Hello All
Can someone please help me with the following questions :)
I am learning AD RMS and read an MS document entitled "Active Directory Rights Management Services Overview", last updated April 1, 2015.
It stated the following with regard to the cons (limitations) of using federation (AD FS) with AD RMS:
-------------------
At the same time, AD FS integration for AD RMS has some limitations when compared to other alternatives, such as trusted user domains and trusted publisher domains. One potentially significant limitation is that AD RMS with AD FS, in its current implementation, does not provide group expansion capabilities for remote groups. This implies that a remote user belonging to a group that has been assigned rights to a document cannot exercise those rights unless she has also individually been assigned the same rights.
A second limitation is that AD FS integration is dependent on the capabilities of the client device accessing a protected document. Today, Windows Mobile clients are not able to authenticate through AD FS, so such clients can consume AD RMS protected documents only if their users are in the same forest as the AD RMS server that issued the publishing license or the organization uses trusted user domains or trusted publishing domains. In addition, the Rights Management Add-on document viewer for Internet Explorer, typically used when the recipient does not have an IRM capable application, does not support AD FS authentication.
Finally, using AD FS with AD RMS imposes some requirements on the infrastructure, such as access to the AD RMS servers from the Internet and specific configurations in the client. These include specifying the remote federation servers' URLs in the trusted zone and the local federation servers in the Intranet zone, in the Internet Explorer security settings.
------------
What I would like to know is, as of today (7th June 2016) and Windows 2012 R2 (with all relevant up-to-date patches installed), are the above still limitations, including the group expansion one? Or have they now been removed with product enhancements/patches since April 1, 2015?
However, it also occurs to me that when it comes to 'claims', you could create a claim based on whether or not a given user is a member of a particular group. That being the case, I am not sure why you need group expansion, because as far as I am aware you expand a group to see if a user (or computer) is a member of the group in question. However, if you have already determined this as part of building the claims token for the user, why do you still need group expansion? Like I said, I am learning :) so apologies if the answer is obvious and I am not seeing it.
Thanks All
Ernie