Enterprise Mobility and Security Blog


(This post was published on the original RMS team blog in February 2010. This is part 2 of a two-part series.) 

This is the second post in a series examining the different options available to share protected content with partner organizations.  Our first post discussed sharing protected content with a partner who has an Active Directory Rights Management Services infrastructure.  Here, we consider five different ways to securely collaborate with partners who have not installed AD RMS.

Creating a separate account store for your partner users is the most conceptually basic solution.  In this scenario, you create a separate Active Directory forest with its own AD RMS cluster and set up accounts for your partner users in that forest.  Then you configure a Trusted User Domain (TUD) or Trusted Publishing Domain (TPD) between the two AD RMS installations.  TUDs and TPDs are described in more detail in the blog post Sharing Protected Documents when Partners have an AD RMS Installation, but essentially, by implementing this solution, users in your organization can use their standard applications and distribution channels to securely collaborate with the partner users you have created accounts for.  An alternative to configuring a second AD RMS cluster is to use Active Directory Federation Services, discussed in more detail below, to create a trust between the two forests.

However, hosting accounts for partner users is usually not recommended in an enterprise environment because of the administrative overhead and security risks.  In this model, you must manage the provisioning, maintenance, and deprovisioning of users who are not part of your organization.  Also, every additional account you create for an external user is an additional credential that can be lost, shared, or left active after the partnership ends, which increases the risk of a security breach.

Active Directory Federation Services is an identity federation service that allows users in one forest to access resources in another forest using their own credentials.  With AD FS in place you do not have to host separate accounts for partners.  Rather, users have one account with a single set of credentials, which are managed by their organization.  Partner users can then use single sign-on to access AD FS aware applications, such as AD RMS.

AD FS eliminates the administrative overhead and security issues that come with hosting partner users; however, there are some important considerations when using AD FS with AD RMS.  First, your partners will be unable to view protected content on their mobile devices.  Second, partner users will be able to consume, but not create, protected XPS documents.  Finally, for a protected document to be opened from Microsoft Office SharePoint Services, the library must be located in the same forest as the AD RMS cluster.

To learn more about using AD FS with AD RMS, you can read the TechNet articles Using Active Directory Federation Services with AD RMS and AD RMS with AD FS Identity Federation Step-by-Step Guide.

If your organization's security protocols or the sheer number of partner organizations make a forest-wide trust, such as AD FS, impractical, our partner GigaTrust has developed an external collaboration solution that is included in their Enterprise Plus product.  Like AD FS, with Enterprise Plus external accounts are managed by your partners and users can access protected content using single sign-on.  Unlike AD FS, this trust is established on a per-user, rather than per-company, basis.  This makes it feasible to support a scenario where partner users are spread across many different organizations, even if those organizations are using an LDAP directory other than Active Directory.  Enterprise Plus provides several additional benefits, such as a central management point for all AD RMS reports and rights policy templates for both internal and partner users.  It also allows you to use AD RMS with additional file formats such as PDF.

Users in the partner organization must install a client application, which requires local administrative rights.  This solution is therefore best implemented between long-term partners, rather than for a single-use scenario.  Also, Enterprise Plus is not included in an AD RMS installation or in Windows Server; it is a third-party product.  To learn more about GigaTrust's Enterprise Plus, visit http://www.gigatrust.com/enterprise-plus.shtml.

This solution requires you to manage the lifecycle of accounts for users outside your organization, which results in additional administrative overhead.  The Full Client and the LM Viewer are produced by Liquid Machines and are not included in an AD RMS installation or in Windows Server.  For more information, please visit http://www.liquidmachines.com/.