Transcription

1

2

3

4

5

6

7 AD RMS Key Concepts Deploying AD RMS in complex Scenarios Multiple forests Logically isolated environments Physically isolated environments Centralized licensing Integrating Partners Extranet

8

9 Active Directory AD RMS Server SQL Protection Consumption

10 Active Directory AD RMS Server SQL Protection Consumption

11 Active Directory CLC AD RMS Server SQL Protection Consumption

12 Active Directory CLC AD RMS Server SQL Protection 1 Consumption

13 Active Directory AD RMS Server SQL Protection 1 Consumption CLC 2

14 Active Directory AD RMS Server SQL Protection 1 3 Consumption CLC 2

15 Active Directory AD RMS Server SQL Protection 1 3 Consumption CLC 2 4

16 Active Directory AD RMS Server SQL Protection CLC Consumption 5

17 Active Directory AD RMS Server SQL Protection CLC Consumption 5

18 7 Active Directory AD RMS Server SQL Protection CLC Consumption 5

19 7 Active Directory Protection CLC AD RMS Server SQL Consumption 5

20 7 Active Directory Protection CLC AD RMS Server SQL Consumption 5 9

21 AD RMS Server Terminology Certification server (or cluster) First AD RMS server (cluster) in the enterprise Provides certification and licensing capabilities Licensing server (optional) Provides licensing services only Relies on a certification server for certification of users Cluster Group of equivalent AD RMS servers sharing the same database Not to be confused with Windows Server Clustering Services

22 AD RMS Infrastructure Components Mobile devices (Windows Mobile 6.0) AD RMS Server RMS Client RM-enabled application

23 AD RMS Infrastructure Components Mobile devices (Windows Mobile 6.0) Active Directory AD RMS Server RMS Client RM-enabled application

24 AD RMS Infrastructure Components Mobile devices (Windows Mobile 6.0) Active Directory SQL AD RMS Server RMS Client RM-enabled application

25 AD RMS Infrastructure Components Mobile devices (Windows Mobile 6.0) Active Directory SQL AD RMS Server RMS Client RM-enabled application MOSS 2007

26 AD RMS Infrastructure Components Mobile devices (Windows Mobile 6.0) Active Directory SQL AD RMS Server RMS Client RM-enabled application MOSS 2007 Exchange Server 2007 SP1

27 AD RMS Topology Database AD RMS Root Server

28 AD RMS Topology Database AD RMS Certification Cluster

29 AD RMS Topology Database AD RMS Certification Cluster Database License-only Server

30 AD RMS Topology Database AD RMS Certification Cluster Database Database License-only Server License-only Server Cluster

31 AD RMS Server Runs on Windows Server 2008 inside IIS It s a web service! Typically runs over SSL Requires IIS with ASP.NET Stateless Uses (before Windows 8) Microsoft Message Queuing Responsible for transactions to be applied to SQL database Provides tolerance when connectivity is lost between ADRMS server and SQL Server AD RMS Server

32 AD RMS Databases AD RMS web services are stateless All persistent information is stored in SQL Server Three separate databases Configuration: hosts configuration data, cluster and user keys Caching: caches AD identities and group membership Logging: stores logs of licensing operations Most operations are performed asynchronously Data is written to MSMQ, flushed to the DB when possible If DB not available, AD RMS continues to work almost normally

33 Active Directory Provides authentication All accounts related to AD RMS must have an account Provides Service Connection Point (SCP) for service location Determines recipient group membership Active Directory should be in native mode for group propagation One AD RMS root cluster per forest AD RMS certification is limited to users in the AD forest Active Directory

34 What s in a Certificate AD RMS uses certificates for identity and licenses AD RMS does not use X.509 certificates! It uses XrML certs instead Similar to X.509 but with room for policy Identity certificate: this is User X and her is There are also machine and server certificates

35 What s in a license An IRM protected document has an embedded Publishing License List of rights (like an ACL) Subjects of rights are addresses Groups or users Rights are operations View Edit Copy Print Forward

36 AD RMS Certificates and Licenses

37 AD RMS Certificates and Licenses

38 AD RMS Certificates and Licenses

39 AD RMS Certificates and Licenses

40 AD RMS Certificates and Licenses

41 AD RMS Certificates and Licenses SLC: Server Licensor Certificate Identifies an AD RMS cluster.

42 AD RMS Certificates and Licenses SPC: Security Processor Certificate: Identifies a client machine

43 AD RMS Certificates and Licenses Identifies an AD RMS user RAC: Rights Account Certificate

44 AD RMS Certificates and Licenses Identifies an author in AD RMS CLC: Client Licensor Certificate

45 AD RMS Certificates and Licenses PL: Publishing License Identifies a protected document and its policy

46 AD RMS Certificates and Licenses PL: Publishing License Identifies a protected document and its policy

47 AD RMS Certificates and Licenses UL: Use License Grants rights over a document

48 AD RMS Certificates and Licenses UL: Use License Grants rights over a document

49

50 Fabrikam

51 Fabrikam Adventure

52 Fabrikam Adventure

53 Fabrikam Adventure sends RM content to

54 Fabrikam Adventure sends RM content to

55 Fabrikam Adventure sends RM content to sends PL and RAC with request for UL from Fabrikam

56 (FAIL) Fabrikam Adventure sends RM content to sends PL and RAC with request for UL from Fabrikam

57

58 Fabrikam

59 Fabrikam Adventure

60 Fabrikam Adventure 1) Adventure sends SLC to Fabrikam

61 Fabrikam Adventure 1) Adventure sends SLC to Fabrikam

62 Fabrikam Adventure 1) Adventure sends SLC to Fabrikam

63 Fabrikam 2) Fabrikam imports SLC Adventure 1) Adventure sends SLC to Fabrikam

64 Fabrikam 2) Fabrikam imports SLC Adventure 1) Adventure sends SLC to Fabrikam

65 Fabrikam 2) Fabrikam imports SLC Adventure 1) Adventure sends SLC to Fabrikam 3) sends RM content to

66 Fabrikam 2) Fabrikam imports SLC Adventure 1) Adventure sends SLC to Fabrikam 3) sends RM content to

67 Fabrikam 2) Fabrikam imports SLC Adventure 1) Adventure sends SLC to Fabrikam 3) sends RM content to 4) sends PL and RAC with request for UL from Fabrikam

68 Fabrikam 2) Fabrikam imports SLC Adventure 1) Adventure sends SLC to Fabrikam 5) Server uses imported SLC to verify Monica s RAC and returns UL 3) John@fabrikam.com sends RM content to Monica@adventure.com 4) Monica@adventure.com sends PL and RAC with request for UL from Fabrikam

69 Fabrikam 2) Fabrikam imports SLC Adventure 1) Adventure sends SLC to Fabrikam 5) Server uses imported SLC to verify Monica s RAC and returns UL 3) John@fabrikam.com sends RM content to Monica@adventure.com 4) Monica@adventure.com sends PL and RAC with request for UL from Fabrikam

70 Fabrikam 2) Fabrikam imports SLC Adventure 1) Adventure sends SLC to Fabrikam 5) Server uses imported SLC to verify Monica s RAC and returns UL 3) John@fabrikam.com sends RM content to Monica@adventure.com 4) Monica@adventure.com sends PL and RAC with request for UL from Fabrikam

71

72 Fabrikam

73 Fabrikam Adventure

74 Fabrikam Adventure

75 Fabrikam Adventure sends ADRMS content to

76 Fabrikam Adventure sends ADRMS content to

77 Fabrikam Adventure sends ADRMS content to sends PL and RAC with request for UL from local licensing server

78 Fabrikam Adventure sends ADRMS content to sends PL and RAC with request for UL from local licensing server

79 Fabrikam Adventure (FAIL) sends ADRMS content to sends PL and RAC with request for UL from local licensing server

80

81 Fabrikam

82 Fabrikam Adventure

83 1) Fabrikam exports private key and SLC Fabrikam Adventure

84 1) Fabrikam exports private key and SLC Fabrikam Adventure 2) Adventure imports private key and SLC

85 1) Fabrikam exports private key and SLC Fabrikam Adventure 2) Adventure imports private key and SLC

86 1) Fabrikam exports private key and SLC Fabrikam Adventure 2) Adventure imports private key and SLC

87 1) Fabrikam exports private key and SLC Fabrikam Adventure 2) Adventure imports private key and SLC 3) sends ADRMS content to

88 1) Fabrikam exports private key and SLC Fabrikam Adventure 2) Adventure imports private key and SLC 3) sends ADRMS content to

89 1) Fabrikam exports private key and SLC Fabrikam Adventure 2) Adventure imports private key and SLC 3) sends ADRMS content to 4) sends PL and RAC with request for UL from local licensing server

90 1) Fabrikam exports private key and SLC Fabrikam Adventure 2) Adventure imports private key and SLC 3) sends ADRMS content to 4) sends PL and RAC with request for UL from local licensing server

91 1) Fabrikam exports private key and SLC Fabrikam Adventure 2) Adventure imports private key and SLC 5) Adventure uses imported private key to decrypt PL and issues UL 3) sends ADRMS content to 4) sends PL and RAC with request for UL from local licensing server

92 1) Fabrikam exports private key and SLC Fabrikam Adventure 2) Adventure imports private key and SLC 5) Adventure uses imported private key to decrypt PL and issues UL 3) sends ADRMS content to 4) sends PL and RAC with request for UL from local licensing server

93 1) Fabrikam exports private key and SLC Fabrikam Adventure 2) Adventure imports private key and SLC 5) Adventure uses imported private key to decrypt PL and issues UL 3) sends ADRMS content to 4) sends PL and RAC with request for UL from local licensing server

94

95 Fabrikam FS-R Adventure FS-A AD RMS ISA

96 Fabrikam FS-R Adventure FS-A 1. Assume author is already bootstrapped AD RMS ISA

97 Fabrikam FS-R Adventure FS-A 1. Assume author is already bootstrapped 2. Author sends protected to recipient at Adventure AD RMS ISA 2 PL

98 Fabrikam FS-R Adventure FS-A 1. Assume author is already bootstrapped 2. Author sends protected to recipient at Adventure 3. Recipient contacts published Fabrikam AD RMS server to get bootstrapped AD RMS ISA 3 2 PL

99 Fabrikam FS-R Adventure FS-A 1. Assume author is already bootstrapped 2. Author sends protected to recipient at Adventure 3. Recipient contacts published Fabrikam AD RMS server to get bootstrapped 4. WebSSO agent intercepts request 4 AD RMS ISA 3 2 PL

100 Fabrikam FS-R Adventure FS-A 1. Assume author is already bootstrapped 2. Author sends protected to recipient at Adventure 3. Recipient contacts published Fabrikam AD RMS server to get bootstrapped 4. WebSSO agent intercepts request 4 AD RMS ISA 3 2 PL

101 Fabrikam FS-R Adventure FS-A 1. Assume author is already bootstrapped 2. Author sends protected to recipient at Adventure 3. Recipient contacts published Fabrikam AD RMS server to get bootstrapped 4. WebSSO agent intercepts request 5. AD RMS client is redirected to Federation Server (FS)-R for home realm discovery through ISA Server 4 5 AD RMS ISA 3 2 PL

102 Fabrikam FS-R 4 5 Adventure FS-A 6 1. Assume author is already bootstrapped 2. Author sends protected to recipient at Adventure 3. Recipient contacts published Fabrikam AD RMS server to get bootstrapped 4. WebSSO agent intercepts request 5. AD RMS client is redirected to Federation Server (FS)-R for home realm discovery through ISA Server 6. AD RMS client is redirected to FS-A for authentication AD RMS ISA 3 2 PL

103 Fabrikam FS-R Adventure FS-A 1. Assume author is already bootstrapped 2. Author sends protected to recipient at Adventure 3. Recipient contacts published Fabrikam AD RMS server to get bootstrapped 4 ISA WebSSO agent intercepts request 5. AD RMS client is redirected to Federation Server (FS)-R for home realm discovery through ISA Server 6. AD RMS client is redirected to FS-A for authentication 7. AD RMS client is redirected back to FS-R for authentication AD RMS 2 PL

104 Fabrikam FS-R Adventure FS-A 1. Assume author is already bootstrapped 2. Author sends protected to recipient at Adventure 3. Recipient contacts published Fabrikam AD RMS server to get bootstrapped AD RMS 4 ISA WebSSO agent intercepts request 5. AD RMS client is redirected to Federation Server (FS)-R for home realm discovery through ISA Server 6. AD RMS client is redirected to FS-A for authentication 7. AD RMS client is redirected back to FS-R for authentication 8. AD RMS client makes request to AD RMS server for bootstrapping 2 PL

105 Fabrikam FS-R Adventure FS-A 1. Assume author is already bootstrapped 2. Author sends protected to recipient at Adventure 3. Recipient contacts published Fabrikam AD RMS server to get bootstrapped 9 AD RMS 4 ISA WebSSO agent intercepts request 5. AD RMS client is redirected to Federation Server (FS)-R for home realm discovery through ISA Server 6. AD RMS client is redirected to FS-A for authentication 7. AD RMS client is redirected back to FS-R for authentication 8. AD RMS client makes request to AD RMS server for bootstrapping 9. WebSSO agent intercepts request, checks authentication, and sends request to AD RMS server 2 PL

106 Fabrikam FS-R Adventure FS-A 1. Assume author is already bootstrapped 2. Author sends protected to recipient at Adventure 3. Recipient contacts published Fabrikam AD RMS server to get bootstrapped 9 AD RMS 2 4 ISA WebSSO agent intercepts request 5. AD RMS client is redirected to Federation Server (FS)-R for home realm discovery through ISA Server 6. AD RMS client is redirected to FS-A for authentication 7. AD RMS client is redirected back to FS-R for authentication 8. AD RMS client makes request to AD RMS server for bootstrapping 9. WebSSO agent intercepts request, checks authentication, and sends request to AD RMS server 10. AD RMS server returns bootstrapping certificates to recipient PL 10 RAC CLC

107 Fabrikam FS-R Adventure FS-A 1. Assume author is already bootstrapped 2. Author sends protected to recipient at Adventure 3. Recipient contacts published Fabrikam AD RMS server to get bootstrapped 9 AD RMS 2 4 ISA PL WebSSO agent intercepts request 5. AD RMS client is redirected to Federation Server (FS)-R for home realm discovery through ISA Server 6. AD RMS client is redirected to FS-A for authentication 7. AD RMS client is redirected back to FS-R for authentication 8. AD RMS client makes request to AD RMS server for bootstrapping 9. WebSSO agent intercepts request, checks authentication, and sends request to AD RMS server 10. AD RMS server returns bootstrapping certificates to recipient 11. AD RMS server returns use license to recipient RAC CLC UL 11

108 Fabrikam FS-R Adventure FS-A 1. Assume author is already bootstrapped 2. Author sends protected to recipient at Adventure 3. Recipient contacts published Fabrikam AD RMS server to get bootstrapped 9 AD RMS 2 4 ISA PL 6 10 RAC CLC UL WebSSO agent intercepts request 5. AD RMS client is redirected to Federation Server (FS)-R for home realm discovery through ISA Server 6. AD RMS client is redirected to FS-A for authentication 7. AD RMS client is redirected back to FS-R for authentication 8. AD RMS client makes request to AD RMS server for bootstrapping 9. WebSSO agent intercepts request, checks authentication, and sends request to AD RMS server 10. AD RMS server returns bootstrapping certificates to recipient 11. AD RMS server returns use license to recipient 12. Recipient accesses protected content

109

110

111 Cross-Forest Group Expansion Outlook or other client AD RMS AD RMS SCP: ADRMS.contosobranch.com DC DC User s Domain (contosobranch.com) Another forest (contosocorp.com)

112 Cross-Forest Group Expansion Outlook or other client Hi, I m John. Can I get a license for this document? AD RMS AD RMS SCP: ADRMS.contosobranch.com DC DC User s Domain (contosobranch.com) Another forest (contosocorp.com)

113 Cross-Forest Group Expansion Outlook or other client Content is protected for who s that? AD RMS AD RMS SCP: ADRMS.contosobranch.com DC DC User s Domain (contosobranch.com) Another forest (contosocorp.com)

114 Cross-Forest Group Expansion Outlook or other client AD RMS AD RMS I have a contact for marketing@contosobranch.com, and it points to domain contosobranch.com (duh!) SCP: ADRMS.contosobranch.com DC DC User s Domain (contosobranch.com) Another forest (contosocorp.com)

115 Cross-Forest Group Expansion Outlook or other client AD RMS Hey, what s your RMS SCP? AD RMS SCP: ADRMS.contosobranch.com DC DC User s Domain (contosobranch.com) Another forest (contosocorp.com)

116 Cross-Forest Group Expansion Outlook or other client AD RMS AD RMS It s adrms.contosobranch.com SCP: ADRMS.contosobranch.com DC DC User s Domain (contosobranch.com) Another forest (contosocorp.com)

117 Cross-Forest Group Expansion Outlook or other client Hey, adrms.contosobranch.com/.../ groupexpansion.asmx, is John a member of the marketing group? AD RMS AD RMS SCP: ADRMS.contosobranch.com DC DC User s Domain (contosobranch.com) Another forest (contosocorp.com)

118 Cross-Forest Group Expansion Outlook or other client Give me Marketing group s members AD RMS AD RMS SCP: ADRMS.contosobranch.com DC DC User s Domain (contosobranch.com) Another forest (contosocorp.com)

119 Cross-Forest Group Expansion Outlook or other client AD RMS It s John, Peter and Susan AD RMS SCP: ADRMS.contosobranch.com DC DC User s Domain (contosobranch.com) Another forest (contosocorp.com)

120 Cross-Forest Group Expansion Outlook or other client AD RMS He is, indeed. AD RMS SCP: ADRMS.contosobranch.com DC DC User s Domain (contosobranch.com) Another forest (contosocorp.com)

121 Cross-Forest Group Expansion Outlook or other client Here s your license! AD RMS AD RMS SCP: ADRMS.contosobranch.com DC DC User s Domain (contosobranch.com) Another forest (contosocorp.com)

122 Cross-Forest Group Expansion Outlook or other client AD RMS AD RMS SCP: ADRMS.contosobranch.com DC DC User s Domain (contosobranch.com) Another forest (contosocorp.com)

123

124

125

126

127 Multi Region Forest Core forest Other forests TUD Certification Licensing SQL Server (Cluster) Certification Cluster

128 Multi Region Forest Core forest Other forests TUD Certification Licensing SQL Server (Cluster) Certification Cluster

129 Multi Region Forest Core forest Other forests TUD Certification Licensing SQL Server (Cluster) Certification Cluster

130 Multi Region Forest Core forest Other forests TUD Certification Licensing SQL Server (Cluster) Certification Cluster

131

132

133

134

135 Multi Region Forest Core forest Other forests TUD Certification Licensing SQL Server (Cluster) Licensing-only Cluster Certification Cluster

136 Multi Region Forest Core forest Other forests TUD Certification Licensing SQL Server (Cluster) Licensing-only Cluster Certification Cluster

137 Multi Region Forest Core forest Other forests TUD Certification Licensing SQL Server (Cluster) Certification Cluster

138

139

140

141 Multi Region Forest Core forest Other forests Users in isolated sub-org. TUD Certification Licensing SQL Server (Cluster) Licensing-only Cluster Certification Cluster

142 Multi Region Forest Core forest Other forests Users in isolated sub-org. TUD Certification Licensing SQL Server (Cluster) Licensing-only Cluster Certification Cluster

143 Multi Region Forest Core forest Other forests Users in isolated sub-org. TUD Certification Licensing SQL Server (Cluster) Licensing-only Cluster Certification Cluster

144 Multi Region Forest Core forest Other forests Users in isolated sub-org. TUD Certification Licensing SQL Server (Cluster) Licensing-Only Cluster Certification Cluster

145

146

147 Multi Region Forest Core forest Other forests Users in isolated sub-org. TUD Certification Licensing SQL Server (Cluster) Licensing-only Cluster Certification Cluster

148 Multi Region Forest Core forest Other forests Users in isolated sub-org. TUD Certification Licensing TPD SQL Server (Cluster) Licensing-only Cluster Certification Cluster

149

150

151

152

153

154 Users in isolated sub-org. Multi Region Forest Core forest Other forests External Organization or Isolated forest (with TUD) TUD Certification Licensing AD FS trust External Organization (with AD FS) SQL Server (Cluster) Licensing-Only Cluster Certification Cluster

155 Users in isolated sub-org. Multi Region Forest Core forest Other forests External Organization or Isolated forest (with TUD) TUD Certification Licensing AD FS trust External Organization (with AD FS) SQL Server (Cluster) Licensing-Only Cluster Certification Cluster

156 Users in isolated sub-org. Multi Region Forest Core forest Other forests External Organization or Isolated forest (with TUD) TUD Certification Licensing AD FS trust External Organization (with AD FS) SQL Server (Cluster) Licensing-Only Cluster Certification Cluster

157

158

159 Inside Firewall Domain Controller and Global Catalog Mobile internal user Internet Outside Firewall HTTP 80/tcp HTTPS 443/tcp HTTP 80/tcp Kerberos 88/tcp, 88/udp NTP 123/tcp DCE RPC 135/tcp NetBIOS tcp and udp LDAP 389/tcp HTTPS 443/tcp SMB 445/tcp LDAP GC 3268/tcp Dynamic DCE RPC ports Home user AD RMS Server SQL Server Internal users Customer

160 Internal Firewall Domain Controller and Global Catalog Mobile Internal User Internet External Firewall HTTP 80/tcp HTTPS 443/tcp HTTP 80/tcp Kerberos 88/tcp, 88/udp NTP 123/tcp DCE RPC 135/tcp NetBIOS tcp and udp LDAP 389/tcp HTTPS 443/tcp SMB 445/tcp LDAP GC 3268/tcp Dynamic DCE RPC ports AD RMS Certification Server Home user Customer AD RMS Licensing Server SQL Server Internal users SQL Server

161 Domain Controller and Global Catalog Mobile internal user Internet Firewall HTTP 80/tcp HTTPS 443/tcp AD RMS Server Home user SQL Server Internal users Customer

162

163

164