Sharing Protected Documents when Partners have an AD RMS Installation

(This post was published on the original RMS team blog in February 2010. This is part 1 of a two-part series.)

Typically, Active Directory Rights Management Services helps users to protect documents and securely share them with other users within a single Active Directory forest.  However, it is increasingly common that users need to share sensitive documents with people outside their organization.  AD RMS has several options available to you to configure secure external collaboration.

In this two part series we explore the different options available and highlight some common scenarios where they are appropriate.  In this post, we discuss how to share protected content with a partner who has an AD RMS infrastructure.  In a subsequent post, we will look at the different ways to collaborate with a partner who does not have an AD RMS infrastructure.

If you would like to share protected documents with partner users who are in an organization that has installed AD RMS you can configure either a Trusted User Domain (TUD) or a Trusted Publishing Domain (TPD).  Let's look at these two options in more detail.

A Trusted User Domain is the most common method of sharing protected information between two forests that each have AD RMS clusters.  A TUD allows your licensing servers to accept end-use license requests made by users who have been issued a Rights Account Certificate from a partner organization.  When you configure a TUD, users can share protected content across forests using the same tools and processes they would within their organization.  Each user can create protected content with Microsoft Office and other AD RMS-enabled applications and then distribute it through e-mail, Microsoft Office SharePoint Services, Windows Mobile devices, and other distribution channels.

There are a couple of factors to consider before implementing a Trusted User Domain.  First, when a user opens content protected by the AD RMS partner cluster, the user receives an end-use license directly from that cluster.  Therefore, to open protected content, a user must have connectivity to an AD RMS server in the partner's cluster.  Also to protect information for groups that contain users from your partner's organization you must either create an Active Directory forest trust or perform significant additional work to synchronize group membership between the forests.  If these options cannot be implemented, you must individually grant access to partner users.  Finally, assuming there is no forest trust between the organizations, this scenario requires anonymous authentication to be allowed on the license pipeline.  You should be sure to enable anonymous authentication on only the license.asmx page, not the virtual directory root itself.

To learn more about Trusted User Domains you can read Trusted User Domains and AD RMS Deployment in a Multi-Forest Environment Step-by-Step Guide on TechNet.

Trusted Publishing Domains allow an AD RMS cluster to issue end-use licenses for content that was originally published by a different AD RMS cluster.  Similar to a TUD, a TPD does not restrict the applications and distribution channels that clients use to protect and consume content.  It also presents two advantages.  First, configuring a TPD requires less administrative effort to enable users to protect documents for groups that contain partner users.  Second, you do not need to connect to your partner's AD RMS cluster to consume content, reducing network overhead.

However, a TPD is established by exchanging AD RMS private keys, in addition to the server licensor certificates.  This can be a security risk.  Although the benefits to configuring a TPD are significant, sharing your private key with another organization may violate your organization's security policy.  Also, in this scenario, you must set registry overrides that will force clients to get use licenses through your AD RMS cluster.  For more information about these registry keys for Microsoft Office, please see the TechNet article Office Registry Settings .

Because of security policies, TPDs are usually configured between forests within the same organization or in a scenario where one of the clusters will be decommissioned.   A TPD allows a cluster to decrypt content it did not publish.  Therefore the original cluster does not have to be accessible in order for partner users to consume content.  By configuring a TPD, users can still access all documents published by the partner cluster, even after that cluster has been decommissioned.

If you would like to learn more about Trusted Publishing Domains you can read the TechNet article Trusted Publishing Domains .