AD RMS with AD FS

As explained for the previous topology, a multi-forest AD RMS deployment needs an AD RMS root cluster in each forest, and most of those forests also have a two-way trust between them. Not every partner or business agrees to this: they may want to use AD RMS without maintaining their own AD RMS cluster or creating a trust between forests. AD FS lets such a company use an AD RMS cluster that is already deployed in a remote forest, with its users authenticating with their own credentials through a federated trust relationship. When one organization wants to trust an AD RMS trusted user domain (TUD) from a federated organization, it must first import that TUD with the Trust federated users option selected, because trust for federated users is not extended automatically (AD FS trusts are not transitive by default). Then, when a federated user contacts the cluster for the first time, a rights account certificate (RAC) is issued to that user; the validity period of a federated user's RAC is not the cluster's normal RAC validity but the one specified in the Federated Identity Support settings.

Before setting this up, a number of prerequisites must be in place between the two federated infrastructures. Refer to https://technet.microsoft.com/en-us/library/dn758110(v=ws.11).aspx for the configuration details.

The following table lists the advantages and disadvantages:

| Advantages | Disadvantages |
| --- | --- |
| No need to maintain multiple AD RMS clusters between organizations; an existing federation trust can be reused to consume AD RMS in another forest. | There are security concerns: it is possible to spoof a user account and access protected data through a federation proxy. |
| Extended data protection boundaries, with a less complex implementation. | If an internal CA issues the SSL certificates for the trust (on both AD RMS and AD FS), the federated domain must be configured to trust that root CA (for example, by publishing the root certificate using GPO). Otherwise, the organization may have to invest in public certificates. |
| Fewer system dependencies between the two infrastructures. | N/A |
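The internal-CA caveat in the table is easy to verify from the federated side before users start hitting errors. The following PowerShell script is an added example (not code from the book or from Microsoft): run from a domain-joined machine in the federated forest, it connects to the AD RMS and AD FS endpoints a federated user must reach, pulls the TLS certificate each one presents, and checks whether that certificate chains to a root trusted on this machine. The endpoint URLs and host names are assumptions for illustration; replace them with your own cluster and federation service URLs.

```powershell
# Added example, not from the original page. Verifies that the TLS certificates
# presented by the remote AD RMS cluster and the AD FS service chain to a root CA
# that THIS machine trusts (i.e. that the partner's root CA reached us, e.g. via GPO).
# The URLs below are placeholders (assumptions), not real endpoints.

$endpoints = @(
    'https://rms.contoso.com/_wmcs/certification',   # AD RMS cluster URL (assumed)
    'https://fs.contoso.com/adfs/ls'                 # AD FS endpoint (assumed)
)

function Get-RemoteCertificate {
    # Opens a TLS session and returns the leaf certificate the server presented.
    # The validation callback always returns $true so we get the certificate even
    # when it is untrusted; trust is evaluated separately in Test-ChainTrusted.
    param([Parameter(Mandatory)][string]$Url)
    $uri    = [Uri]$Url
    $client = [System.Net.Sockets.TcpClient]::new($uri.Host, $uri.Port)
    try {
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($uri.Host)
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Test-ChainTrusted {
    # Builds the certificate chain against the local machine's trust stores, the same
    # way the AD RMS client and the browser will, and reports the root and any errors.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$Url
    )
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $trusted = $chain.Build($Cert)
    $root    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    [pscustomobject]@{
        Endpoint = $Url
        Subject  = $Cert.Subject
        Issuer   = $Cert.Issuer
        Root     = $root.Subject
        Trusted  = $trusted
        # Empty when the chain is fine; otherwise e.g. UntrustedRoot, PartialChain, RevocationStatusUnknown
        Status   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

$results = foreach ($url in $endpoints) {
    try {
        $cert = Get-RemoteCertificate -Url $url
        Test-ChainTrusted -Cert $cert -Url $url
    } catch {
        [pscustomobject]@{ Endpoint = $url; Subject = ''; Issuer = ''; Root = ''; Trusted = $false; Status = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize

# An UntrustedRoot or PartialChain status on an internally issued certificate means the
# partner's root (or intermediate) CA certificate has not been published to this forest,
# which is exactly the disadvantage noted in the table.
if ($results | Where-Object { -not $_.Trusted }) { exit 1 }
```

Running this on a workstation in the federated forest before and after the GPO that publishes the root certificate applies gives a quick confirmation that the trust is actually in place; a non-zero exit code makes it usable as a pre-flight check in a deployment script.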


AD RMS in the extranet, including the RMS mobile extensions (the AD RMS Mobile Device Extension), is sometimes treated as a separate deployment model. In modern workloads, however, it is really part of the topologies described in the preceding table, because users increasingly access corporate data from mobile devices.