A better administrative experience when you establish federated trusts. Improved trust policy import and export functionality helps to minimize partner-based configuration issues that are commonly associated with federated trust establishment.
Improved Installation
Active Directory Federation Services in Windows Server 2008 brings several improvements to the installation experience. To install Active Directory Federation Services in Windows Server 2003 R2, you had to go to Add/Remove Programs to find and install the Active Directory Federation Services component. However, in Windows Server 2008, you can install Active Directory Federation Services as a server role using Server Manager.
You can use improved Active Directory Federation Services configuration wizard pages to perform server validation checks before you continue with the Active Directory Federation Services server role installation. In addition, Server Manager automatically lists and installs all the services that Active Directory Federation Services depends on during the Active Directory Federation Services server role installation. These services include Microsoft ASP.NET 2.0 and other services that are part of the Web Server (IIS) server role.
Improved Application Support
Active Directory Federation Services in Windows Server 2008 includes enhancements that increase its ability to integrate with other applications, such as Office SharePoint Services 2007 and Active Directory Rights Management Services.
Integration With Office SharePoint Services 2007
Office SharePoint Services 2007 support is integrated into this version of Active Directory Federation Services. Active Directory Federation Services in Windows Server 2008 includes functionality to support Office SharePoint Services 2007 membership and role providers. This means that you can effectively configure Office SharePoint Services 2007 as a claims-aware application in Active Directory Federation Services, and you can administer any Office SharePoint Services 2007 sites using membership and role-based access control. The membership and role providers that are included in this version of Active Directory Federation Services are for consumption only by Office SharePoint Services 2007.
Integration With Active Directory Rights Management Server
Active Directory Rights Management Services and Active Directory Federation Services can be integrated in such a way that organizations can take advantage of existing federated trust relationships to collaborate with external partners and share rights-protected content. For example, an organization that has deployed Active Directory Rights Management Services can set up federation with an external organization by using Active Directory Federation Services. The organization can then use this relationship to share rights-protected content across the two organizations without requiring a deployment of Active Directory Rights Management Services in both organizations.
Better Administrative Experience When Establishing Federated Trusts
In both Windows Server 2003 R2 and Windows Server 2008, Active Directory Federation Services administrators can create a federated trust between two organizations using either a process of importing and exporting policy files or a manual process that involves the mutual exchange of partner values, such as Uniform Resource Identifiers (URIs), claim types, claim mappings, display names and so on. The manual process requires the administrator who receives this data to type all the received data into the appropriate pages in the Add Partner Wizard, which can result in typographical errors. In addition, the manual process requires the account partner administrator to send a copy of the verification certificate for the federation server to the resource partner administrator so that the certificate can be added through the wizard.
Although the ability to import and export policy files was available in Windows Server 2003 R2, creating federated trusts between partner organizations is easier in Windows Server 2008 as a result of enhanced policy-based export and import functionality. These enhancements were made to improve the administrative experience by permitting more flexibility for the import functionality in the Add Partner Wizard. For example, when a partner policy is imported, the administrator can use the Add Partner Wizard to modify any values that are imported before the wizard process is completed. This includes the ability to specify a different account partner verification certificate and the ability to map incoming or outgoing claims between partners.
By using the export and import features that are included with Active Directory Federation Services in Windows Server 2008, administrators can simply export their trust policy settings to an XML file and then send that file to the partner administrator. This exchange of partner policy files provides all of the URIs, claim types, claim mappings and other values, together with the verification certificates, that are necessary to create a federated trust between the two partner organizations.
The following illustration and accompanying instructions show how a successful exchange of policies between partners (in this case, initiated by the administrator in the account partner organization) can help streamline the process for establishing a federated trust between two fictional organizations: A Datum Corp and Trey Research.
The following flowchart shows how a domain controller running Windows Server 2008 can transition between these three possible states
1. The account partner administrator specifies the Export Basic Partner Policy option by right-clicking the Trust Policy folder and exports a partner policy file that contains the URL, display name, federation server proxy URL, and verification certificate for A Datum Corp. The account partner administrator then sends the partner policy file (by e-mail or other means) to the resource partner administrator.
2. The resource partner administrator creates a new account partner using the Add Account Partner Wizard and selects the option to import an account partner policy file. The resource partner administrator proceeds to specify the location of the partner policy file and to verify that all the values which are presented in each of the wizard pages (which are pre-populated as a result of the policy import) are accurate. The administrator then completes the wizard.
3. The resource partner administrator can now configure additional claims or trust policy settings that are specific to that account partner. After this configuration is complete, the administrator specifies the Export Policy option by right-clicking the A Datum Corp account partner. The resource partner administrator exports a partner policy file that contains values such as the URL, federation server proxy URL, display name, claim types and claim mappings for the Trey Research organization. The resource partner administrator then sends the partner policy file to the account partner administrator.
4. The account partner administrator creates a new resource partner using the Add Resource Partner Wizard and selects the option to import a resource partner policy file. The account partner administrator specifies the location of the resource partner policy file and verifies that all the values that are presented in each of the wizard pages (which are pre-populated as a result of the policy import) are accurate. The administrator then completes the wizard.
When this process is complete, a federation trust between both partners is established. Resource partner administrators can also initiate the import and export policy process, although that process is not described here.
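The four-step exchange above, modelled as an added example (not Microsoft's code, and not the real Active Directory Federation Services trust policy XML schema): a constructed, simplified policy file format is exported by one partner and imported and validated by the other, with the importing side rejecting files that lack required values or carry non-https endpoint URLs and recording the verification certificate's SHA-256 thumbprint for out-of-band confirmation. The organization names are the page's fictional A Datum Corp and Trey Research; all URLs, claim types and the certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed placeholder for the DER bytes of A Datum's verification certificate.
ADATUM_CERT_B64 = base64.b64encode(b"constructed-adatum-verification-certificate").decode()
# Values each side must find in the file it imports (simplified from the wizard pages).
ACCOUNT_PARTNER_VALUES = ("ServiceUrl", "DisplayName", "ProxyUrl", "Certificate")
RESOURCE_PARTNER_VALUES = ("ServiceUrl", "DisplayName", "ProxyUrl", "ClaimTypes", "ClaimMappings")

def export_policy(values: dict) -> str:
    """Steps 1 and 3: serialize one partner's trust-policy values to an XML file."""
    root = ET.Element("PartnerPolicy")
    for key, value in values.items():
        if key == "ClaimMappings":
            node = ET.SubElement(root, key)
            for incoming, outgoing in value.items():
                ET.SubElement(node, "Map", incoming=incoming, outgoing=outgoing)
        elif key == "ClaimTypes":
            node = ET.SubElement(root, key)
            for claim in value:
                ET.SubElement(node, "Claim").text = claim
        else:
            ET.SubElement(root, key).text = value
    return ET.tostring(root, encoding="unicode")

def check_policy(policy: dict, required: tuple) -> list:
    """Problems the importing administrator should reject on; an empty list means OK."""
    problems = [f"missing {k}" for k in required if not policy.get(k)]
    for key in ("ServiceUrl", "ProxyUrl"):
        parsed = urlparse(policy.get(key, ""))
        if parsed.scheme != "https" or not parsed.netloc:
            problems.append(f"{key} is not an https URL: {policy.get(key)!r}")
    return problems

def import_policy(xml_text: str, required: tuple) -> dict:
    """Steps 2 and 4: parse a received policy file and validate it before accepting it."""
    policy = {}
    for child in ET.fromstring(xml_text):
        if child.tag == "ClaimMappings":
            policy[child.tag] = {m.get("incoming"): m.get("outgoing") for m in child}
        elif child.tag == "ClaimTypes":
            policy[child.tag] = [c.text for c in child]
        else:
            policy[child.tag] = (child.text or "").strip()
    problems = check_policy(policy, required)
    if problems:
        raise ValueError("; ".join(problems))
    if "Certificate" in policy:
        # Thumbprint to confirm with the sending partner out of band before trusting it.
        cert_der = base64.b64decode(policy["Certificate"])
        policy["CertificateThumbprint"] = hashlib.sha256(cert_der).hexdigest()
    return policy

def run_exchange() -> dict:
    """Walk the four-step exchange between A Datum Corp and Trey Research."""
    # Step 1: the account partner (A Datum) exports its basic partner policy.
    adatum_file = export_policy({
        "ServiceUrl": "https://fs.adatum.example/adfs/",
        "DisplayName": "A Datum Corp",
        "ProxyUrl": "https://fsproxy.adatum.example/adfs/",
        "Certificate": ADATUM_CERT_B64})
    # Step 2: the resource partner (Trey Research) imports it and checks the values.
    adatum_seen_by_trey = import_policy(adatum_file, ACCOUNT_PARTNER_VALUES)
    # Step 3: Trey adds its claim types and mappings and exports its own policy.
    trey_file = export_policy({
        "ServiceUrl": "https://fs.treyresearch.example/adfs/",
        "DisplayName": "Trey Research",
        "ProxyUrl": "https://fsproxy.treyresearch.example/adfs/",
        "ClaimTypes": ["UPN", "Group"],
        "ClaimMappings": {"Adatum Employees": "TreyResearchPartners"}})
    # Step 4: A Datum imports the resource partner policy and completes the wizard.
    trey_seen_by_adatum = import_policy(trey_file, RESOURCE_PARTNER_VALUES)
    return {"account_partner": adatum_seen_by_trey, "resource_partner": trey_seen_by_adatum}
```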
New Settings
You configure Windows NT token-based Web Agent settings with the IIS Manager snap-in. To support the new functionality that is provided with IIS 7.0, Windows Server 2008 Active Directory Federation Services includes UI updates for the Active Directory Federation Services Web Agent role service. The following table lists the locations in IIS Manager for IIS 6.0 and for IIS 7.0 of each of the Active Directory Federation Services Web Agent property pages, depending on the version of IIS that is used.
Active Directory Federation Services Web Agent Property Pages

IIS 6.0 property page: Active Directory Federation Services Web Agent tab
  Old location: <COMPUTERNAME>\Web Sites
IIS 7.0 property page: Federation Service URL
  New location: <COMPUTERNAME> (in the Other section of the center pane)

IIS 6.0 property page: Active Directory Federation Services Web Agent tab
  Old location: <COMPUTERNAME>\Web Sites\<Site or Virtual Directory>
IIS 7.0 property page: Active Directory Federation Services Web Agent
  New location: <COMPUTERNAME>\Web Sites\<Site or Virtual Directory> (in the IIS\Authentication section of the center pane)
Note
There are no significant UI differences between the Active Directory Federation Services snap-in in Windows Server 2008 and the Active Directory Federation Services snap-in in Windows Server 2003 R2.
5.12 Active Directory Lightweight Directory Services
The Active Directory Lightweight Directory Services server role is an LDAP directory service. It provides data storage and retrieval for directory-enabled applications, without the dependencies that are required for Active Directory Domain Services.
Active Directory Lightweight Directory Services in Windows Server 2008 encompasses the functionality that was provided by Active Directory Application Mode, which is available for Microsoft Windows XP Professional and the Windows Server 2003 operating systems. Active Directory Lightweight Directory Services gives organizations flexible support for directory-enabled applications. A directory-enabled application uses a directory (rather than a database, flat file, or other data storage structure) to hold its data. Directory services (such as Active Directory Lightweight Directory Services) and relational databases both provide data storage and retrieval, but they differ in their optimization. Directory services are optimized for read processing, whereas relational databases are optimized for transaction processing. Many off-the-shelf applications and many custom applications use a directory-enabled design. Examples include these:
Active Directory Lightweight Directory Services provides much of the same functionality as Active Directory Domain Services (and, in fact, is built on the same code base), but it does not require the deployment of domains or domain controllers.
You can run multiple instances of Active Directory Lightweight Directory Services concurrently on a single computer, with an independently managed schema for each Active Directory Lightweight Directory Services instance or configuration set (if the instance is part of a configuration set). Member servers, domain controllers and stand-alone servers can be configured to run the Active Directory Lightweight Directory Services server role.
Active Directory Lightweight Directory Services is similar to Active Directory Domain Services in that it provides the following:
Active Directory Lightweight Directory Services differs from Active Directory Domain Services primarily in that it does not store Windows security principals. Although Active Directory Lightweight Directory Services can use Windows security principals (such as domain users) in ACLs that control access to objects in Active Directory Lightweight Directory Services, Windows cannot authenticate users stored in Active Directory Lightweight Directory Services or use Active Directory Lightweight Directory Services users in its ACLs. In addition, Active Directory Lightweight Directory Services does not support domains and forests, Group Policy or global catalogs.
Organizations that have the following requirements will find Active Directory Lightweight Directory Services particularly useful:
decentralized directory management. Active Directory Lightweight Directory Services directories are separate from the domain infrastructure of Active Directory Domain Services. As a result, they can support applications that depend on schema extensions that are not desirable in the Active Directory Domain Services directory, such as schema extensions that are useful to a single application. In addition, the local server administrator can administer the Active Directory Lightweight Directory Services directories; domain administrators do not need to provide administrative support.
are separate from the enterprise's domain structure. Application developers who are creating directory-enabled applications can install the Active Directory Lightweight Directory Services role on any server, even on stand-alone servers. As a result, developers can control and modify the directory in their development environment without interfering with the organization's Active Directory Domain Services infrastructure. These applications can be deployed subsequently with either Active Directory Lightweight Directory Services or Active Directory Domain Services as the application's directory service, as appropriate.
Network administrators can use Active Directory Lightweight Directory Services as a prototype or pilot environment for applications that will eventually be deployed with Active Directory Domain Services as their directory store, as long as the application does not depend on features specific to Active Directory Domain Services.
Enterprises that need to authenticate extranet client computers, such as Web client computers or transient client computers, can use Active Directory Lightweight Directory Services as the directory store for authentication. This helps enterprises avoid having to maintain external client information in the enterprise's domain directory.
authenticate against Active Directory Domain Services. When organizations merge, there is often a need to integrate LDAP client computers running different server operating systems into a single network infrastructure. In such cases, rather than immediately upgrading client computers running earlier LDAP applications or modifying the Active Directory Domain Services schema to work with the earlier clients, network administrators can install the Active Directory Lightweight Directory Services server role on one or more servers. The Active Directory Lightweight Directory Services server role acts as an interim directory store using the earlier schema until the client computers can be upgraded to use Active Directory Domain Services natively for LDAP access and authentication.
Because Active Directory Lightweight Directory Services is designed to be a directory service for applications, it is expected that the applications will create, manage and remove directory objects. As a general-purpose directory service, Active Directory Lightweight Directory Services is not supported by such domain-oriented tools as these:
However, administrators can manage Active Directory Lightweight Directory Services directories by using directory tools such as the following:
Directory Lightweight Directory Services)
Applications that were designed to work with Active Directory Application Mode do not require changes to function with Active Directory Lightweight Directory Services.
5.13 Active Directory Rights Management Services
For Windows Server 2008, Active Directory Rights Management Services includes several new features that were not available in Microsoft Windows Rights Management Services (RMS). These new features were designed to ease the administrative overhead of Active Directory Rights Management Services and to extend its use outside your organization. These new features include the following:
Installation of Active Directory Rights Management Services in Windows Server 2008 as a server role
New Active Directory Rights Management Services administrative roles
Note
This topic concentrates on the features specific to Active Directory Rights Management Services that are being released with Windows Server 2008. Earlier versions of RMS were available as a separate download. For more information about the features that were available in RMS, see Windows Server 2003 Rights Management Services (RMS) (http://go.microsoft.com/fwlink/?LinkId=68637).
Active Directory Rights Management Services, a format- and application-agnostic technology, provides services to enable the creation of information-protection solutions. It will work with any Active Directory Rights Management Services-enabled application to provide persistent usage policies for sensitive information. Content that can be protected by using Active Directory Rights Management Services includes intranet Web sites, e-mail messages and documents. Active Directory Rights Management Services includes a set of core functions that allow developers to add information protection to the functionality of existing applications.
An Active Directory Rights Management Services system, which includes both server and client components, performs the following processes:
Licensing rights-protected information. An Active Directory Rights Management Services system issues rights account certificates, which identify trusted entities (such as users, groups and services) that can publish rights-protected content. Once trust has been established, users can assign usage rights and conditions to content they want to protect. These usage rights specify who can access rights-protected content and what they can do with it. When the content is protected, a publishing license is created for the content. This license binds the specific usage rights to a given piece of content so that the content can be distributed. For example, users can send rights-protected documents to other users inside or outside their organization without the content losing its rights protection.
Acquiring licenses to decrypt rights-protected content and applying usage policies. Users who have been granted a rights account certificate can access rights-protected content by using an Active Directory Rights Management Services-enabled client application that allows users to view and work with rights-protected content. When users attempt to access rights-protected content, requests are sent to Active Directory Rights Management Services to access, or "consume," that content. When a user attempts to consume the protected content, the Active Directory Rights Management Services licensing service on the Active Directory Rights Management Services cluster issues a unique use license that reads, interprets and applies the usage rights and conditions specified in the publishing license. The usage rights and conditions are persistent and automatically applied everywhere the content goes.
Creating rights-protected files and templates. Users who are trusted entities in an Active Directory Rights Management Services system can create and manage protection-enhanced files by using familiar authoring tools in an Active Directory Rights Management Services-enabled application that incorporates Active Directory Rights Management Services technology features. In addition, Active Directory Rights Management Services-enabled applications can use centrally defined and officially authorized usage rights templates to help users efficiently apply a predefined set of usage policies.
Active Directory Rights Management Services is designed to help make content more secure, regardless of where the rights-protected content might be moved.
You should review this section, and additional documentation about Active Directory Rights Management Services, if you are in any of the following groups:
products
technology that provides protection for both data at rest and in motion. Active Directory Rights Management Services relies on Active Directory Domain Services to verify that the user attempting to consume rights-protected content is authorized to do so. When registering the Active Directory Rights Management Services service connection point (SCP) during installation, the installing user account must have Write access to the Services container in Active Directory Domain Services.
Finally, all configuration and logging information is stored in the Active Directory Rights Management Services Logging Database. In a test environment, you can use the Windows Internal Database, but in a production environment, we recommend using a separate database server.
Active Directory Rights Management Services includes a number of enhancements over earlier versions of RMS These enhancements include the following:
Improved installation and administration experience. Active Directory Rights Management Services is included with Windows Server 2008 and is installed as a server role. In addition, Active Directory Rights Management Services administration is done through an MMC, as opposed to the Web site administration presented in the earlier versions.
Self-enrollment of the Active Directory Rights Management Services cluster. The Active Directory Rights Management Services cluster can be enrolled without having to connect to the Microsoft Enrollment Service. Through the use of a server self-enrollment certificate, the enrollment process is done entirely on the local computer.
Integration with Active Directory Federation Services. Active Directory Rights Management Services and Active Directory Federation Services have been integrated such that enterprises are able to leverage existing federated relationships to collaborate with external partners.
New Active Directory Rights Management Services administrative roles. The ability to delegate Active Directory Rights Management Services tasks to different administrators is needed in any enterprise environment and is included with this version of Active Directory Rights Management Services. Three administrative roles have been created: Active Directory Rights Management Services Enterprise Administrators, Active Directory Rights Management Services Template Administrators, and Active Directory Rights Management Services Auditors.
Improved Installation and Administration Experience
Active Directory Rights Management Services in Windows Server 2008 brings many improvements to both the installation and administration experience. In earlier versions of RMS, a separate installation package had to be downloaded and installed, but in this version, Active Directory Rights Management Services has been integrated into the operating system and is installed as a server role through Server Manager. Configuration and provisioning is achieved through the server role installation. In addition, Server Manager automatically lists and installs all services that Active Directory Rights Management Services is dependent on, such as Message Queuing and Web Server (IIS), during the Active Directory Rights Management Services server role installation. During installation, if you do not specify a remote database as the Active Directory Rights Management Services Configuration and Logging database, the Active Directory Rights Management Services server role installation automatically installs and configures the Windows Internal Database for use with Active Directory Rights Management Services.
In the earlier versions of RMS, administration was done through a Web interface. In Active Directory Rights Management Services, the administrative interface has been migrated to an MMC snap-in console. The Active Directory Rights Management Services console gives you all the functionality available with the earlier version of RMS, but in an interface that is much easier to use.
Offering Active Directory Rights Management Services as a server role that is included with Windows Server 2008 makes the installation process less burdensome by not requiring you to download Active Directory Rights Management Services separately before installing it.
Using an Active Directory Rights Management Services console for administration instead of a browser interface makes more options available to improve the user interface. The Active Directory Rights Management Services console employs user interface elements that are consistent throughout Windows Server 2008, which is designed to be much easier to follow and navigate. In addition, with the inclusion of Active Directory Rights Management Services administration roles, the Active Directory Rights Management Services console displays only the parts of the console that the user can access. For example, a user who is using the Active Directory Rights Management Services Template Administrators administration role is restricted to tasks that are specific to Active Directory Rights Management Services templates. All other administrative tasks are not available in the Active Directory Rights Management Services console.