AD RMS with AD FS not working

  • Question

  • Hey all,

    I'm trying to implement an ADRMS+ADFS scenario to connect two forests without any trusts, so they can share protected content.

    I have forest A, with a DC server, a FS server, a RMS server and a client computer.

    In forest B, I have a DC server, that accumulates with FS server, and a client computer.

    The objective is to have protected content created on forest A and consumed in either forest A or forest B.

    I've configured the FS servers as per Microsoft documentation, and I've configured RMS to be Federation aware.

    I've protected a document in forest A, and I've sent it to the client on forest B. However, when client B tries to open it, I get asked for credentials to access the RMS link /_wmcs/licensing/servicelocator.asmx. At no point do I see anything going to either FS server. Even if I input the client B credentials, it keeps popping up.

    I believe that the FS agent on the RMS server is not properly intercepting the request, and forwarding it to the FS server, but I can't quite "prove" it. I can't see anything on the local logs on the RMS server, from either the RMS services or the FS component. The FS servers are both "quiet" and don't seem to have any communication with the client during my tests.

    Also, I'm not really sure about the Federation registry key to input in the client B registry. I've seen two different formats for it: urn:federation:localfsserver and https://localfsserver/adfs/ and I think I've seen https://localfsserver/adfs/ls/ somewhere as well. I'm creating the field in HKLM\Software\Microsoft\MSDRM\FederationHomeRealm.

    These are all 2008 R2 servers, with AD FS 1.0. The clients are Windows 7 with Office 2010.

    Could someone give me a hand with this? I don't know if something needs to be adjusted in the IIS of the RMS server, as it seems that it is demanding authentication from the "unknown" forest B client, and that's not exactly the expected behavior in this situation.

    Thanks for your time!

    Cheers,

    Helder

    • Changed type Helder Nascimento Tuesday, October 9, 2012 1:25 PM It is really a question, and not a discussion
    Wednesday, October 3, 2012 2:41 PM

Answers

  • Hi Helder,

    I am sorry to hear you are having problems getting AD RMS and AD FS working together. The following blog post has additional tips that might be helpful to you in troubleshooting your issues.

    http://blogs.technet.com/b/rms/archive/2012/04/28/tips-for-troubleshooting-ad-rms-and-ad-fs-integration.aspx

    It also has a link near the bottom of it to where you can download the AD FS Diagnostic Tool, which might have more data on why your AD FS setup is not working as expected.

    HTH,


    Brad Mahugh
    Microsoft Corporation
    ------------------------
    This post is provided "AS IS" and confers no promises of current or future technical support for a specific support issue. Please use Microsoft product support if you need a service commitment for your current support case or issue.


    Monday, April 1, 2013 9:29 PM

All replies

  • I know this is an old thread and the question was specifically for Windows Server 2008 R2, but I wanted to let folks know that we've published a new set of step-by-step instructions for AD RMS with AD FS on Windows Server 2012 R2.

    We also ran into a lot of problems when trying to get this working, and one of the things that we specifically included in this new document was checkpoint verification tests - both "just in time" and repeated in a summary section with tips for what to check if the tests fail. Hopefully, with these checkpoints, you can narrow down the problem or at least eliminate what isn't a problem. And when we ran into odd, quirky things ourselves (such as case-sensitivity for some values, or the importance of a trailing "/"), we included these in the document as well. If you have any other tips, consider adding them as a Community Addition at the bottom of the page to help other people.

    Deploying Active Directory Rights Management Services with Active Directory Federation Services

    Thursday, September 25, 2014 1:48 AM