Configuring Windows Rights Management Services with Microsoft Office SharePoint Server 2007

I had spent a good amount of time understanding how Windows Rights Management Services (RMS) works and how it can be deployed with Microsoft Office SharePoint Server 2007 (MOSS). I thought I would share my findings on this topic here.

Before we begin, please visit this blog post to understand the concepts of RMS and IRM; it will help you configure RMS with MOSS.

Here are the major steps we are going to perform. It is highly recommended that you perform these steps in a test environment.

1. Prepare the infrastructure for Active Directory directory services, RMS, and Office SharePoint Server 2007.
2. Install and configure RMS on the RMS server.
3. Install and configure Office SharePoint Server 2007 for the RMS environment.
4. Verify the RMS and Office SharePoint Server 2007 integration.

Let's start!

To demonstrate how RMS can be integrated with MOSS, we will use four servers with the names and roles shown below.

AD

- Microsoft Windows Server 2003 with SP2

- Active Directory Services and DNS (DNS is necessary if your test environment is running on a separate network)

MOSS-SERVER

- Office SharePoint Server 2007 with SP2 and latest Cumulative updates

RMS-SERVER

- Microsoft Windows Server 2003 with SP2

- RMS Server

- Internet Information Services (IIS) 6.0

- Message Queuing (MSMQ)

- Microsoft SQL Server™ 2005 Standard Edition (This can be on a different machine as well)

RMS-CLIENT

- Microsoft Windows XP SP2

- Microsoft Office Enterprise 2007

Let's look at the servers one by one:

Configure the server “AD”:-

1. Log in to the Windows Server 2003 machine and run dcpromo from Start -> Run (domain name, e.g. rmstest.local).

2. Raise the forest functional level and the domain functional level to Windows Server 2003.

3. Create the following user accounts in Active Directory: RMSSRV, RMSADM, User1 and User2, each with an e-mail address (enter it in the E-mail field of the user's properties; no mailbox configuration is required). RMS identifies users and issues licenses by e-mail address, so this attribute must be populated for every account that will publish or consume protected content.
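The same account creation done from PowerShell with ADSI (so it runs on Windows Server 2003 without the later ActiveDirectory module), followed by a check that every account resolves by its mail attribute. This is an added example, not part of the original post: the domain name, container, user names and e-mail addresses follow the lab above, and the passwords are placeholders.

```powershell
# Added example (not from the original post): create the lab accounts with the
# mail attribute populated. RMS matches users to licenses by e-mail address, so
# 'mail' must be set even though no Exchange mailbox exists.
# Assumptions: domain rmstest.local, accounts in the default Users container,
# placeholder passwords. Run on AD as a domain administrator.
$domainDn  = "DC=rmstest,DC=local"
$container = [ADSI]"LDAP://CN=Users,$domainDn"

# account name -> e-mail address (lab values from the post)
$accounts = @{
    "RMSSRV" = "rmssrv@rmstest.local"   # RMS service account
    "RMSADM" = "rmsadm@rmstest.local"   # RMS administrative contact
    "User1"  = "user1@rmstest.local"
    "User2"  = "user2@rmstest.local"
}

foreach ($name in $accounts.Keys) {
    $user = $container.Create("user", "CN=$name")
    $user.Put("sAMAccountName", $name)
    $user.Put("userPrincipalName", "${name}@rmstest.local")
    $user.Put("mail", $accounts[$name])
    $user.SetInfo()                            # object must exist before SetPassword
    $user.SetPassword("ChangeMe-${name}-1!")   # placeholder password, lab only
    $user.Put("userAccountControl", 512)       # 512 = NORMAL_ACCOUNT, enabled
    $user.SetInfo()
}

# Verification: each e-mail address must resolve to exactly one account,
# otherwise RMS cannot issue a rights account certificate for that user.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
foreach ($mail in $accounts.Values) {
    $searcher.Filter = "(&(objectCategory=person)(mail=$mail))"
    $hits = $searcher.FindAll()
    if ($hits.Count -ne 1) {
        Write-Warning ("{0} accounts have mail={1}; expected exactly one" -f $hits.Count, $mail)
    } else {
        Write-Host ("OK   {0,-28} {1}" -f $mail, $hits[0].Properties["distinguishedname"][0])
    }
}
```

Populating mail is the step people most often miss in a lab: the accounts exist and log in fine, but Office reports that it cannot obtain credentials for the user because RMS has no e-mail address to bind the license to.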

Configure the server “MOSS-SERVER”:-

1. Log in to MOSS-SERVER using rmstest\administrator credentials and join the server to the domain.

2. Download and install the RMS client from https://go.microsoft.com/fwlink/?LinkId=67736. If you are using a 64-bit version of Windows XP Professional or Windows Server 2003, download the 64-bit version of the RMS client from https://go.microsoft.com/fwlink/?LinkId=67935

3. Install the .NET Framework, IIS and MOSS, and complete the SharePoint Products and Technologies Configuration Wizard.

4. Create a web application on port 80 and a new site collection with the Collaboration Portal template. The rest of this post refers to the site as https://moss-server; a plain port 80 web application is reached as http://moss-server unless you also bind an SSL certificate to it, so adjust the URLs below to match what you actually created.

Configure the server “RMS-SERVER”:-

1. Log in to RMS-SERVER using rmstest\administrator credentials and join the server to the domain.

2. Add the RMSADM user to the local Administrators group on RMS-SERVER.

3. Add the Application Server role to this server (Add/Remove Programs -> Add/Remove Windows Components -> Application Server -> IIS and ASP.NET).

4. Add Message Queuing to this server (Add/Remove Programs -> Add/Remove Windows Components -> Application Server -> Message Queuing).

5. Install Microsoft SQL Server 2005 Standard Edition and make sure you can log in with SQL Server Management Studio successfully.

6. The prerequisites are now installed. Download and install the RMS server from https://go.microsoft.com/fwlink/?LinkId=73722

Configure the server “RMS-CLIENT”:-

1. Log in to RMS-CLIENT using rmstest\administrator credentials and join the system to the domain.

2. Download and install the RMS client from https://go.microsoft.com/fwlink/?LinkId=67736. If you are using a 64-bit version of Windows XP Professional or Windows Server 2003, download the 64-bit version of the RMS client from https://go.microsoft.com/fwlink/?LinkId=67935

3. Install Microsoft Office Enterprise 2007

Now let's configure the RMS settings

RMS is provisioned and administered through a local web site that the RMS installation creates automatically. The values below are for this test lab; substitute the values for your own environment.

1. Provision RMS using Global Administration Web site

  • Click Start, point to All Programs, point to Windows RMS, and then click Windows RMS Administration.
  • You can see that Default web site is already present Click Provision RMS on this Web site.
  • In the User name box under RMS Service Account, type RMSTEST\RMSSRV, and then type its password.
  • In the RMS private key password box under Private key protection and enrollment, enter a strong password and confirm it. This password protects the private key of the server licensor certificate; keep it somewhere safe, because it is needed again when you add a server to the cluster or recover this one.
  • Type rmsadm@rmstest.local in the Administrative contact box.
  • Under RMS Proxy Settings, clear the This computer uses a proxy server to connect to the Internet check box.
  • Keep the default values for everything else on this page, and then click Submit. This might take a few minutes to complete.


2. Register RMS SCP in Active Directory

  • Log on to RMS-SERVER as RMSTEST\ADMINISTRATOR or another Active Directory account that is a member of the Enterprise Admins group in the RMSTEST forest. Registering the SCP writes to the configuration partition of Active Directory, which is why this step needs forest-level rights rather than plain local or domain administrator rights.
  • Click Start, point to All Programs, point to Windows RMS, and then click Windows RMS Administration.
  • Click Administer RMS on this Web site.
  • Scroll to the bottom of the page and click RMS service connection Point.
  • Click Register URL.

3. Log in to Active Directory and confirm the following

  • Log in to AD as RMSTEST\Administrator, open Start -> Administrative Tools -> Active Directory Sites and Services, expand Services and make sure "RightsManagementServices" is listed. (You may have to click View -> Show Services Node in the MMC to see the Services node.)
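The same check done by querying Active Directory directly, which also shows the URL the SCP actually publishes. This is an added example, not part of the original post. Clients and SharePoint discover the RMS cluster from this object, so a wrong or stale URL here sends them to the wrong server; the expected URL pattern in the script is an assumption based on the lab server name.

```powershell
# Added example (not from the original post): read the RMS service connection
# point that "Register URL" wrote into the configuration partition. Works from
# any domain-joined machine with read access to AD (all authenticated users).
# Assumption: the cluster is the lab server rms-server, reached over HTTPS.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = [string]$rootDse.configurationNamingContext
$rmsContainer = "LDAP://CN=RightsManagementServices,CN=Services,$configNc"

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]$rmsContainer
$searcher.Filter = "(objectClass=serviceConnectionPoint)"
[void]$searcher.PropertiesToLoad.AddRange([string[]]@("distinguishedName", "serviceBindingInformation", "keywords"))

$results = $searcher.FindAll()
if ($results.Count -eq 0) {
    Write-Warning "No RMS SCP found under $rmsContainer. Either 'Register URL' has not been run or it has not replicated to this domain controller yet."
}

foreach ($scp in $results) {
    $dn  = $scp.Properties["distinguishedname"][0]
    $url = $scp.Properties["servicebindinginformation"][0]
    Write-Host "SCP : $dn"
    Write-Host "URL : $url"

    # The SCP must name the certification pipeline of the intended cluster over
    # HTTPS; anything else means clients will be steered somewhere unexpected.
    # Pattern is a lab assumption (server name rms-server, domain rmstest.local).
    if ($url -notmatch '^https://rms-server(\.rmstest\.local)?/_wmcs/certification$') {
        Write-Warning "Unexpected SCP URL: $url"
    }
}
```

Running this on MOSS-SERVER is a useful pre-check before enabling IRM in Central Administration, since the "Use the default RMS server specified in Active Directory" option relies on exactly this object being present and correct.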


Now let's configure MOSS for RMS

1. Add the site to the Local Intranet zone

  • Log in to MOSS-SERVER as RMSTEST\ADMINISTRATOR.
  • Click Start, point to Control Panel, and then click Internet Options.
  • Click the Security tab, click Local Intranet, and then click the Sites button.
  • Type https://MOSS-SERVER and then click Add.
  • Click Close, and then click OK.

2. RMS certification pipeline

  • Log on to RMS-SERVER as RMSTEST\RMSADM (the account added to the local Administrators group earlier).
  • Click Start, and then click My Computer.
  • Navigate to C:\Inetpub\wwwroot\_wmcs\Certification.
  • Right-click ServerCertification.asmx, click Properties, and then click the Security tab.
  • Click Add.
  • Click Object Types, select the Computers check box, and then click OK.
  • Type MOSS-SERVER, click OK.
  • Click Add.
  • Click Object Types, select the Groups check box, and then click OK.
  • Type RMS-SERVER\RMS Service Group, and then click OK.
  • Click OK to close the ServerCertification.asmx Properties dialog box.
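The same ACL change made from PowerShell on RMS-SERVER, with a read-back of the resulting entries. This is an added example, not part of the original post. The ACL on ServerCertification.asmx is what decides which machines may obtain a server licensor certificate from this cluster, so it should contain only the SharePoint front ends that genuinely need it; the computer account name and domain below follow the lab.

```powershell
# Added example (not from the original post): grant the MOSS computer account
# and the local RMS Service Group (created when RMS was provisioned) Read &
# Execute on the certification pipeline, which is what the GUI steps above do.
# Assumptions: domain RMSTEST, front end MOSS-SERVER, default wwwroot path.
# Run on RMS-SERVER as a local administrator.
$path = "C:\Inetpub\wwwroot\_wmcs\Certification\ServerCertification.asmx"
$grantees = @(
    "RMSTEST\MOSS-SERVER$",         # computer account: note the trailing $
    "RMS-SERVER\RMS Service Group"  # local group created by RMS provisioning
)

$acl = Get-Acl $path
foreach ($id in $grantees) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, "ReadAndExecute", "Allow")
    $acl.AddAccessRule($rule)
}
Set-Acl $path $acl

# Read back: print every ACE so unexpected grantees stand out, and confirm the
# two identities above are present. Any other computer account listed here
# could also certify itself against this cluster and should be questioned.
$check = Get-Acl $path
foreach ($ace in $check.Access) {
    "{0,-32} {1,-22} {2,-5} inherited={3}" -f $ace.IdentityReference.Value, $ace.FileSystemRights, $ace.AccessControlType, $ace.IsInherited
}
foreach ($id in $grantees) {
    $present = $check.Access | Where-Object { $_.IdentityReference.Value -eq $id -and $_.AccessControlType -eq "Allow" }
    if (-not $present) { Write-Warning "$id is missing from the ACL on $path" }
}
```

If the MOSS front end is later rebuilt with a new computer account, this ACL is the first thing to revisit: Central Administration will report that it cannot contact the RMS server, and the cause is the stale entry here rather than anything in SharePoint.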

3. Enable Information Rights Management in Office SharePoint Server 2007

  • Log on to MOSS-SERVER as RMSTEST\ADMINISTRATOR.
  • Click Start, point to Administrative Tools, and then click SharePoint Central Administration.
  • Click Operations, and then click Information Rights Management.
  • Click “Use the default RMS server specified in Active Directory”
  • Click OK.

4. Add USER1 and USER2 to the SharePoint site

  • Access the site https://moss-server with rmstest\administrator
  • Click Site Actions, point to Site Settings, and then click People and Groups.
  • Click New, and then click Add Users.
  • Type User1@rmstest.local;User2@rmstest.local in the Users/Groups box, and then click OK.
  • Make sure User1 and User2 can access the site

5. Restrict permissions using RMS

  • In the same Office SharePoint Server 2007 site, click Home.
  • Click Document Center, click Documents, click Settings, and then click Document Library Settings.
  • Under Permissions and Management, click Information Rights Management.
  • Select the Restrict permission to documents in this library on download check box.
  • Type appropriate policy title in the box provided.
  • Type appropriate description
  • Click OK.
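Steps 3 and 5 above, done through the WSS 3.0 / MOSS 2007 object model from PowerShell on MOSS-SERVER, with the settings read back afterwards so the result can be confirmed without clicking through Central Administration. This is an added example, not part of the original post. Assumptions: the Document Center web is at https://moss-server/Docs, the library is titled "Documents", and the policy text is mine; the property names used (SPIrmSettings.IrmRMSEnabled, SPIrmSettings.IrmRMSUseAD, SPList.IrmEnabled, InformationRightsManagementSettings.PolicyTitle and friends) are those of the WSS 3.0 SDK as I recall them, so check them against the SDK for your build before relying on the script.

```powershell
# Added example (not from the original post): farm-level and library-level IRM
# settings via the SharePoint 2007 object model. Run on MOSS-SERVER as a farm
# administrator. URLs, library title and policy text are assumptions.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

# --- Step 3: farm-wide IRM, RMS cluster discovered from the AD SCP ----------
$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
$farmIrm = $contentService.IrmSettings
$farmIrm.IrmRMSEnabled = $true
$farmIrm.IrmRMSUseAD   = $true   # "Use the default RMS server specified in Active Directory"
$contentService.Update()

# --- Step 5: library protection applied to each downloaded copy -------------
$site = New-Object Microsoft.SharePoint.SPSite("https://moss-server/Docs")   # assumption
$web  = $site.OpenWeb()
$list = $web.Lists["Documents"]                                               # assumption

$list.IrmEnabled = $true   # "Restrict permission to documents in this library on download"
$libIrm = $list.InformationRightsManagementSettings
$libIrm.PolicyTitle       = "RMS test policy"
$libIrm.PolicyDescription = "Downloaded copies are rights-protected; printing is not allowed"
$libIrm.AllowPrint        = $false   # this is what greys out the Print button in the test below
$libIrm.AllowScript       = $false
$libIrm.AllowWriteCopy    = $false
$libIrm.Update()
$list.Update()

# Read back: both switches must be on, or downloads leave the server unprotected.
$list = $web.Lists["Documents"]
"Farm IRM enabled     : {0}" -f $contentService.IrmSettings.IrmRMSEnabled
"Farm uses AD SCP     : {0}" -f $contentService.IrmSettings.IrmRMSUseAD
"Library IRM enabled  : {0}" -f $list.IrmEnabled
"Library policy title : {0}" -f $list.InformationRightsManagementSettings.PolicyTitle
"Library allows print : {0}" -f $list.InformationRightsManagementSettings.AllowPrint

$web.Dispose()
$site.Dispose()
```

The read-back matters because the two switches are independent: a library can have IRM enabled while the farm setting is off (or the SCP is missing), in which case documents are served without protection and nothing in the library settings page tells you so.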

Now let's look at RMS-CLIENT

1. Create and upload a Microsoft Word document for testing

  • Log on to RMS-CLIENT as USER1.
  • Using Word, create a test document with any content.
  • Open https://moss-server and upload the file to the document library that was configured for IRM above.
  • You may have to check the file in to complete the upload.
  • Once the document is in this library, it is subject to the restrictions set on the library; they are applied to the copy each user downloads.
  • Log off as USER1.

2. Open a protected document

  • Now log in to RMS-CLIENT as USER2.
  • Open https://moss-server; integrated Windows authentication signs you in as User2 automatically.
  • Navigate to the document library and try to download the file
  • The following message will appear: "Permission to this document is currently restricted. Microsoft Office must connect to https://rms-server/_wmcs/licensing to verify your credentials and download your permission."


  • Click OK.
  • Now the following message will appear: "Verifying your credentials for opening content with restricted permissions".


  • Once the file opens, notice that the Print button is disabled.
  • Now download the file to the local machine, copy it to any other machine and try to open it there with an account other than User1 (User1 is the author; the downloaded copy carries only the rights SharePoint granted to the user who downloaded it, User2 in this test).
  • Even after the copy is moved to another server or machine, it still cannot be printed: the restriction travels with the file, not with its location.

If you also need a document to be protected against editing or saving, you can set the policy on the file itself, from within Office:

From RMS-CLIENT:

1. Create a new document

  • Login to the RMS-CLIENT system as USER1
  • Open Word, create a sample document and save the file on the desktop.
  • Click the Office Button -> Prepare -> Restrict Permission -> Restricted Access.


  • Enable “Restrict permission to this document” and Click on “More options”

  • Click Add, type User2's e-mail address (user2@rmstest.local), and click OK.

  • User2 now appears in the list with the permission level Read.


  • Access the site https://moss-server and upload the document to the site

  • Log off from RMS-CLIENT, log in as User2, open https://moss-server and download the file User1 just uploaded.

  • Open the file and click View Permission. The Read permission that User1 set is shown; because this protection was applied by the author rather than by the library, it also prevents editing and saving a copy.


Note: integrating Office SharePoint Server 2007 with RMS does not protect documents while they are stored on the server. When a document is uploaded to an Office SharePoint Server 2007 site, the server removes any protection and keeps the document unprotected until a download request is received. Only at that point does the server apply the library's IRM restrictions, mapped from the requesting user's SharePoint permissions, to the copy sent to the client. The copy on the server, in the content database and in its backups, is therefore unprotected, so SharePoint permissions and access control on the database remain the safeguards for the server-side copy.