Professional Documents
Culture Documents
Leverage The Mobile Device Extension For Ad Rms On Your Premises
Leverage The Mobile Device Extension For Ad Rms On Your Premises
AD RMS
Overview Technical Article
Microsoft France
Version: 1.0c
Contributors/Reviewers: Martin Sieber (Microsoft Switzerland), Enrique Saggese, Sergey Simakov (Microsoft
Corporation)
www.microsoft.com/rms
Abstract: Due to increased regulation, Consumerization of IT (CoIT) tendencies and “Bring Your Own
Device” (BYOD) initiatives, the explosion of information with dispersed enterprise data, the Social
Enterprise and its applications enabling new collaboration and other trends, organization of all sizes are
facing growing needs to protect and control sensitive information on all important devices (smartphones,
slates, tablets, and laptops).
This document provides information about the Mobile Device Extension for AD RMS, and how it can be
deployed on top of existing Windows Server 2012 and Windows Server 2012 R2-based AD RMS clusters to
support the important devices with mobile RMS-enlightened applications.
By following the steps outlined in this document you should be able to successfully prepare your
environment to deploy the Mobile Device Extension, and start using it within your organization to create
and consume protected content on all the important devices.
Table of Contents
NOTICE ............................................................................................................................................................3
FEEDBACK........................................................................................................................................................3
INTRODUCTION..............................................................................................................................................4
OBJECTIVES OF THIS PAPER......................................................................................................................................................6
NON-OBJECTIVES OF THIS PAPER............................................................................................................................................6
ORGANIZATION OF THIS PAPER...............................................................................................................................................6
ABOUT THE AUDIENCE..............................................................................................................................................................7
OVERVIEW OF THE MOBILE DEVICE EXTENSION FOR AD RMS................................................................8
PREREQUISITES FOR THE MOBILE DEVICE EXTENSION.........................................................................................................9
HOW MOBILE APPS USE THE NEW SERVICE ENDPOINTS....................................................................................................10
UNDERSTANDING HOW THE SERVICE ENDPOINTS ARE LOCATED.....................................................................................12
UNDERSTANDING HOW AUTHENTICATION WORKS WITH THE SERVICE ENDPOINTS......................................................19
REVIEWING THE SUPPORTED TOPOLOGIES FOR THE MOBILE DEVICE EXTENSION.........................................................22
BUILDING AN EVALUATION ENVIRONMENT............................................................................................28
BUILDING AN AZURE-BASED LAB ENVIRONMENT..............................................................................................................28
PREPARING THE LOCAL ENVIRONMENT FOR AZURE..........................................................................................................32
SETTING UP THE WINDOWS SERVER 2012 R2 BASE CONFIGURATION TEST LAB...............................38
DEPLOYING THE BASE WORKLOADS IN AZURE...................................................................................................................41
CONFIGURING THE DOMAIN CONTROLLER..........................................................................................................................45
CONFIGURING THE ROOT ENTERPRISE CA..........................................................................................................................55
DEPLOYING THE FEDERATION SERVER..................................................................................................................................60
PREPARING THE INTERNET-FACING COMPUTER..................................................................................................................63
DEPLOYING THE DATABASE SERVER......................................................................................................................................73
DEPLOYING THE RIGHTS MANAGEMENT SERVER................................................................................................................78
TESTING AND EVALUATING THE MOBILE DEVICE EXTENSION FOR AD RMS......................................90
CONFIGURING AD FS FOR THE MOBILE DEVICE EXTENSION FOR AD RMS................................................................90
SPECIFYING THE SERVICE DISCOVERY RECORDS FOR THE MOBILE DEVICE EXTENSION FOR AD RMS......................93
DEPLOYING THE MOBILE DEVICE EXTENSION FOR AD RMS..........................................................................................99
PUBLISHING THE MOBILE DEVICE EXTENSION ENDPOINTS OVER THE INTERNET........................................................102
TESTING THE MOBILE DEVICE EXTENSION.......................................................................................................................102
TROUBLESHOOTING THE MOBILE DEVICE EXTENSION....................................................................................................103
APPENDIX....................................................................................................................................................107
SETTING UAC BEHAVIOR OF THE ELEVATION PROMPT FOR ADMINISTRATORS...........................................................107
SIMULATING AN ANDROID DEVICE....................................................................................................................................107
Feedback
For any feedback or comment regarding this document, please send a mail to AskIPteam@microsoft.com.
1
ACTIVE DIRECTORY RIGHTS MANAGEMENT SERVICES MOBILE DEVICE EXTENSION: http://technet.microsoft.com/library/Dn673574.aspx
Note To help figure out how to face security, compliance and compatibility issues you might deal with and
to give users access to corporate intellectual property from ubiquitous devices, both managed and unmanaged,
you can refer to a series of documents on CoIT, i.e. Test Lab Guides (TLGs) available on the Microsoft Download
Center2. The TLGs illustrate key CoIT scenarios with current Microsoft technologies and allow you to get hands-
on experience using a pre-defined and tested methodology that results in working configurations.
Where information workers are more mobile, share information, and collaborate more than ever before ,
information leakage can be thus a serious threat to organizations. Leaks of confidential information can
result in lost revenue, compromised ability to compete, unfairness in purchasing and hiring decisions,
diminished customer confidence, and more.
The proliferation of consumer devices and ubiquitous information access is driving the organization to
define a new model in which information workers use their (own) devices to access sensitive corporate
data. The model must be flexible enough to meet their users’ needs while at the same time guarantee that
sensitive corporate data are protected from unauthorized access regardless of whether the user’s device is
completely managed and individually secured. To increase productivity, users also ask for a secure and
consistent way to access and share sensitive information from their devices.
To tackle the issues described above, Microsoft has delivered a cloud-based digital information rights
management solution on all important devices through the Azure Rights Management service (Azure
RMS) offerings. This service enables users on all important devices to access and use sensitive information.
As a transport and storage agnostic solution, it operates on all types of files. Dispersed enterprise data can
be protected in a consistent way dictated by the policy no matter where it goes.
2
CONSUMERIZATION OF IT TEST LAB GUIDES: http://www.microsoft.com/en-us/download/details.aspx?id=29574
However, such a support for all important devices was not available in the on-premises counterpart to
Azure RMS, Microsoft Active Directory Right Management Services (AD RMS). First shipped for Windows
Server 2003 and later evolved into a component of Windows Server 2008/2012, AD RMS is designed for
organizations that need to protect sensitive and proprietary information and that are not ready to or
cannot subscribe for any specific requirement or reason to a cloud service.
The Mobile Device Extension for AD RMS now enables Windows Server 2012 and Windows Server
2012 R2-based AD RMS clusters to support important mobile devices with mobile RMS-enlightened
applications in the same way as Azure RMS does.
Note You don’t need the Mobile Device Extension for AD RMS to consume or author protected email on
devices if they use mobile mail apps that support Exchange ActiveSync (EAS) Information Rights Management
(IRM). This native support for AD RMS and mobile devices was introduced with Exchange 2010 Service Pack 1
(SP1).
Note The Microsoft Exchange ActiveSync (EAS) 5 protocol provides synchronization of mailbox data
between mobile devices and Exchange Online, so users can access their email, calendar, contacts, and tasks on
the go. EAS is licensed by Microsoft to mobile device manufacturers, original equipment manufacturers (OEMs),
and mail client applications, and is thus supported by a wide range of mobile devices, including Windows Phone
devices, Palm devices, Apple iPhone and iPad, and many Android phones. Implementation of specific EAS
features may vary by device and manufacturer. A community-maintained comparison of how Exchange
ActiveSync features are implemented by various mobile clients is available at this COMPARISON OF EXCHANGE
ACTIVESYNC CLIENTS6 page on Wikipedia.
Note Devices supporting version 14.1 and above of the protocol can leverage the above EAS IRM
capability. The mobile mail app on a device must support the RightsManagementInformation tag defined in
this protocol version and above.
To learn more about EAS IRM for protecting mail messages and attachments and how to deploy it in Exchange
2010 SP1 and above, see the Microsoft TechNet article UNDERSTANDING INFORMATION RIGHTS MANAGEMENT IN
EXCHANGE ACTIVESYNC7.
The Mobile Device Extension for AD RMS is particularly intended for any mobile RMS-enlightened
applications based on the latest Microsoft Rights Management (RMS) SDK, i.e. the RMS SDK 4.0,
such as the RMS Sharing app. These applications generally need to be installed through the
corresponding app stores for the device.
3
AZURE RIGHTS MANAGEMENT SERVICES: http://blogs.technet.com/b/rms/archive/2013/07/31/the-new-microsoft-rights-management-
services-whitepaper.aspx
4
Azure Rights Management services: http://www.microsoft.com/rms
5
UNDERSTANDING EXCHANGE ACTIVESYNC: http://technet.microsoft.com/en-us/library/aa998357.aspx
6
COMPARISON OF EXCHANGE ACTIVESYNC CLIENTS: http://en.wikipedia.org/wiki/Comparison_of_Exchange_ActiveSync_Clients
7
UNDERSTANDING INFORMATION RIGHTS MANAGEMENT IN EXCHANGE ACTIVESYNC: http://technet.microsoft.com/en-us/library/ff657743.aspx
Note For additional information on AD RMS, see the Microsoft TechNet article ACTIVE DIRECTORY RIGHTS
MANAGEMENT SERVICES OVERVIEW11, as well as the several posts of the AD RMS Team Blog12.
It doesn’t provide neither guidance for setting up and configuring AD RMS in a production environment
nor a complete technical reference for AD RMS.
8
RIGHTS MANAGEMENT SHARING APPLICATION ADMINISTRATOR GUIDE: http://technet.microsoft.com/library/dn339003
9
RIGHTS MANAGEMENT SHARING APPLICATION USER GUIDE: http://technet.microsoft.com/library/dn339006
10
FAQ FOR MICROSOFT RIGHTS MANAGEMENT SHARING APPLICATION FOR MOBILE PLATFORMS: http://technet.microsoft.com/dn451248
11
ACTIVE DIRECTORY RIGHTS MANAGEMENT SERVICES OVERVIEW: http://go.microsoft.com/fwlink/?LinkId=84726
12
AD RMS Team Blog: http://blogs.technet.com/b/rms/
Important note The RMS SDK 4.0 supersedes the RMS SDK 3.0, which is now deprecated.
These clients must use the latest version of the RMS sharing app for the devices as available for download
at the Microsoft Rights Management page 17.
Beyond an existing on-premises AD RMS deployment on Windows Server 2012 or Windows Server 2012
R2, the following dependencies must be in place before using the Mobile Device Extension for AD RMS:
DNS SRV records to help locate the service endpoints provided by the Mobile Device Extension.
Both AD RMS internal (e.g., intranet) and external (e.g., extranet) FQDN URLs populated. (In a split
brain DNS configuration, only the Intranet URLs are populated.)
Use of SSL/TLS with a trusted X.509 certificate for the AD RMS internal and external URLs.
AD FS deployed on Windows Server 2012 R2 to sustain the authentication required by the service
endpoints.
Note For information on AD FS in Windows Server 2012 R2, see the Microsoft TechNet article WINDOWS
SERVER 2012 R2 AD FS DEPLOYMENT GUIDE18.
Some secure publishing mechanism such as the Web Application Proxy (WAP) deployed on
Windows Server 2012 R2 to publish the service endpoints on the Internet.
13
SDK 4.0 for Android: http://www.microsoft.com/en-ie/download/details.aspx?id=43673
14
SDK 4.0 for iOS: http://www.microsoft.com/en-us/download/details.aspx?id=43674
15
SDK 4.0 for OS X: http://www.microsoft.com/en-za/download/details.aspx?id=43675
16
MICROSOFT RIGHTS MANAGEMENT SDK 4.0: http://msdn.microsoft.com/en-us/library/dn758244(v=vs.85).aspx
17
RMS sharing app for the devices: https://portal.aadrm.com/home/download
18
WINDOWS SERVER 2012 R2 AD FS DEPLOYMENT GUIDE: http://technet.microsoft.com/en-us/library/dn486820.aspx
The Mobile Device Extension exposes the following endpoints in the form of REST APIs:
Mobile Device Extension for AD RMS
https://<ClusterURL>/my/v1/servicediscovery
https://<ClusterURL>/my/v1/enduserlicenses
https://<ClusterURL>/my/v1/templates
REST API End User License request
REST API Publishing License request
In addition to the above REST service endpoints, the Mobile Device Extension provides a DNS-based
service discovery mechanism in order to enable mobile devices to discover these endpoints based on the
identity of the user or the source of the protected content. This will be further discussed below.
The Publishing License request takes either a template ID or a custom policy and returns a serialized
Publishing License (PL) that is generated from the template or policy.
Where <ClusterURL> is the FQDN of an AD RMS cluster on top of which the Mobile Device Extension has
been installed. This value will be obtained by calling the service discovery so that mobile devices can
discover the endpoints based on the identity of the user and the URL of the server that was used to
protect the content.
The request body is a JSON object that contains the serialized publishing license (PL) (in base64 encoded
form) that applies to the protected content. A successful request returns HTTP 200 OK with a body that
contains the end user license (EUL).
Templates request
The Templates request returns the list of templates that are available for the user in the server.
Where <ClusterURL> is the FQDN of an AD RMS cluster on top of which the Mobile Device Extension has
been installed.
There is no body for this request. A successful request returns HTTP 200 OK with a body that contains the
list of templates that are available.
When the REST API explicitly returns HTTP 400 and 500 errors (but not HTTP 401 errors), it also returns a
message body that contains information about the error. The response body contains the following fields:
code. The fully qualified name of the exception that caused the error.
message. A descriptive message that explains the error.
As mentioned before, the Mobile Device Extension provides a service discovery mechanism based on DNS
SRV records in order to enable mobile devices to locate the necessary service endpoints. Such mechanism
works in two steps:
DNS
1. The RMS client performs a DNS lookup for a SRV record corresponding to the user’s email domain
(for authoring or template acquisition operations) or the content source server’s FDQN (for
consumption operations), and processes the response from the DNS service to build the service
discovery URL to call.
2. The client then contacts the URL obtained in the previous step and obtains the final REST APIs
endpoints to call.
This two-step process allows mobile clients to identify the organization’s infrastructure in the first step and
then locate the exact server desired for the user in the second step. This allows for very flexible
The second operation is implemented as an HTTP GET call to the REST APIs in MDE as follows:
Where <ClusterURL> is the FQDN of an AD RMS cluster built by the RMS client based on the DNS SRV
lookup response.
The response body will then contain the list of the aforementioned service endpoints and corresponding
URLs in JSON format in the context of the request. The following JSON example illustrates a sample
response body:
[{
"Name": "enduserlicenses",
"Uri": "https://adrms.contoso.com/my/v1/enduserlicenses"
},
{
"Name": "templates",
"Uri": "https://adrms.contoso.com/my/v1/templates"
},
{
"Name": "publishinglicenses",
"Uri": "https://adrms.contoso.com/my/v1/publishinglicenses"
}]
Since the first step of the endpoint discovery uses DNS and relies for that purposes on specific SRV
service discovery records, the Service Connection Point (SCP) declared in the Active Directory is not
used by the Mobile Device Extension.
Note The SCP is an object in the Active Directory configuration partition that holds the Web address of
the AD RMS cluster. RMS-enlightened applications built with RMS SDKs whose version is prior to 3.0 use the SCP
to discover the AD RMS service; it is the first connection point for users to discover the AD RMS SOAP-based web
service endpoints. Only one SCP can exist in your Active Directory forest.
A SCP can be viewed using ADSI Edit for instance. To view the SCP, connect to the configuration container in ADSI
Edit and navigate the following nodes: CN=Configuration [server name], CN=Services,
CN=RightsManagementServices, CN=SCP.
From a practical standpoint, the RMS client uses DNS SRV records to find the right location for the services
used for:
Different DNS SRV records must be consequently created in the authoritative DNS for the organization’s
domain(s) to support these processes. The next sections cover the DNS SRV records required for a fully
functional RMS service discovery mechanism for mobile devices.
Important note If all the users of the organization use child domains from a single parent domain, and all
users from this contiguous namespace use the same AD RMS cluster, only one SRV record in the parent domain is
needed, and the RMS client will find the appropriate DNS records (see below).
For example, if an organization has users with the following email addresses:
<user alias>@contoso.com
<user alias>@europe.contoso.com
<user alias>@fabrikam.com
And if there are no other child domain(s) for contoso.com and no other parent domain(s) that use a
different AD RMS cluster than the one named adrms.contoso.com, the following two DNS SRV records
must be created in DNS:
_rmsdisco._http._tcp.contoso.com 443 adrms.contoso.com
_rmsdisco._http._tcp.fabrikam.com 443 adrms.contoso.com
19
RFC 6763 DNS-BASED SERVICE DISCOVERY: http://www.ietf.org/rfc/rfc6763.txt
2: Pointer to service discovery endpoint 1: Query for user subdomain and iterate up
12: PL
7: User attributes
Active Directory
AD FS
The Mobile Device Extensions do not support offline publishing from mobile devices at the time of
publishing of this document.
4: Redirect to AD FS
12: EUL
7: User attributes
Active Directory
AD FS
1. For the initial domain resolution, the RMS client looks in DNS for a service discovery record that
matches the FQDN in the URL of the RMS service that protected the content. This URL is specified
in the publishing license.
2. The response from the DNS service is processed by the RMS client to build the discovery service
URL to call.
3. The RMS client then makes a call to the service discovery endpoint in the URL discovered
previously.
4. On initial access the call to this endpoint will return a 401 error code and will redirect the client to
the environment’s federation server where the authentication process will be performed as
described in section § UNDERSTANDING HOW AUTHENTICATION WORKS WITH THE SERVICE ENDPOINTS below
in this document. Steps 4-7 in this authentication process are explained in that section. Once the
client has obtained an access token it passes the token to the service discovery URL to which it
tried to authenticate.
5. Upon acceptance of the token received from the service the URL of the RMS cluster is used by this
user.
6. The service discovery endpoint returns the list of rights management services (publish license, end
use license, and templates) and corresponding endpoint URLs is provided to the client in the
20
UNDERSTANDING INFORMATION RIGHTS MANAGEMENT: http://technet.microsoft.com/en-us/library/dd638140.aspx
21
RFC 6749 THE OAUTH 2.0 AUTHORIZATION FRAMEWORK: http://www.ietf.org/rfc/rfc6749.txt
3
4
AD FS
1. The RMS client makes a call to a service endpoint to perform an operation on the RMS service by
making a call to the URL obtained thanks to one of the created DNS SRV records.
2. The RMS service finds out that the authentication has not happened yet. It returns back an OAuth
2.0 challenge. More specifically, it returns back a HTTP 401 with two fields in the HTTP body. One
is the resource name that identifies the service endpoint, and the other is the URL to the local AD
FS server/farm to interact with to obtain an access token. This URL is set during the installation of
the Mobile Device Extension for AD RMS.
3. The RMS client takes this response and goes to the URL identified in the response from the RMS
service.
a. In accordance to the OAuth 2.0 authorization code grant flow, it makes an authorization
request to AD FS for the resource (again in the response from the RMS service) to get an
authorization code. This call comprises the service endpoint the app wants to access, an
app client identifier, and an app redirection URI in accordance with RFC 6749.
Note In order to allow access from OAuth 2.0 clients to REST resources secured by AD FS, the app has to
be registered beforehand with AD FS by using the cmdlet Add-AdfsClient22. AD FS will not allow access to a REST
resource to clients that specify a client identifier or redirection URI that is not registered with AD FS. For
additional information, see Microsoft MDSN article DEVELOPING MODERN APPLICATIONS USING OAUTH AND ACTIVE
DIRECTORY FEDERATION SERVICES23.
The RMS service expects that ADFS provides the following claims in the access token:
Primary email address of the user,
User principal name (UPN) of the user,
Proxy email addresses of the user if present.
The format used for the access token is JSON Web Token (JWT)28, a compact JSON-encoded security token
bearing claims. As such, JWT is especially apt for REST-based development. JWT use is growing, and
products supporting the format are increasingly common in the industry.
24
Microsoft Azure Active Directory Authentication Library (ADAL) for Android: https://github.com/AzureAD/azure-activedirectory-
library-for-android
25
Microsoft Azure Active Directory Authentication Library (ADAL) for iOS: https://github.com/AzureAD/azure-activedirectory-library-
for-objc
26
Microsoft Azure Active Directory Authentication Library (ADAL) for OSX: https://github.com/AzureAD/azure-activedirectory-library-
for-objc:
27
Microsoft Azure Active Directory Samples and Documentation: https://github.com/AzureADSamples
28
JSON Web Token (JWT): http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-24
Note For information on Trusted User Domains (TUD), see the eponym Microsoft TechNet article TRUSTED
USER DOMAIN29.
As a consequence, while Rights Account Certificates containing different certification URLS and signed by
different clusters are issued to rich clients in different forests, all clients receive a Client Licensor Certificate
from the same cluster, and all Publishing Licenses will be encrypted with the same key pair and will be
stamped with the same URL.
Important Note Since in mobile devices working with the Mobile Device Extension for AD RMS all
transactions are atomic and there’s no use for Rights Account Certificates, clients only interact with the RMS
cluster used for licensing. The existence of an RMS cluster in a forest that is only used for certification is of no
consequence to the mobile clients, and as a results Trusted User Domains are not used for mobile devices. This,
in turn, means that only cluster actively used for licensing need to have the Mobile Device Extension
installed, and clusters only used for certification in their respective forests don’t need to be configured for
mobile devices directly.
In this environment, users may have email addresses under the same or different domains. All publishing
licenses contain the same URL.
Note For information on trusted publishing domains (TPD), see the eponym Microsoft TechNet article
TRUSTED PUBLISHING DOMAIN30.
This redirection is typically implemented via registry overrides on rich clients. As already noticed, the
mobile device clients do not support registry overrides.
30
TRUSTED PUBLISHING DOMAIN: http://technet.microsoft.com/en-us/library/dd996639(v=ws.10).aspx
Active Directory Domain Services (AD DS) DC1 SQL1 SQL Server 2012
Domain Name Services (DNS)
Internet
ADFS1 ADRMS1
In this environment we have simplified as much as possible the environment to reduce the number of
actions needed.
The Microsoft Test Lab Guides (TLGs) allow you to get valuable hands-on experience with new products
and technologies using a pre-defined and tested methodology that results in a working configuration.
Microsoft Test Lab Guides (TLGs) are a set of documents that step you through the configuration and
demonstration of a Microsoft technology or product in a standardized test lab environment, which starts
with a common base configuration that mimics a simplified intranet and the Internet. TLGs are designed to
be modular, extensible, and stackable to configure complex, multi-product solutions. TLGs make learning
about products, technologies, and solutions easier by providing that crucial hands-on, “I built it out
myself” experience.
Note For more information, see Test Lab Guides31 on Microsoft TechNet.
Moreover, another potential challenge relates to the hardware needed to run such a base configuration
that involves several (virtual) machines.
For these reasons and considering the above objectives, this guide will leverage Microsoft Azure
environment with Azure-based virtual machines (VM). Consequently, the setup of the on-premises
environment for this evaluation of the Mobile Device Extension will be based on the TEST LAB GUIDE: BASE
CONFIGURATION IN AZURE32. It will also leverage the TEST LAB GUIDE: DEPLOYING AN AD RMS CLUSTER33.
Finally, to streamline as much as possible the setup of this Azure-based test lab environment, and to test
and evaluate the Mobile Device Extension for AD RMS, this guide will also leverage the Microsoft Azure
PowerShell and Windows PowerShell cmdlets to configure the required services.
Note An affinity group is a container where you choose the location (Azure region) where you place your
Azure resources. An affinity group represents also a convenient way to designate an Azure data center region with
the name of your choice. (As of this writing, Azure Cloud Services can be added to an affinity group only at the
time of creation of the service.).
Azure Virtual Network provides control over network topology, including configuration of IP addresses,
routing tables and security policies. A VNET has its own private address space. The address space is IPv4
only (but could be extended to IPv6 in a future release).
Note Azure Virtual Network also allows to securely extend on-premises networks into the cloud. With the
ability to assign a private address range for its VNET, you can indeed treat it as an extension of your own
corporate private network address space by establishing appropriate gates (VPN gateway) between your on-
premises corporate private network and virtual network(s) in Microsoft Azure. For that purpose, Azure Virtual
Network enables to set up secure site-to-site connectivity between the organization’s corporate VPN gateway and
Azure, and then to connect the organization’s on-premises corporate network to the organization’s Azure tenant
by using a VPN gateway along with the industry-standard IPsec protocol.
With such a capability, IT administrators can easily create a logically isolated private environment in Azure, and
connect it to the organization’s on-premises IT infrastructure by using a secure VPN tunnel. Once set up, the
isolated Azure environment can be viewed as a natural extension of the on-premises corporate network.
To synthetize, Azure Virtual Network allows you to create private network(s) of VMs in your Azure tenant
environment that you can assign IP addresses to (and then optionally connect to your data center through
a VPN gateway). Using this method, you can seamlessly connect on-premises (virtual) machines to VMs
running in your Azure tenant.
The fundamental requirements for deploying AD DS on VM(s) in Azure differ very little from deploying it in
VMs (and, to some extent, physical machines) on-premises. For example, if the domain controller that you
deploy on VMs are replicas in an existing on-premises corporate domain/forest, then the Azure
deployment can largely be treated in the same way as you might treat any other additional AD DS site.
That is, subnets must be defined in AD DS, a site created, the subnets linked to that site, and connected to
other sites using appropriate site-links. There are, however, a number of differences that are common to
all Azure deployments and some that vary according to the specific deployment scenario.
36
Azure Cloud Services: https://www.windowsazure.com/en-us/services/cloud-services/
Note For more information about the costs of running Azure virtual machines, see VIRTUAL MACHINES
PRICING DETAILS39 and AZURE PRICING CALCULATOR40 on the Azure Web site.
To minimize the cost of running the test lab virtual machines, you can do one of the following:
Create the test lab environment and perform your needed testing and demonstration as quickly
as possible. When complete, delete the test lab virtual machines from the VIRTUAL MACHINES
page of the Azure management portal.
Shut down your test lab virtual machines into a de-allocated state from the VIRTUAL MACHINES
page of the Azure management portal as covered later in this document. However, you should
start your virtual machines in a specific order.
Note Once you have completed your trial tenant signup, you will be redirected to the Azure account
portal43 and can proceed to the Azure management portal by clicking Portal at the top right corner of your
screen.
At this stage, you should have an Azure trial subscription to proceed with the steps in this guide.
37
INSTALL A NEW ACTIVE DIRECTORY FOREST IN WINDOWS AZURE:
http://www.windowsazure.com/en-us/manage/services/networking/active-directory-forest/
38
GUIDELINES FOR DEPLOYING WINDOWS SERVER ACTIVE DIRECTORY ON WINDOWS AZURE VIRTUAL MACHINES: http://msdn.microsoft.com/en-
us/library/windowsazure/jj156090
39
VIRTUAL MACHINES PRICING DETAILS: http://azure.microsoft.com/en-us/pricing/details/virtual-machines/
40
AZURE PRICING CALCULATOR: http://azure.microsoft.com/en-us/pricing/calculator/?scenario=virtual-machines
41
FREE ONE MONTH TRIAL: http://azure.microsoft.com/en-us/pricing/free-trial/
42
AZURE BENEFIT FOR MSDN SUBSCRIBERS: http://azure.microsoft.com/en-us/pricing/member-offers/msdn-benefits-details/
43
Windows Azure account portal: https://account.windowsazure.com/Subscriptions
44
Windows Azure Downloads: http://go.microsoft.com/fwlink/?LinkID=294711
PS C:\> Add-AzureAccount
4. Type the email address and click Continue. You’re redirected to a Sign In page
5. Type the password associated with your account and click Sign in.
7. Once connected to your default subscription, you can use the built-in Help system to list and get
help about the cmdlets in the Azure PowerShell module. To list the available cmdlets, run the
following command:
You can then display help about a specific cmdlet by typing help followed by the name of the
cmdlet, for example “help New-AzureVM”.
Note For more information about the cmdlets in the Azure PowerShell module, see the Microsoft MSDN
article WINDOWS AZURE MANAGEMENT CMDLETS47.
PS C:\> Get-ExecutionPolicy
2. If the value returned is anything other than RemoteSigned, you need to change the value to
RemoteSigned.
Note A digital signature is required from a trusted publisher on scripts and configuration files that are
downloaded from the Internet (including email and instant messaging programs) so that they can run. However,
a digital signature isn’t required on scripts that you have written on the local computer (not downloaded from
the Internet). Finally, you can run scripts that are downloaded from the Internet and not signed, if the scripts are
unblocked, such as by using the Unblock-File cmdlet. For more information, see the Microsoft TechNet article
ABOUT_EXECUTION_POLICIES.48.
2. If the WinRM service isn’t running, start it with the following command:
4. In the results, look for the value “Basic =”. If the value is “Basic = false”, you must change the
value to “Basic = true”.
If the value has to be changed, run the following command:
The value between the braces { } is case-sensitive. In the command output, verify the value “Basic
= true”.
5. If you started the WinRM service in step 2, run the following command to stop it:
You are now ready to setup the Windows Server 2012 R2 Base Configuration needed for the test
lab.
This is the purpose of the next section.
Important note Individual virtual machines (VMs) are needed to separate the services provided on the
network and to clearly show the desired functionality. This being said, the suggested configuration to later
evaluate the Mobile Device Extension for AD RMS is neither designed to reflect best practices nor does it reflect a
desired or recommended configuration for a production network. The configuration, including IP addresses and
all other configuration parameters, is designed only to work on a separate test lab networking environment.
Any modifications that you make to the configuration details provided in the rest of this document may affect or
limit your chances of successfully setting up the on-premises test lab environment. We recommend following this
guide as-is first to familiarize yourself with the steps involved, before attempting a deployment on an
environment with a different configuration.
In order to complete the document’s walkthrough, you need an environment that consists of the following
components for the Azure-based test lab infrastructure:
One Azure virtual machine running Windows Server 2012 R2 (named DC1) that is configured as a
domain controller with a test user and group accounts, and Domain Name System (DNS) server.
One Azure virtual machine running Windows Server 2012 R2 (named ADFS1) that is configured as
an enterprise root certification authority and as an AD FS federation server.
One Azure virtual machine running Windows Server 2012 R2 (named ADRMS1) that is configured
as an AD RMS cluster.
Note For more information about the system requirements for installing AD RMS, see the Microsoft
TechNet article PRE-INSTALLATION INFORMATION FOR ACTIVE DIRECTORY RIGHTS MANAGEMENT SERVICES49.
One Azure virtual machine running Windows Server 2012 R2 (named SQL1) that is configured as a
SQL Server 2012 computer, which will be used to support the AD RMS configuration and logging
databases.
Important note The Mobile Device Extension for AD RMS requires that the AD RMS deployment uses a full
Microsoft SQL Server-based database on a separate server and not the Windows Internal Database that is often
used for testing on the same server.
One Azure virtual machine running Windows Server 2012 R2 (named EDGE1) that is configured as
a Web server.
49
PRE-INSTALLATION INFORMATION FOR ACTIVE DIRECTORY RIGHTS MANAGEMENT SERVICES: http://go.microsoft.com/fwlink/?LinkId=84733)
Note Windows Server 2012 R2 offers businesses and hosting providers a scalable, dynamic, and
multitenant-aware infrastructure that is optimized for the cloud. For more information, see the Microsoft
TechNet Windows Server 2012 R2 homepage53.
Note You must be logged on as a member of the Domain Admins group or a member of the
Administrators group on each computer to complete the tasks described in this guide. If you cannot complete a
task while you are logged on with an account that is a member of the Administrators group, try performing the
task while you are logged on with an account that is a member of the Domain Admins group.
Create snapshots so that you can easily return to a desired configuration for further learning and
experimentation.
For that purpose, these VMs notably expose one public endpoint for Remote Desktop Protocol (RDP) and
another one for remote Windows PowerShell (WinRMHTTPS) as illustrated hereafter.
50
AD RMS PREREQUISITES: http://technet.microsoft.com/library/dd772659(v=WS.10).aspx
51
AD RMS PERFORMANCE AND LOGGING BEST PRACTICES: http://technet.microsoft.com/library/dd941633(v=ws.10).aspx
52
AD RMS ARCHITECTURE DESIGN AND SECURE COLLABORATION SCENARIOS: http://technet.microsoft.com/library/dd941633(v=ws.10).aspx
53
WINDOWS SERVER 2012 R2: http://technet.microsoft.com/en-US/windowsserver/hh534429
Important Note Azure assigns IP addresses dynamically, which may seem inconvenient when you have the
habit to set static IP addresses, especially for domain controllers. More specifically, static IP addresses are NOT
supported. For more information, see section IP Addressing and DNS54 of the MSDN article GUIDELINES FOR
DEPLOYING WINDOWS SERVER ACTIVE DIRECTORY ON WINDOWS AZURE VIRTUAL MACHINES.
Within a subnet, the first 3 addresses are reserved and, in the case of Subnet2 above, the first address that is
assigned by the Azure DHCP will be 10.0.2.4. However, it is guaranteed that the first address will remain constant,
which is not the case for the addresses that belong to the rest of the range. Such a behavior must be taken into
account if you want that a specific VM will have the same IP address allocated over the time, which will be the
case of our domain controller DC1 that will also host the DNS server for the test lab environment.
For illustration purposes, we have opted to configure the domain litware369.com (LITWARE369).
Since the lab depends on you using a unique name for your domain, you will have to choose a
domain name of your own. For checking purposes, you can use the domain search capability provided
by popular domain name registrars. Alternatively, you can use a subdomain of a domain you already
control in lieu of Litware369.com.
Whenever a reference to litware369.com is made in a procedure, it has to be replaced by the DNS
domain name of your choice to reflect accordingly the change in naming. Likewise, any reference to
LITWARE369 should be substituted by the NETBIOS domain name of your choice.
Furthermore, for the sake of simplicity, the same password “pass@word1” is used throughout the
procedures of the above TLGs as well as the ones detailed in this document. This is neither mandatory
nor recommended in a real world scenario.
To perform all the tasks in this guide, we will use the LITWARE369 domain Administrator account
AzureAdmin for each Windows Server 2012 R2 Azure VM, unless instructed otherwise.
Note When you configure Windows Server 2012 R2, you are required to click Continue or Yes in the User
Account Control (UAC) dialog box for some tasks. Several of the configuration tasks require UAC approval.
When you are prompted, always click Continue or Yes to authorize these changes. Alternatively, see the
Appendix of this guide for instructions about how to set the UAC behavior of the elevation prompt for
administrators.
The following five steps must be followed in order to set up the on-premises core infrastructure of our test
lab:
1. Deploying the base workloads in Azure.
54
GUIDELINES FOR DEPLOYING WINDOWS SERVER ACTIVE DIRECTORY ON WINDOWS AZURE VIRTUAL MACHINES:
http://msdn.microsoft.com/en-us/library/windowsazure/jj156090.aspx
Note The script New-TestLabEnvironment.ps1 is largely inspired by the sample script DEPLOY A DOMAIN
CONTROLLER AND MEMBER USING WINDOWS AZURE VIRTUAL MACHINES56 available on the Microsoft TechNet Script
Center57.
Note The script Remove-TestLabEnvironment.ps158 enables you to later seamlessly remove the test lab
environment from your Azure subscription. Its usage is not covered in this paper since its arguments are almost
the same as the ones used by the above script.
2. Open an Azure PowerShell command prompt and navigate to the folder where the above script is
located, for example C:\Scripts in our illustration.
3. Run the following command to connect to your subscription:
PS C:\Scripts> Add-AzureAccount
55
New-TestLabEnvironment.ps1: http://www.microsoft.com/en-us/download/details.aspx?id=36391
56
DEPLOY A DOMAIN CONTROLLER AND MEMBER USING WINDOWS AZURE VIRTUAL MACHINES:
http://gallery.technet.microsoft.com/scriptcenter/Deploy-a-domain-controller-2ab7d658
57
Script resources for IT professionals: http://gallery.technet.microsoft.com/scriptcenter
58
Remove-TestLabEnvironment.ps1: http://www.microsoft.com/en-us/download/details.aspx?id=36391
4. Enter your email address and click Continue. You’re redirected to a Sign In page.
5. Type the password associated with your account for your Azure (trial) subscription and click Sign
in. You should now be connected to your default subscription.
6. Run the following command to deploy the base workloads in your subscription:
7. The script New-TestLabEnvironment.ps1 proceeds with the setup and will prompt you to gather
the administrator credentials to use when provisioning the aforementioned VMs. A Windows
PowerShell credential required dialog brings up.
8. Provide the administrator credentials you want to use. We will use throughout this walkthrough
“AzureAdmin” for the username and “pass@word1” for the password.
AD DS
DNS
IIS
DC1 SQL1
HttpsIn
IP: 10.0.2.4 IP: 10.0.2.6
IIS IIS
EDGE1 AD CS AD RMS
IP: 10.0.1.4
ADFS1 ADRMS1
IP: 10.0.2.5 IP: 10.0.2.7
VNET: mfalabvnet
Note To learn about the Windows PowerShell command line and scripting environment, see the TechNet
Script Center59.
Note For information about installing, learning, using, and customizing Windows PowerShell, see the
Microsoft TechNet article Scripting with Windows PowerShell60.
Note For information about what scripts are and how to run them in Windows PowerShell, see the
Microsoft TechNet article RUNNING SCRIPTS61. This article includes basic information about creating scripts and
configuring your computer to run scripts.
Note For information on Windows Server Automation with Windows PowerShell, see the eponym
Microsoft TechNet article62. This article provides references to install and configure the various role services.
If needed to accommodate your own configuration, the script New-TestLabEnvironment.ps1 enables you to
customize the VNET and VM details:
At the end of the script, you should have an up and running base configuration that we will
leverage in the next steps. The next sections imply that you have in place such an environment.
59
TechNet Script Center: http://go.microsoft.com/fwlink/p/?linkid=320211&clcid=0x409
60
SCRIPTING WITH WINDOWS POWERSHELL: http://go.microsoft.com/fwlink/p/?linkid=320210&clcid=0x409
61
RUNNING SCRIPTS: http://go.microsoft.com/fwlink/p/?linkid=320627&clcid=0x409
62
WINDOWS AND WINDOWS SERVER AUTOMATION WITH WINDOWS POWERSHELL: http://technet.microsoft.com/en-us/library/dn249523.aspx
4. On the virtual machine page, at the top, ensure VIRTUAL MACHINE INSTANCES is selected.
5. Select the dc1 machine and click CONNECT at the tray of the bottom.
7. Check Don’t ask me again for connections to this computer and click Connect.
8. A Windows Security dialog brings up.
9. Log on as LITWARE369\AzureAdmin with “pass@word1” as password.
11. Check Don’t ask me again for connections to this computer and click Yes.
The connection is then established to the remote desktop.
To configure the DNS server to use the root hints, proceed with the following steps:
1. Open a Windows PowerShell command prompt, and run the following command to start the DNS
Manager console:
PS C:\Users\AzureAdmin> dnsmgmt.msc
PS C:\Users\AzureAdmin>
. completed successfully.
Raw Flags ResultCode NoTcp RTT IP Address
---------------------------------------------------------------------------
00001000 0 Success 0 10 192.5.5.241
Command completed successfully.
PS C:\Users\AzureAdmin>
Important note If the DNS resolution of the AD FS service endpoint is performed through CNAME record
lookup instead of through an A record lookup, you will be repeatedly prompted for credentials later in this lab
during sing-in.
Note For more information on the DNS cmdlets, see the Microsoft TechNet article DOMAIN NAME SYSTEM
(DNS) SERVER CMDLETS IN WINDOWS POWERSHELL64.
PS C:\users\AzureAdmin>
PS C:\users\AzureAdmin>
Note For more information, see the blog post NEW FEATURES IN ACTIVE DIRECTORY DOMAIN SERVICES IN
WINDOWS SERVER 2012, PART 8: GROUP MSAS (GMSAS)65.
64
DOMAIN NAME SYSTEM (DNS) SERVER CMDLETS IN WINDOWS POWERSHELL: http://technet.microsoft.com/en-us/library/jj649850.aspx
65
NEW FEATURES IN ACTIVE DIRECTORY DOMAIN SERVICES IN WINDOWS SERVER 2012, PART 8: GROUP MSAS (GMSAS):
http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2012/09/04/new-features-in-active-directory-domain-services-in-
windows-server-2012-part-8-group-msas-gmsas.aspx
PS C:\users\AzureAdmin> Get-KdsRootKey
PS C:\users\AzureAdmin>
2. If it has not been created (the output displays no information), run the following command to
create the key:
Guid
----
7d5decb2-6c35-2b0c-6286-8055e413f2a5
PS C:\users\AzureAdmin>
Note For more information, see the Microsoft TechNet article KEY DISTRIBUTION SERVICE (KDS) IN WINDOWS
POWERSHELL66.
PS C:\users\AzureAdmin>
66
KEY DISTRIBUTION SERVICE (KDS) IN WINDOWS POWERSHELL: http://technet.microsoft.com/en-us/library/jj852115.aspx
ADRMSSVC ADRMSSVC
Robert Hatley RobertH roberth@litware369.com Employees, Finance
Janet Schorr JanetS janets@litware369.com Employees, Marketing
Stuart Railson StuartR stuartr@litware369.com Employees, Engineering
These user accounts and groups are used to complete the walkthroughs later in this document.
To create the above user accounts, open an elevated Windows PowerShell command prompt, and run the
following command. All the user accounts will use the password: “pass@word1”:
PS C:\users\AzureAdmin> New-ADUser –Name "Robert Hatley" -SamAccountName "roberth" -DisplayName "Robert Hatley" -
AccountPassword (ConvertTo-SecureString “pass@word1” -AsPlainText –Force) -ChangePasswordAtLogon $false -
PasswordNeverExpires $true -Enabled $true -UserPrincipalName “roberth@litware369.com" -EmailAddress
“roberth@litware369.com" -GivenName "Hatley" -Surname "Robert"
PS C:\users\AzureAdmin> New-ADUser –Name "Janet Schorr" -SamAccountName "janets" -DisplayName "Janet Schorr" -
AccountPassword (ConvertTo-SecureString “pass@word1” -AsPlainText –Force) -ChangePasswordAtLogon $false -
PasswordNeverExpires $true -Enabled $true -UserPrincipalName “janets@litware369.com" -EmailAddress “janets@litware369.com"
-GivenName "Schorr" -Surname "Janet"
PS C:\users\AzureAdmin> New-ADUser –Name "Stuart Schorr" -SamAccountName "stuartr" -DisplayName "Stuart Railson" -
AccountPassword (ConvertTo-SecureString “pass@word1” -AsPlainText –Force) -ChangePasswordAtLogon $false -
PasswordNeverExpires $true -Enabled $true -UserPrincipalName “stuart@litware369.com" -EmailAddress “stuart@litware369.com"
-GivenName "Railson" -Surname "Stuart"
PS C:\users\AzureAdmin>
We now need to create some additional AD groups to assign users. The following table lists the groups
that we need to create at this time.
Finance finance@litware369.com
Marketing marketing@litware369.com
Engineering engineering@litware369.com
Employees employees@litware369.com
PS C:\users\AzureAdmin> New-ADGroup -Name Finance -SamAccountName Finance -GroupCategory Security -GroupScope Universal
PS C:\users\AzureAdmin>
PS C:\users\AzureAdmin>
3. Run the following command to add the user accounts to their appropriate groups:
PS C:\users\AzureAdmin>
PS C:\users\AzureAdmin> gpmc.msc
PS C:\users\AzureAdmin>
2. Double-click the name of the forest, double-click Domains, and double-click the name of the
domain.
3. Right-click Default Domain Policy, and then click Edit. A Group Policy Management Editor
window pops up.
6. Check Define these policy settings, and then click Add User or Group. An Add User or Group
dialog brings up.
7. Click Browse to locate the account with the Select Users, Computers, or Groups dialog.
5. In the details pane of the Certificate Templates console, right-click the Web Server template and
then click Duplicate Template. A Properties of New Template dialog brings up.
9. We must ensure the domain computer accounts will have the ability to enroll for the template. To
do so, click Add. A Select Users, Computers, Services Accounts, or Groups dialog brings up.
11. Under Template display name, type a name that you want to use for the template, for example,
“SSL Certificates” in our configuration.
12. Click OK.
13. Close the Certificate Templates console and return to the Certificate Authority console.
14. In the console tree of the Certification Authority console, right-click Certificate Templates, click
New, and then click Certificate Template to Issue. An Enable Certificate Templates dialog
brings up.
15. In the Enable Certificate Templates dialog, select the new certificate template that you just
configured (SSL Certificates) and then click OK.
Note For more information, see the Microsoft TechNet article WINDOWS SERVER 2012 R2 AD FS DEPLOYMENT
GUIDE67.
Important note You must have domain administrator permissions to deploy the AD FS role.
Note For more information about setting up SSL/TLS certificates, see the Microsoft TechNet Wiki article
CONFIGURE SSL/TLS ON A WEB SITE IN THE DOMAIN WITH AN ENTERPRISE CA68.
PS C:\users\AzureAdmin.LITWARE369>
67
WINDOWS SERVER 2012 R2 AD FS DEPLOYMENT GUIDE: http://technet.microsoft.com/en-us/library/dn486820.aspx
68
CONFIGURE SSL/TLS ON A WEB SITE IN THE DOMAIN WITH AN ENTERPRISE CA:
http://social.technet.microsoft.com/wiki/contents/articles/12485.configure-ssltls-on-a-web-site-in-the-domain-with-an-enterprise-
ca.aspx
Note For more information, see the Microsoft TechNet article AD CS ADMINISTRATION CMDLETS IN WINDOWS
POWERSHELL69.
3. The SSL certificate should now be imported into the Local Computer\My Store on the ADFS1
computer. Verify whether the SSL certificate has been imported by running the following
command:
Thumbprint Subject
---------- -------
F1DF749C3D84DFF8BE9DED211145C53F2F06D83D CN=mfalabsvc.cloudapp.net
DD6F97EAF0CE4FDB039036199136752F62C8E027 CN=litware369-ADFS1-CA, DC=litware369, DC=com
59D4CFDD539CB616B5608A555E115824BAF14E77 CN=WMSvc-ADFS1
044F380EE49583536012D77D940ACEBBCAC05B86 CN=adfs.litware369.com
PS C:\users\AzureAdmin.LITWARE369>
The certificates are listed by their thumbprint in the Local Computer\My Store. We will be later
interested in the thumbprint of the newly issued certificate, i.e. the one whose CN equals
adfs.litware369.com, for example in our configuration:
044F380EE49583536012D77D940ACEBBCAC05B86.
69
AD CS ADMINISTRATION CMDLETS IN WINDOWS POWERSHELL: http://technet.microsoft.com/en-us/library/hh848365.aspx
PS C:\Users\AzureAdmin.LITWARE369>
2. Run the following commands to create a Windows Internal Database (WID) along with the
required gMSA account:
PS C:\Users\AzureAdmin.LITWARE369>
Important note The ‘$’ at the end of the gMSA account is required.
PS C:\Users\AzureAdmin.LITWARE369>
In addition, we need to add our test user accounts to the local group Remote Desktop Users so that they
can open a remote desktop session on the virtual machine in Azure.
To add the test user accounts to the local group Remote Desktop Users, proceed with the following
steps:
1. Open an elevated Windows PowerShell command prompt, and run the following command to add
Janet Schorr to the local group:
PS C:\users\AzureAdmin.LITWARE369>
2. Run the following command to add Robert Hatley to the local group:
PS C:\users\AzureAdmin.LITWARE369>
5. In Add this website to the zone, type “https://adfs.litware369.com”, and then click Add. You
should replace litware369.com by your own domain as already mentioned.
6. Click Close, and then click OK.
7. Verify that the security level for the zone is set to the default setting of Medium-low which
enables Windows integrated authentication for Intranet zones.
8. Click OK to close the Internet Options dialog.
To verify that a federation server on ADFS1 is operational, proceed with the following steps:
1. Open a browsing session on ADFS1 and navigate to the federation service metadata endpoint, for
example, in our configuration:
2. You can alternatively navigate to the metadata exchange endpoint, which offers an XML service
description:
https://adfs.litware369.com/adfs/services/trust/mex
Click Sign in to verify that the user is successfully and seamlessly authenticated thanks to the
Windows Integrated Authentication. You shouldn’t see any Windows Security dialog if AD FS has
been properly configured.
PS C:\users\AzureAdmin.LITWARE369>
Note If you haven’t previously configured a new certificate template (e.g. the SSL certificates in our
configuration), you can use the WebServer certificate template in lieu of in the above command.
PS C:\users\AzureAdmin.LITWARE369> New-WebBinding -Name "Default Web Site" -IP "*" -Port 443 -Protocol https
PS C:\users\AzureAdmin.LITWARE369>
PS C:\Users\AzureAdmin.LITWARE369>
3. Open a browsing session and navigate to the default web site at https://www.litware369.com:
Note For more information, see the Microsoft TechNet article WEB APPLICATION PROXY OVERVIEW70 as well as
the section DEPLOYING FEDERATION SERVER PROXIES71 of the WINDOWS SERVER 2012 R2 AD FS DEPLOYMENT GUIDE also
available on Microsoft TechNet.
To install and configure the Web Application Proxy role service, proceed with the following steps:
1. Open an elevated Windows PowerShell command prompt if none, and run the following
command:
PS C:\Users\AzureAdmin.LITWARE369>
2. Run the following command to collect the credential of the LITWARE369\AzureAdmin user:
70
WEB APPLICATION PROXY OVERVIEW: http://technet.microsoft.com/en-us/library/dn280944.aspx
71
DEPLOYING A FEDERATION SERVER FARM: http://technet.microsoft.com/en-us/library/dn486775.aspx
3. Run the following commands to install and configure the Web Application Proxy (WAP):
PS C:\Users\AzureAdmin.LITWARE369>
Note For more information, see the Microsoft TechNet article WEB APPLICATION PROXY CMDLETS IN WINDOWS
POWERSHELL72.
To verify that you can successfully authenticate against the federation server on the Internet, proceed with
the following steps:
1. Open a browsing session on your local computer and navigate to the AD FS sign-in page, for
example in our configuration:
https://adfs.litware369.com/adfs/ls/idpinitiatedsignon.htm
Note If the SSL certificate used in the configuration has not been issued by a public certification authority,
you will need to add the test lab certification authority Litware369-ADFS1-CA root certificate to the trusted root
certification authorities of your user’s store.
As before, this displays the AD FS sign-in page where you can sign in with the domain credentials.
72
WEB APPLICATION PROXY CMDLETS IN WINDOWS POWERSHELL: http://technet.microsoft.com/en-us/library/dn283404.aspx
Next, we will continue working on SQL1 using SQL Server Management Studio and other administrative
tools to make some configuration changes to support SQL Server access before we install AD RMS later in
this document. First, the LITWARE369\AzureAdmin account needs to be given sysadmin rights on the SQL
Server instance in order to be able to create the AD RMS databases during AD RMS setup.
4. Type in the following command to open SQL Server Management Studio and then click OK:
9. For Login Name, click Search. A Select User or Group dialog pops up.
10. In Enter the object name to select, type “LITWARE369\AzureAdmin” and then click Check
Names. A Windows Security dialog pops up.
Services.msc
4. In SQL Server Browser Properties, for Startup type, select Automatic and then click Apply.
5. Click Start to start the SQL Server Browser service.
6. Click OK and then close the Services console.
Name : {82a6cf85-72ef-4322-aa0d-50481e278878}
DisplayName : SQL Server
Description :
DisplayGroup :
Group :
Enabled : True
Profile : Any
Platform : {}
Direction : Inbound
Action : Allow
PS C:\Users\AzureAdmin.LITWARE369>
The forthcoming configuration of the AD RMS cluster can use Microsoft SQL Server 2012.
Important note You must have domain administrator permissions to deploy the AD RMS role.
PS C:\users\AzureAdmin.LITWARE369>
Note If you have not configured a new certificate template (e.g. the SSLCertificates in our configuration),
you can use the WebServer certificate template in lieu of in the above command.
PS C:\users\AzureAdmin.LITWARE369> New-WebBinding -Name "Default Web Site" -IP "*" -Port 443 -Protocol https
PS C:\users\AzureAdmin.LITWARE369>
2. Run the following commands to associate the imported SSL certificate to the newly created SSL
binding:
PS C:\Users\AzureAdmin.LITWARE369>
3. Open a browsing session and navigate to the default web site at https://adrms.litware369.com.
Install-WindowsFeature NET-Framework-Core
Additional configuration is now required to deploy the AD RMS server role. The AD RMS server role in
Windows Server 2012 R2 is manageable by two sets of Windows PowerShell cmdlets. One set
(AdRmsInstall) assists in deploying and configuring AD RMS, and the second set (AdRmsAdmin) can be
later used to administer an AD RMS cluster.
To run these two set of cmdlets, you need to import these modules:
After the modules are imported, you can manage and administer AD RMS installations and components
through Windows PowerShell.
Note For additional information, you can refer to the Microsoft TechNet articles AD RMS CMDLETS IN
WINDOWS POWERSHELL73 and USING WINDOWS POWERSHELL TO DEPLOY AD RMS74.
73
AD RMS CMDLETS IN WINDOWS POWERSHELL: http://technet.microsoft.com/en-us/library/ee617271
74
USING WINDOWS POWERSHELL TO DEPLOY AD RMS: http://go.microsoft.com/fwlink/?LinkId=136806
1. Open an elevated Windows PowerShell command prompt if none, and run the following
command to import the AdRmsInstall set of Windows PowerShell cmdlets:
PS C:\Users\AzureAdmin.LITWARE369>
2. Run the following command to create a Windows PowerShell drive to represent the server we are
provisioning:
PS C:\Users\AzureAdmin.LITWARE369>
At this stage, we can now set properties on objects in the drive namespace RC:\ that represent
required configuration settings. Setting properties on objects in the drive namespace is similar to
using a wizard to specify configuration settings when installing a server role.
3. Run the following command to configure the AD RMS server to use the SQL1 server and the
default instance:
WARNING: Verifying the specified database information. This may take a few minutes.
PS C:\Users\AzureAdmin.LITWARE369>
75
INSTALLING AN AD RMS CLUSTER: http://technet.microsoft.com/en-us/library/ee221041(v=ws.10).aspx
76
JOINING AN EXISTING CLUSTER: h http://technet.microsoft.com/en-us/library/ee221028(v=ws.10).aspx
PS C:\Users\AzureAdmin.LITWARE369>
When prompted, enter the following credential in the dialog below and click OK:
Username: LITWARE369\ADRMSSVC
Password: pass@word1
5. Run the following command to securely store the cluster key password string in a variable and
assign it to the AD RMS installation:
ClusterPassword:: **********
PS C:\Users\AzureAdmin.LITWARE369>
Note We choose to protect the AD RMS cluster key by using this option because it simplifies the
configuration and does not require additional components. However, you should normally provide the best
protection for this key through hardware Cryptographic Security Provider (CSP) for a HSM.
PS C:\Users\AzureAdmin.LITWARE369>
Note As a security best practice, the AD RMS cluster should be provisioned by using an SSL/TLS-
encrypted connection. You should be using a certificate provided by a third-party public certification authority
(CA) so that it can be automatically trusted by all parties. This certificate should already be installed on the server
so that you can select it as you proceed through the installation.
7. Run the following command to set the SLC name for the AD RMS installation:
PS C:\Users\AzureAdmin.LITWARE369>
PS C:\Users\AzureAdmin.LITWARE369>
Note As noticed before, the service connection point (SCP) is an object in the Active Directory
configuration partition that holds the Web address of the AD RMS cluster. As depicted at the beginning of this
document, this object is not used by the Mobile Device Extension. The Mobile Device Extension rather relies on a
DNS-based service discovery mechanism. However, since such an object is typically registered in AD RMS
deployment, we will do the same here.
Only one SCP can exist in your Active Directory forest. If you try to install an AD RMS cluster and an SCP already
exists in your forest from a previous AD RMS installation (attempt) that was not properly de-provisioned, the new
SCP will not install properly. It must be removed before you can establish the new SCP. You can remove an SCP
by using the ADScpRegister.exe tool included in the Rights Management Services Administration Toolkit with
SP2 available for download on the Microsoft Download Center 77.
77
Rights Management Services Administration Toolkit with SP2: http://www.microsoft.com/downloads/details.aspx?
familyid=BAE62CFC-D5A7-46D2-9063-0F6885C26B98&displaylang=en
PS C:\Users\AzureAdmin.LITWARE369>
When prompted to confirm the installation and the configuration of AD RMS on the computer,
type “Y” and press ENTER.
In addition to installing the AD RMS server role and provisioning the server, this cmdlet also
installs if necessary any other features required by AD RMS like Message Queuing to end the logs
to the database server.
Note Additional details can be found in the Microsoft TechNet articles USING WINDOWS POWERSHELL TO
ADMINISTER AD RMS78 and CONFIGURING AD RMS CLUSTER PROPERTIES79.
PS C:\Users\AzureAdmin.LITWARE369>
3. Run the following command to create a Windows PowerShell drive that represents the newly
installed cluster hosted by the local computer ADRMS1:
Security Alert
Information you exchange with this site cannot be viewed or changed by others. However, there are the following
problems with the site's security certificate:
The name of the security certificate is not valid or does not match the name of the site.
Do you want to continue?
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y
PS C:\Users\AzureAdmin.LITWARE369>
PS C:\Users\AzureAdmin.LITWARE369>
78
USING WINDOWS POWERSHELL TO ADMINISTER AD RMS: http://technet.microsoft.com/en-us/library/ee221079(v=ws.10).aspx
79
CONFIGURING AD RMS CLUSTER PROPERTIES: http://technet.microsoft.com/en-us/library/ee221079(v=ws.10).aspx
From the console, you can configure trust policies, configure exclusion policies, and create rights policy
templates.
The base configuration is now complete with all the dependencies in place for the Mobile Device
Extension.
4. Click YES. Once all the allocated resources will be deallocated, the status of the VMs will then
change to Stopped (Deallocated).
To resume working on the test lab, you will then need to start in order the DC1 computer, then the ADFS1
computer, the SQL1 computer, the ADRMS1 computer, and finally EDGE1.
To start the VMs of the test lab environment, proceed with the following steps:
1. From within the Azure management portal, select VIRTUAL MACHINES on the left pane.
2. Under VIRTUAL MACHINE INSTANCES, select dc1 and then click START at the tray of the
bottom.
3. Click dc1, and then select DASHBOARD.
Note For the purpose of this document, it leverages the Microsoft TechNet article ACTIVE DIRECTORY RIGHTS
MANAGEMENT SERVICES MOBILE DEVICE EXTENSION80.
2. An authorization rule that permits the issuance of the above claims for all users.
To automatically configure AD FS in accordance, proceed with the following steps:
1. Open a remote desktop connection on the ADFS1 computer as LITWARE369\AzureAdmin with
“pass@word1” as password.
80
ACTIVE DIRECTORY RIGHTS MANAGEMENT SERVICES MOBILE DEVICE EXTENSION:
http://technet.microsoft.com/en-us/library/dn673574(v=ws.10).aspx
# This Script Configures the Microsoft Rights Management Mobile Device Extension and Claims used in the ADFS Server
# Check if Microsoft Rights Management Mobile Device Extension is configured on the Server
$CheckifConfigured = Get-AdfsRelyingPartyTrust -Identifier "api.rms.rest.com"
if ($CheckifConfigured)
{
Write-Host "api.rms.rest.com Identifer used for Microsoft Rights Management Mobile Device Extension is already configured
on this Server"
Write-Host $CheckifConfigured
}
else
{
Write-Host "Configuring Microsoft Rights Management Mobile Device Extension "
@RuleTemplate = "PassThroughClaims"
@RuleName = "JWT pass through"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
=> issue(claim = c);
@RuleTemplate = "PassThroughClaims"
@RuleName = "JWT pass through"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
=> issue(claim = c);
@RuleTemplate = "PassThroughClaims"
@RuleName = "JWT pass through Proxy addresses"
c:[Type == "http://schemas.xmlsoap.org/claims/ProxyAddresses"]
=> issue(claim = c);
"@
# Add a Relying Part Truest with Name -"Microsoft Rights Management Mobile Device Extension" Identifier "api.rms.rest.com"
Add-ADFSRelyingPartyTrust -Name "Microsoft Rights Management Mobile Device Extension" -Identifier "api.rms.rest.com" -
IssuanceTransformRules $TransformRules -IssuanceAuthorizationRules $AuthorizationRules
81
Add-AdfsRelyingPartyTrust4TestLabEnvironment.ps1: http://www.microsoft.com/en-us/download/details.aspx?id=36391
82
ACTIVE DIRECTORY RIGHTS MANAGEMENT SERVICES MOBILE DEVICE EXTENSION:
http://technet.microsoft.com/en-us/library/dn673574(v=ws.10).aspx
PS C:\Users\AzureAdmin.LITWARE369> cd .\Desktop
PS C:\Users\AzureAdmin.LITWARE369\Desktop> .\Add-AdfsRelyingPartyTrust4TestLabEnvironment.ps1
PS C:\Users\AzureAdmin.LITWARE369
PS C:\users\AzureAdmin.litware369\Desktop> Add-AdfsClient -Name "RMS Sharing App for Android" -ClientId "ECAD3080-3AE9-
4782-B763-2DF1B1373B3A" -RedirectUri @("com.microsoft.rms-sharing-for-android://authorize")
PS C:\users\AzureAdmin.litware369\Desktop>
PS C:\users\AzureAdmin.litware369\Desktop> Add-AdfsClient -Name "RMS Sharing App for iOS" -ClientId "9D7590FB-9536-4D87-
B5AA-FAA863DCC3AB" -RedirectUri @("com.microsoft.rms-sharing-for-ios://authorize")
PS C:\users\AzureAdmin.litware369\Desktop>
PS C:\users\AzureAdmin.litware369\Desktop> Add-AdfsClient -Name "RMS Sharing App for OSX" -ClientId "96731E97-2204-4D74-
BEA5-75DCA53566C3" -RedirectUri @("com.microsoft.rms-sharing-for-osx://authorize")
PS C:\users\AzureAdmin.litware369\Desktop>
PS C:\users\AzureAdmin.litware369\Desktop> Add-AdfsClient -Name "RMS Sharing App for WindowsPhone" -ClientId "6507DFAF-
F19E-47C6-82C3-08AFEE79D74E" -RedirectUri @("com.microsoft.rms-sharing-for-wp://authorize")
PS C:\users\AzureAdmin.litware369\Desktop>
PS C:\users\AzureAdmin.litware369\Desktop> Add-AdfsClient -Name "RMS Sharing App for Windows RT" -ClientId "D27EA168-C4FE-
41E7-8876-B47FF6376003" -RedirectUri @("com.microsoft.rms-sharing-for-WinRT://authorize")
PS C:\users\AzureAdmin.litware369\Desktop>
Note In order to allow access from OAuth 2.0 clients to REST resources secured by AD FS, the app have to
be pre-registered with AD FS by using the cmdlet Add-AdfsClient83. AD FS will not allow access to a REST resource
to clients that specify a client identifier or redirection URI that are not registered with AD FS. For additional
information, see the Microsoft MDSN article DEVELOPING MODERN APPLICATIONS USING OAUTH AND ACTIVE DIRECTORY
FEDERATION SERVICES84.
83
ADD-ADFSCLIENT: http://technet.microsoft.com/en-us/library/dn479319.aspx
84
DEVELOPING MODERN APPLICATIONS USING OAUTH AND ACTIVE DIRECTORY FEDERATION SERVICES:
http://msdn.microsoft.com/en-us/library/dn633593.aspx
Domain _tcp.litware369.com
Service _rmsdisco
Protocol _http
Priority 0
Weight 0
Port number 443
Host offering this service adrms.litware369.com
As far as the latter is concerned, in the chosen test topology for our test lab, i.e. a single cluster in a single
forest, only one DNS SRV record must be created for the AD RMS cluster adrms.litware369.com, pointing
to the same cluster. This record has the following value:
_rmsdisco._http._tcp.adrms.litware369.com 443 adrms.litware369.com
The following table can be used as a guide for the SRV record properties:
Field Value
Domain _tcp.adrms.litware369.com
Service _rmsdisco
Protocol _http
Priority 0
Weight 0
Port number 443
Host offering this service adrms.litware369.com
3. On the Products tab, at the end of the DOMAINS row, click Launch.
4. On the Domains page, find the domain name in which the service discovery records should be
added, in our case litware369.com.
5. Click the domain name, in our case LITWARE369.COM. The Domain Details page opens in a new
tab in your browser.
8. Click the down arrow for the Record type: box and select SRV (Services). The Add DNS Record
dialog displays the related fields.
13. Click Save Changes to save your two new SRV records
14. Scroll down to the SRV (Service). You should see the two newly added SRV records.
Address: 209.244.0.3
litware369.com
primary name server = ns09.domaincontrol.com
responsible mail addr = dns.jomax.net
serial = 2014073101
refresh = 28800 (8 hours)
retry = 7200 (2 hours)
expire = 604800 (7 days)
default TTL = 600 (10 mins)
PS C:\Users\AzureAdmin.LITWARE369>
Note You can specify one of the name server of your DNS zone instead of the external DNS server used
above (209.244.0.3). In our illustration with GoDaddy.com, see the article FINDING YOUR HOSTING ACCOUNT'S NAME
SERVERS85 to determine the name servers. For our litware369.com zone, the name servers are
ns09.domaincontrol.com (216.69.185.5) and ns10.domaincontrol.com (208.109.255.5).
If you see the SRV entry, you can continue with the deployment of the Mobile Device Extension. The
Azure-based test lab environment uses a split brain DNS configuration. Thus, the above records enables a
correct resolution whatever network the device is connected to.
For organization that do not use such a DNS configuration, the optional next section illustrates how to
locally declare these records.
PS C:\users\AzureAdmin>
3. Run the following command to add the second service discovery record
_rmsdisco._http._tcp.adrms.litware369.com 443 adrms.litware369.com:
PS C:\users\AzureAdmin>
85
FINDING YOUR HOSTING ACCOUNT'S NAME SERVERS: http://support.godaddy.com/help/article/6795
PS C:\Users\AzureAdmin.LITWARE369>
1. From the previous remote desktop connection, open a command prompt, navigate to the location
of the .exe file, and run the following command to start the setup:
PS C:\Users\AzureAdmin.LITWARE369> cd Downloads
PS C:\Users\AzureAdmin.LITWARE369\Downloads> .\ADRMS.MobileDeviceExtension.exe
The Active Directory Rights Management Services Mobile Device Extension Setup Wizard
pops up.
2. Click Next.
3. Check I accept the terms in the License Agreement and click Next.
5. Click Install.
Since the AD RMS server is published through WAP, in addition to publishing the /_wmcs folder to
the Internet, you need to also publish the /my folder, i.e. https:// adrms.litware369.com/my.
As this point, the semi-automated guided construction of the Azure-based test lab environment is
complete.
You may wish to test some content protection scenarios to ensure that the Mobile Device Extension for
AD RMS along w/ all the pre-requisites are correctly configured and worked as expected.
Appendix provides a procedure to create a virtual machine running on Hyper-V on your local Windows
machine to fully emulate such an Android device with an Internet connection.
Turning on logging
If you run into some specifics issues when testing of the Mobile Device Extension, you can turn on logging
and then check the mobile device logs in the AD RMS database.
To turn on logging of the rights management server ADRMS1, proceed with the following steps:
1. Open a remote desktop connection on the ADRMS1 computer as LITWARE369\AzureAdmin with
“pass@word1” as password.
PS C:\Users\AzureAdmin.LITWARE369>
3. Run the following command to create a Windows PowerShell drive that represents the cluster
hosted by the local computer:
PS C:\Users\AzureAdmin.LITWARE369>
At this stage, we can now set properties on objects in the drive namespace AdrmsCluster:\ that
represent the configuration settings.
4. Run the following command to turn on logging:
PS C:\Users\AzureAdmin.LITWARE369>
Note To turn off logging, you simply need to rerun the above command with a value of $false.
UserId nvarchar User who made the request. Their user email janets@litware369.com
address is used to identify the user.
ClientTimeStamp datetime UTC Date and Time in 24H format the trace 2014-07-08 23:19:45.000
entry was written.
Message nvarchar Free form text that contains the message for getAuthInfo: authInfo:
the trace entry. {mAuthServerUrl:https://adfs.
litware369.com/adfs/oauth2/
authorize}
{mResource:api.rms.rest.com}
{mScope:null}
ThreadId int Identifier that can tie the set of operations that 5021
are happening the same thread.
TraceLevel nchar Type of the message of the trace entry. Info
Supported types are
Error
Warning
Info
Verbose
ClientCorrelationId uniqueiden GUID that is common between the RMS client 00000000-0000-0000-0000-
tifier and the server for a given request. This helps in 000000000000
troubleshooting client issues. If the trace entry
is not a call to the server, this is empty.
ClientScenarioId uniqueiden GUID that identifies the client scenario the 6BD8AF07-AE25-41D9-
tifier trace entry was written under. A client scenario AAA2-6641BFF2A1A2
cover zero or more call to the server.
CreateTime datetime UTC Date and Time in 24H format when the 2014-07-08 23:19:48.803
call was served. The source is the local clock on
the server that served the call.
FullClientInformation nvarchar Client side information including the device DevicePlatform=Android;Dev
environment (platform OS and model), the iceModel=Samsung
RMS SDK version, the RMS-enlightened ABC;SDKVersion=4.0;AppNa
application me=SampleApp.exe;AppPubl
isherId=123
UserId nvarchar User who made the request. Their user email janets@litware369.com
address is used to identify the user.
ClientTimeStamp datetime UTC date and time in 24H format the trace 2014-06-27 07:11:28.000
entry was written.
OperationName nvarchar Name of the operation. Operations serve two GetServiceDiscoveryURLs
purposes. Operations can represent client
scenarios, which cover zero or more calls to the
server (like Consume or Protect), and they can
represent a specific call to the server. In the
case it represents a specific call to the server,
the ClientCorrelationId field is set. In the case it
represents a client scenario, the
ClientCorrelationId is empty (See below). In
both cases, the ClientScenarioId field is set.
Latency bigint Time it took to complete the operation in 142
milliseconds.
ClientCorrelationId uniqueiden GUID that is common between RMS client and B079C03D-FD9A-4CE3-
tifier server for a given call. This helps in BA16-4C8745491854
troubleshooting client issues. If the trace entry
is not a call to the server, this is empty.
ClientScenarioId uniqueiden GUID that identifies the client scenario the 6BD8AF07-AE25-41D9-
tifier trace entry was written under. A client scenario AAA2-6641BFF2A1A2
cover zero or more call to the server.
FullClientInformation nvarchar Client side information including the device DevicePlatform=Android;Dev
environment (platform OS and model), the iceModel=Samsung
RMS SDK version, the RMS-enlightened ABC;SDKVersion=4.0;AppNa
application me=SampleApp.exe;AppPubl
isherId=123
NetworkType nvarchar Placeholder for future network information for
the RMS client. This is empty.
CreateTime Datetime UTC Date and Time in 24H format when the 2014-06-27 07:11:18.280
call was served. The source is the local clock on
the server that served the call.
This concludes the guided tour of the Mobile Device Extension for AD RMS.
Note For additional information, see the blog posts CREATING AN ANDROID X86 VIRTUAL MACHINE FOR TESTING
WINDOWS INTUNE AND EMS CAPABILITIES87 and INSTALLING ANDROID-X86 ON HYPER-V WITH WINDOWS 8.1 IN UNDER 5
MINUTES88.
The information contained in this document represents the current view of Microsoft Corporation on the
issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions,
it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the
accuracy of any information presented after the date of publication.
This white paper is for informational purposes only. Microsoft makes no warranties, express or implied, in this
document.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft Corporation.
86
Android-x86 Project – Run Android on Your PC: http://www.android-x86.org/
87
CREATING AN ANDROID X86 VIRTUAL MACHINE FOR TESTING WINDOWS INTUNE AND EMS CAPABILITIES:
http://www.theenterprisemobilityguy.com/2014/07/creating-an-android-x86-virtual-machine-for-testing-windows-intune-and-ems-
capabilities-3/
88
INSTALLING ANDROID-X86 ON HYPER-V WITH WINDOWS 8.1 IN UNDER 5 MINUTES: http://www.servethehome.com/installing-android-x86-
hyper-v-windows-8-1/