AD RMS Key Concepts
Deploying AD RMS in Complex Scenarios
Multiple forests
Logically isolated environments
Physically isolated environments
Centralized licensing
Integrating Partners
Extranet
Diagram (animation build-up): AD RMS Server, Active Directory, SQL; Protection and Consumption flows, CLC; numbered steps 1 to 9.
AD RMS Server Terminology
Certification server (or cluster)
  First AD RMS server (cluster) in the enterprise
  Provides certification and licensing capabilities
Licensing server (optional)
  Provides licensing services only
  Relies on a certification server for certification of users
Cluster
  Group of equivalent AD RMS servers sharing the same database
  Not to be confused with Windows Server Clustering Services
AD RMS Infrastructure Components
Diagram: AD RMS Server, Active Directory, SQL, MOSS 2007, Exchange Server 2007 SP1, mobile devices (Windows Mobile 6.0), RMS Client, RM-enabled application.
AD RMS Topology
Diagram: AD RMS root server / Certification Cluster with its database; License-only Server with its database; License-only Server Cluster with its database.
AD RMS Server
Runs on Windows Server 2008 inside IIS
  It’s a web service!
  Typically runs over SSL
  Requires IIS with ASP.NET
Stateless
Uses (before Windows 8) Microsoft Message Queuing
  Responsible for transactions to be applied to the SQL database
  Provides tolerance when connectivity is lost between the AD RMS server and SQL Server
AD RMS Databases
AD RMS web services are stateless
  All persistent information is stored in SQL Server
Three separate databases
  Configuration: hosts configuration data, cluster and user keys
  Caching: caches AD identities and group membership
  Logging: stores logs of licensing operations
Most operations are performed asynchronously
  Data is written to MSMQ, flushed to the DB when possible
  If the DB is not available, AD RMS continues to work “almost” normally
Active Directory
Provides authentication
  All accounts related to AD RMS must have an email account
Provides Service Connection Point (SCP) for service location
Determines recipient group membership
  Active Directory should be in native mode for group propagation
One AD RMS root cluster per forest
  AD RMS certification is limited to users in the AD forest
What’s in a Certificate
AD RMS uses certificates for identity and licenses
AD RMS does not use X.509 certificates!
  It uses XrML certs instead
  Similar to X.509 but with room for policy
Identity certificate: “this is User X and her email is…”
There are also machine and server certificates
What’s in a License
An IRM protected document has an embedded “Publishing License”
  List of rights (like an ACL)
  Subjects of rights are email addresses (groups or users)
  Rights are operations: View, Edit, Copy, Forward, …
AD RMS Certificates and Licenses
SLC: Server Licensor Certificate. Identifies an AD RMS cluster.
SPC: Security Processor Certificate. Identifies a client machine.
RAC: Rights Account Certificate. Identifies an AD RMS user.
CLC: Client Licensor Certificate. Identifies an author in AD RMS.
PL: Publishing License. Identifies a protected document and its policy.
UL: Use License. Grants rights over a document.
Scenario: an Adventure user consumes Fabrikam content (Trusted User Domain)
Without a trust between the two organizations:
  … sends RM content to …
  [email protected] sends PL and RAC with request for UL from Fabrikam
  (FAIL)
With Adventure’s SLC imported by Fabrikam:
  1) Adventure sends SLC to Fabrikam
  2) Fabrikam imports SLC
  3) … sends RM content to …
  4) [email protected] sends PL and RAC with request for UL from Fabrikam
  5) Server uses imported SLC to verify Monica’s RAC and returns UL
Scenario: an Adventure user gets a UL for Fabrikam content from a local licensing server (Trusted Publishing Domain)
Without a trust between the two organizations:
  … sends ADRMS content to …
  [email protected] sends PL and RAC with request for UL from local licensing server
  (FAIL)
With Fabrikam’s private key and SLC imported by Adventure:
  1) Fabrikam exports private key and SLC
  2) Adventure imports private key and SLC
  3) … sends ADRMS content to …
  4) [email protected] sends PL and RAC with request for UL from local licensing server
  5) Adventure uses imported private key to decrypt PL and issues UL
Scenario: federated access between Fabrikam and Adventure (AD FS)
Diagram: Fabrikam AD RMS published through ISA Server; federation servers FS-A and FS-R; PL sent at step 2, RAC and CLC returned at step 10, UL returned at step 11.
1. Assume author is already bootstrapped
2. Author sends protected email to recipient at Adventure
3. Recipient contacts published Fabrikam AD RMS server to get bootstrapped
4. WebSSO agent intercepts request
5. AD RMS client is redirected to Federation Server (FS)-R for home realm discovery through ISA Server
6. AD RMS client is redirected to FS-A for authentication
7. AD RMS client is redirected back to FS-R for authentication
8. AD RMS client makes request to AD RMS server for bootstrapping
9. WebSSO agent intercepts request, checks authentication, and sends request to AD RMS server
10. AD RMS server returns bootstrapping certificates to recipient
11. AD RMS server returns use license to recipient
12. Recipient accesses protected content
Cross-Forest Group Expansion
Diagram: User’s Domain (contosobranch.com) with its DC and AD RMS (SCP: ADRMS.contosobranch.com); another forest (contosocorp.com) with its DC and AD RMS; Outlook or other client.
Client → AD RMS (contosocorp.com): Hi, I’m John. Can I get a license for this document?
AD RMS (contosocorp.com): Content is protected for … who’s that?
AD RMS (contosocorp.com): I have a contact for … and it points to domain contosobranch.com (duh!)
AD RMS (contosocorp.com) → DC (contosobranch.com): Hey, what’s your RMS SCP?
DC (contosobranch.com): It’s adrms.contosobranch.com
AD RMS (contosocorp.com) → adrms.contosobranch.com/.../groupexpansion.asmx: Hey, is John a member of the marketing group?
AD RMS (contosobranch.com) → DC (contosobranch.com): Give me Marketing group’s members
DC (contosobranch.com): It’s John, Peter and Susan
AD RMS (contosobranch.com): He is, indeed.
AD RMS (contosocorp.com) → Client: Here’s your license!
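As an added illustration (not part of the deck), the following Python model plays through the two flows the slides draw: the Trusted User Domain exchange between Fabrikam and Adventure, including the (FAIL) case before Adventure’s SLC is imported, and the cross-forest group expansion that lets the contosocorp.com cluster decide whether John is in the marketing group. Cluster names, keys and email addresses are constructed, and an HMAC tag stands in for the XrML signature.

```python
import hmac


def _tag(key, *fields):
    # Stand-in for an XrML signature: an HMAC over the certificate fields.
    return hmac.new(key, "|".join(fields).encode(), "sha256").hexdigest()


class Cluster:
    """Toy AD RMS cluster. `key` stands in for the SLC key pair; importing a peer's SLC
    stores its key (simplification: a real SLC carries only the public half)."""
    def __init__(self, name, key, groups=None):
        self.name, self.key = name, key
        self.groups = groups or {}   # this forest's AD: group email -> member emails
        self.trusted = {name: key}   # imported TUD SLCs: issuer -> verification key

    def import_slc(self, other):     # TUD step 2 on the slides: "Fabrikam imports SLC"
        self.trusted[other.name] = other.key

    def issue_rac(self, email):      # RAC: identifies a user certified by this cluster
        return {"email": email, "issuer": self.name,
                "tag": _tag(self.key, "RAC", email, self.name)}

    def rac_is_valid(self, rac):
        key = self.trusted.get(rac["issuer"])
        if key is None:              # issuer's SLC was never imported: the (FAIL) slide
            return False
        return hmac.compare_digest(_tag(key, "RAC", rac["email"], rac["issuer"]), rac["tag"])

    def is_member(self, email, group, forests):
        # Cross-forest group expansion: ask the AD RMS of the forest that owns the group (found via its SCP).
        owner = forests.get(group.split("@")[1])
        return owner is not None and email in owner.groups.get(group, set())

    def request_use_license(self, pl, rac, forests):
        # Steps 4-5: verify the presented RAC, then grant the union of PL rights naming the user or a group she is in.
        if not self.rac_is_valid(rac):
            return None
        granted = set()
        for subject, rights in pl["rights"].items():
            if subject == rac["email"] or self.is_member(rac["email"], subject, forests):
                granted |= rights
        return {"email": rac["email"], "rights": granted} if granted else None


def tud_scenario():
    """Fabrikam content opened by Monica at Adventure, before and after the SLC import."""
    fabrikam = Cluster("Fabrikam", b"fabrikam-slc-key")    # constructed keys and addresses
    adventure = Cluster("Adventure", b"adventure-slc-key")
    pl = {"rights": {"monica@adventure.example": {"View", "Edit"}}}
    rac = adventure.issue_rac("monica@adventure.example")
    before = fabrikam.request_use_license(pl, rac, {})      # (FAIL): SLC not yet imported
    fabrikam.import_slc(adventure)                          # steps 1-2
    return before, fabrikam.request_use_license(pl, rac, {})


def group_expansion_scenario():
    """John (contosobranch.com) opens content protected for the Marketing group only."""
    marketing = "marketing@contosobranch.com"
    branch = Cluster("contosobranch", b"branch-slc-key", {marketing: {
        "john@contosobranch.com", "peter@contosobranch.com", "susan@contosobranch.com"}})
    corp = Cluster("contosocorp", b"corp-slc-key")
    corp.import_slc(branch)                  # corp trusts RACs certified in the branch forest
    forests = {"contosobranch.com": branch, "contosocorp.com": corp}
    pl = {"rights": {marketing: {"View"}}}
    john = corp.request_use_license(pl, branch.issue_rac("john@contosobranch.com"), forests)
    mark = corp.request_use_license(pl, branch.issue_rac("mark@contosobranch.com"), forests)
    return john, mark
```

A RAC whose tag does not verify, or whose issuer has no imported SLC, yields no use license at all; a valid RAC for a user named in no PL entry yields none either.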
Deployment Topology Overview (diagram)
Core forest: Certification Cluster with SQL Server (Cluster), providing Certification and Licensing
Multi Region Forest / Other forests: connected to the core Certification Cluster (TUD)
Users in isolated sub-org.: Licensing-Only Cluster (TPD)
External Organization or Isolated forest (with TUD)
External Organization (with AD FS): AD FS trust
Extranet Topologies
Clients over the Internet: mobile internal user, home user, customer; internal users inside the firewall.

Single firewall, with AD RMS Server, SQL Server, Domain Controller and Global Catalog inside:
  Outside firewall: HTTP 80/tcp, HTTPS 443/tcp
  Inside firewall (AD RMS Server to Domain Controller and Global Catalog):
    HTTP 80/tcp
    Kerberos 88/tcp, 88/udp
    NTP 123/tcp
    DCE RPC 135/tcp
    NetBIOS 137 – 139 tcp and udp
    LDAP 389/tcp
    HTTPS 443/tcp
    SMB 445/tcp
    LDAP GC 3268/tcp
    Dynamic DCE RPC ports

External and internal firewalls, with AD RMS Licensing Server (SQL Server), AD RMS Certification Server (SQL Server), Domain Controller and Global Catalog:
  External firewall: HTTP 80/tcp, HTTPS 443/tcp
  Internal firewall: HTTP 80/tcp, Kerberos 88/tcp and 88/udp, NTP 123/tcp, DCE RPC 135/tcp, NetBIOS 137 – 139 tcp and udp, LDAP 389/tcp, HTTPS 443/tcp, SMB 445/tcp, LDAP GC 3268/tcp, Dynamic DCE RPC ports

Single firewall passing only HTTP 80/tcp and HTTPS 443/tcp, with AD RMS Server, SQL Server, Domain Controller and Global Catalog inside.