Hey all,
I'm trying to implement an ADRMS+ADFS scenario to connect two forests without any trusts, so they can share protected content.
I have forest A, with a DC server, a FS server, a RMS server and a client computer.
In forest B, I have a DC server, which also acts as the FS server, and a client computer.
The objective is to have protected content created on forest A and consumed in either forest A or forest B.
I've configured the FS servers as per Microsoft documentation, and I've configured RMS to be Federation aware.
I've protected a document in forest A, and I've sent it to the client on forest B. However, when client B tries to open it, I get asked for credentials to access the RMS link /_wmcs/licensing/servicelocator.asmx. At no point do I see anything going to either FS server. Even if I input the client B credentials, it keeps popping up.
I believe that the FS agent on the RMS server is not properly intercepting the request and forwarding it to the FS server, but I can't quite "prove" it. I can't see anything in the local logs on the RMS server, from either the RMS services or the FS component.
The FS servers are both "quiet" and don't seem to have any communication with the client during my tests.
Also, I'm not really sure about the Federation registry key to input in the client B registry. I've seen two different formats for it: urn:federation:localfsserver and https://localfsserver/adfs/, and I think I've seen https://localfsserver/adfs/ls/ somewhere as well. I'm creating the value under HKLM\Software\Microsoft\MSDRM\FederationHomeRealm.
These are all 2008 R2 servers, with AD FS 1.0. The clients are Windows 7 with Office 2010.
Could someone give me a hand with this? I don't know if something needs to be adjusted in the IIS of the RMS server, as it seems that it is demanding authentication from the "unknown" forest B client, and that's not exactly the expected behavior in this situation.
Thanks for your time!
Cheers,
Helder