Leverage the Mobile Device Extension for AD RMS


Testing and evaluating the Mobile Device Extension for AD RMS




This walkthrough provides instructions for configuring the Mobile Device Extension for AD RMS in a Windows Server 2012 (R2)-based environment. It is based on the “on-premises” test lab environment deployed in Azure as described in the previous sections. This environment satisfies all the prerequisites for the Mobile Device Extension.

Note For the purpose of this document, this section leverages the Microsoft TechNet article Active Directory Rights Management Services Mobile Device Extension.

It consists of the following three steps, which must be followed in order:



  1. Configuring AD FS for the Mobile Device Extension for AD RMS.

  2. Specifying the DNS SRV records for the Mobile Device Extension for AD RMS.

  3. Deploying the Mobile Device Extension for AD RMS.

The following subsections describe each of these steps in the context of our test lab environment.

Configuring AD FS for the Mobile Device Extension for AD RMS

Automatically configuring AD FS for the Mobile Device Extension


The configuration of AD FS for the Mobile Device Extension for AD RMS consists of creating a relying party trust for the Mobile Device Extension along with:

  1. An issuance transform rule that sources from AD DS and passes through the following claims for the authenticated user:

     • Primary email address (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress)

     • User principal name (UPN) (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn)

     • Proxy email addresses, if present (http://schemas.xmlsoap.org/claims/ProxyAddresses)

  2. An authorization rule that permits the issuance of the above claims for all users.

To configure AD FS accordingly, proceed with the following steps:

  1. Open a remote desktop connection on the ADFS1 computer as LITWARE369\AzureAdmin with “pass@word1” as password.

  2. Download the script Add-AdfsRelyingPartyTrust4TestLabEnvironment.ps1 to the Desktop and unblock it so that it complies with the execution policy set above and can be executed in your environment.

Note The content of the script Add-AdfsRelyingPartyTrust4TestLabEnvironment.ps1 is a copy of the content provided in the Microsoft TechNet article Active Directory Rights Management Services Mobile Device Extension.
# This script configures the relying party trust for the Microsoft Rights Management Mobile Device Extension
# and the claims it uses on the AD FS server.
# Check whether the Microsoft Rights Management Mobile Device Extension is already configured on this server.
$CheckifConfigured = Get-AdfsRelyingPartyTrust -Identifier "api.rms.rest.com"
if ($CheckifConfigured)
{
    Write-Host "api.rms.rest.com Identifier used for Microsoft Rights Management Mobile Device Extension is already configured on this Server"
    Write-Host $CheckifConfigured
}
else
{
    Write-Host "Configuring Microsoft Rights Management Mobile Device Extension "
    # Transform rules used by the Microsoft Rights Management Mobile Device Extension
    # Claims: Email, UPN and ProxyAddresses (queried from AD DS, then passed through)
    $TransformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Jwt Token"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/claims/ProxyAddresses"), query = ";mail,userPrincipalName,proxyAddresses;{0}", param = c.Value);
@RuleTemplate = "PassThroughClaims"
@RuleName = "JWT pass through"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(claim = c);
@RuleTemplate = "PassThroughClaims"
@RuleName = "JWT pass through"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);
@RuleTemplate = "PassThroughClaims"
@RuleName = "JWT pass through Proxy addresses"
c:[Type == "http://schemas.xmlsoap.org/claims/ProxyAddresses"]
 => issue(claim = c);
"@
    # Authorization rules used by the Microsoft Rights Management Mobile Device Extension
    # Allow all users
    $AuthorizationRules = @"
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@
    # Add a relying party trust with the name "Microsoft Rights Management Mobile Device Extension" and the identifier "api.rms.rest.com"
    Add-AdfsRelyingPartyTrust -Name "Microsoft Rights Management Mobile Device Extension" -Identifier "api.rms.rest.com" -IssuanceTransformRules $TransformRules -IssuanceAuthorizationRules $AuthorizationRules
    Write-Host "Microsoft Rights Management Mobile Device Extension Configured"
}


  3. Open a Windows PowerShell command prompt, change to the Desktop folder, and run the script to create the relying party trust with the identifier api.rms.rest.com:

PS C:\Users\AzureAdmin.LITWARE369> cd .\Desktop

PS C:\Users\AzureAdmin.LITWARE369\Desktop> .\Add-AdfsRelyingPartyTrust4TestLabEnvironment.ps1

Configuring Microsoft Rights Management Mobile Device Extension

Microsoft Rights Management Mobile Device Extension Configured

PS C:\Users\AzureAdmin.LITWARE369



Authorizing the RMS sharing app for your devices


To authorize the RMS sharing app for your devices, proceed with the following steps:

  1. If needed, open a remote desktop session as LITWARE369\AzureAdmin.

  2. From the previous Windows PowerShell command prompt, run the command for each device platform you want to authorize:

For Android devices:
PS C:\users\AzureAdmin.litware369\Desktop> Add-AdfsClient -Name "RMS Sharing App for Android" -ClientId "ECAD3080-3AE9-4782-B763-2DF1B1373B3A" -RedirectUri @("com.microsoft.rms-sharing-for-android://authorize")

PS C:\users\AzureAdmin.litware369\Desktop>


For iPhone and iPad devices:
PS C:\users\AzureAdmin.litware369\Desktop> Add-AdfsClient -Name "RMS Sharing App for iOS" -ClientId "9D7590FB-9536-4D87-B5AA-FAA863DCC3AB" -RedirectUri @("com.microsoft.rms-sharing-for-ios://authorize")

PS C:\users\AzureAdmin.litware369\Desktop>


For Mac devices:
PS C:\users\AzureAdmin.litware369\Desktop> Add-AdfsClient -Name "RMS Sharing App for OSX" -ClientId "96731E97-2204-4D74-BEA5-75DCA53566C3" -RedirectUri @("com.microsoft.rms-sharing-for-osx://authorize")

PS C:\users\AzureAdmin.litware369\Desktop>


For Windows Phone devices:
PS C:\users\AzureAdmin.litware369\Desktop> Add-AdfsClient -Name "RMS Sharing App for WindowsPhone" -ClientId "6507DFAF-F19E-47C6-82C3-08AFEE79D74E" -RedirectUri @("com.microsoft.rms-sharing-for-wp://authorize")

PS C:\users\AzureAdmin.litware369\Desktop>


For Windows RT devices:
PS C:\users\AzureAdmin.litware369\Desktop> Add-AdfsClient -Name "RMS Sharing App for Windows RT" -ClientId "D27EA168-C4FE-41E7-8876-B47FF6376003" -RedirectUri @("com.microsoft.rms-sharing-for-WinRT://authorize")

PS C:\users\AzureAdmin.litware369\Desktop>




Note In order to allow access from OAuth 2.0 clients to REST resources secured by AD FS, the apps have to be pre-registered with AD FS by using the cmdlet Add-AdfsClient. AD FS will not allow access to a REST resource to clients that specify a client identifier or redirection URI that is not registered with AD FS. For additional information, see the Microsoft MSDN article Developing Modern Applications using OAuth and Active Directory Federation Services.
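The following verification script is an added example, not part of the TechNet article or of the test lab script above. It checks that the relying party trust and the five RMS sharing app client registrations created in the two previous subsections exist and carry exactly the identifier, claim types, client IDs and redirect URIs shown there; it assumes the ADFS PowerShell module is available on ADFS1 and that the cmdlet output properties IssuanceTransformRules, IssuanceAuthorizationRules and RedirectUri are present as in Windows Server 2012 R2.

```powershell
# Added verification script (not from the TechNet article or the test lab script).
# Confirms that the relying party trust and the RMS sharing app client registrations
# created above exist and carry exactly the expected identifier, claim types and
# redirect URIs. Run in Windows PowerShell on ADFS1 as an AD FS administrator.
Import-Module ADFS
$expectedIdentifier = 'api.rms.rest.com'
$expectedClaims = @(
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn',
    'http://schemas.xmlsoap.org/claims/ProxyAddresses'
)
# Client IDs and redirect URIs exactly as registered with Add-AdfsClient above.
$expectedClients = @{
    'ECAD3080-3AE9-4782-B763-2DF1B1373B3A' = 'com.microsoft.rms-sharing-for-android://authorize'
    '9D7590FB-9536-4D87-B5AA-FAA863DCC3AB' = 'com.microsoft.rms-sharing-for-ios://authorize'
    '96731E97-2204-4D74-BEA5-75DCA53566C3' = 'com.microsoft.rms-sharing-for-osx://authorize'
    '6507DFAF-F19E-47C6-82C3-08AFEE79D74E' = 'com.microsoft.rms-sharing-for-wp://authorize'
    'D27EA168-C4FE-41E7-8876-B47FF6376003' = 'com.microsoft.rms-sharing-for-WinRT://authorize'
}
$problems = @()

# 1. The relying party trust must exist, its transform rules must emit all three
#    claims, and its authorization rules must use the AllowAllAuthzRule template.
$rpt = Get-AdfsRelyingPartyTrust -Identifier $expectedIdentifier
if (-not $rpt) {
    $problems += "Relying party trust '$expectedIdentifier' not found."
} else {
    foreach ($claim in $expectedClaims) {
        if ($rpt.IssuanceTransformRules -notmatch [regex]::Escape($claim)) {
            $problems += "Transform rules do not reference claim type $claim."
        }
    }
    if ($rpt.IssuanceAuthorizationRules -notmatch 'AllowAllAuthzRule') {
        $problems += 'Authorization rules do not use the AllowAllAuthzRule template.'
    }
}

# 2. Each expected OAuth client must be registered with exactly its one redirect URI;
#    an extra or altered URI would let a different app receive the user's tokens.
foreach ($clientId in $expectedClients.Keys) {
    $client = Get-AdfsClient -ClientId $clientId
    if (-not $client) { $problems += "Client $clientId is not registered."; continue }
    $uris = @($client.RedirectUri)
    if ($uris.Count -ne 1 -or $uris[0] -ne $expectedClients[$clientId]) {
        $problems += "Client '$($client.Name)' has unexpected redirect URIs: $($uris -join ', ')"
    }
}
$problems | ForEach-Object { Write-Warning $_ }
if (-not $problems) { Write-Host 'Mobile Device Extension AD FS configuration checks passed.' }
```

Any warning printed points at a deviation from the configuration this section establishes, such as a missing claim type in the transform rules or a redirect URI that differs from the one registered above.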
