Professionals: http://microsoft.com/technet
     • Resources for Developers: http://microsoft.com/msdn

  40. Complete an evaluation on CommNet and enter to win!

  41. Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st: http://northamerica.msteched.com/registration. You can also register at the North America 2011 kiosk located at registration. Join us in Atlanta next year!

  42. © 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
