Windows Server 2012 AD RMS with SharePoint IRM a Step by Step Guide
I have included below for your review and use a copy of a document that I recently created for a 3 Server DEV environment for SharePoint IRM
Create Service Accounts
|
Account Name |
User Logon Name |
Group |
|
ADRMSSRVC |
ADRMS |
|
|
ADRMSADMIN |
ADRMSADMIN |
Enterprise Admins |
Server Names Operating System and Role / Applications
|
Server Names |
OS |
Roles / Applications |
|
DSI-DC1 |
Windows Server 2012 |
AD DS, ADRMS, DNS |
|
DSI-SQL |
Windows Server 2012 |
SQL Server 2012 |
|
DSI-SP2010 |
Windows Server 2012 |
SharePoint 2010 |
AD RMS Installation
1. Log on to Domain Controller DSI-DC1 as administrator.
2. Click on Desktop then click Server Manager then click Manage and Add Role and Features
3. Read the Before You Begin section, and then click Next.
Add Role AD RMS
On the Select Server Roles page, select the Active Directory Rights Management Services check box.
Add Required Features
The Add Required Features page appears informing you of the AD RMS required role services and features. Click Next.
Select Additional Features
The Add Additional Features page appears, Click Next
Active Directory Rights Management Services Introduction
Read the AD RMS introduction page, and then click Next.
Select Role Services
On the Select Role Services page, verify that the Active Directory Rights Management Server check box is selected, and then click Next.
Web Server Role (IIS)
Read the Web Server Role (IIS) introduction page, and then click Next.
Select Role Services
On the Select Role Services page, verify that the Web Server Services, and then click Next.
Confirm Installation Selections
Confirm the AD RMS Installation selections, and then click Next.
Installation Progress
Active Directory Rights Management Configuration
Create a new AD RMS Cluster
Click the Create a new AD RMS root cluster option, and then click Next.
Select Configuration Database Server
Click the Specify a database server and a instance option type DSI-SQL , and choose Default Instance, then Click Next. If you have any issues connecting to the instance you may have to enable the SQL Brower. This is especially the case if you are configuring AD RMS on Windows Server 2012 that has the AD DS Role.
Specify Service Account Requires Domain Admin User Rights
Click Specify, type DIMENSION-SI\ADRMSSVC, click Next.
Specify Cryptographic Mode
Specify Key Storage Mode
Ensure that the Use AD RMS centrally managed key storage option is selected, and then click Next.
Specify Cluster Key Password
Type a strong password in the Password box and in the Confirm password box, and then click Next.
Specify The AD RMS Web Site
Choose the Web site where AD RMS will be installed, and then click Next. In an installation that uses default settings, the only available Web site should be DEFAULT Web Site.
Specify Cluster FQDN
Click Connection Type Use an SSL-encrypted connection (https://). In the Fully-Qualified Domain Name box, type https://adrms.dimension-si.com, and then click Next
Choose SSL Certificate
Click the Create a self-signed certificate for SSL encryption option, and then click Next.
Name the Server Licensor Certificate
Type a name that will help you identify DSI-DC1-ADRMS in the Friendly name box, and then click Next.
Register Service Connection Point
Ensure that the Register the AD RMS service connection point now option is selected, and then click Next to register the AD RMS service connection point (SCP) in Active Directory during installation.
Confirm Installation Selections
Click Install to provision AD RMS on the computer. It can take up to 60 minutes to complete the installation and Click Close.
Confirm Installation Results
Sign Out
Log off the server, and then log on again to update the security token of the logged-on user account. The user account that is logged on when the AD RMS server role is installed is automatically made a member of the AD RMS Enterprise Administrators local group. A user must be a member of that group to administer AD RMS
By default, the AD RMS cluster server certification pipeline ACL is configured to allow only the local System account. You must add the permissions in order for Office SharePoint Server 2010 to integrate with AD RMS.
Add DSI-SP2010 to the AD RMS Certification Pipeline
1. Log on to DSI-DC1 as DIMENSION-SI\Administrator.
2. Click Start, and then click Computer.
3. Navigate to C:\Inetpub\wwwroot\_wmcs\Certification.
4. Right-click ServerCertification.asmx, click Properties, and then click the Security tab.
5. Click Advanced, click Enable Inheritance, select the Include inheritable permissions from this object’s parent check box, and then click OK two times.
6. Click Edit, and then click Add.
7. Click Object Types, select the Computers check box, and then click OK.
8. Type DSI-SP2010, and then click OK.
9. Click OK to close the ServerCertification.asmx Properties sheet.
By default the Read & execute and the Read permissions are configured for the DSI-DC1 computer account object and all other accounts inherited from the parent folder.
10. Click Start, and then click Command Prompt.
11. Type iisreset, and then press ENTER.
Once the AD RMS cluster certification pipeline is inheriting and you have added DSI-SP2010, you must configure Office SharePoint Server 2010 to use the AD RMS cluster:
SharePoint 2010 Information Rights Management Configuration Guidance
Before using IRM, you must have a Windows Rights Management Services (RMS) server to connect to. In addition, you must have installed the Windows Rights Management Services Client Service Pack 2 on every front-end Web server in the farm running SharePoint Server 2010.
SharePoint IRM Configuration Step by Step
1. On the SharePoint Central Administration Web site, in the Quick Launch, click Security.
2. On the Security page, in the Information Policy section, click Configure information rights management.
Central Administration > Security > Information Rights Management
Use the default RMS server specified in Active Directory Select this option if your organization has specified an RMS server in Active Directory Domain Services (AD DS) and Click OK
Event Log Errors and Reference
If you are unable to open a document from an IRM protected library you may receive two similar events
Event ID 5085 (Windows SharePoint Services health model)
Reference: http://technet.microsoft.com/en-us/library/cc561091(v=office.12)
Event ID 5065 (Windows SharePoint Services health model)
‘Reference: http://technet.microsoft.com/en-us/library/cc561018(v=office.12)
As the event states the most likely event is the User email Address has not been configured. However, the documentation has not been updated to support SharePoint 2010. The SharePoint 2010 Architecture has change and you now must ensure that the User Profile Service has synced.
If users attempt to open IRM Protected documents prior to the sync, they will NOT open and you will receive the two errors 5065, 5085 listed above in the event log. Unfortunately, the two references I list above do not allow for comment or I would have added the comment to the technet library
Cheers,
-Ivan
4 Comments
Hello,
First of all, thanks for your great tutorial.
I had had the following error when I tried to connect Sharepoint to ADRMS.
“Trying to connect SharePoint to your AD RMS server gives you this message “The required Windows Rights Management client is present but could not be configured properly”
I googled it but none of the solutions proposed worked for me. I was thinking it was a Access Rights problem.
But no… In fact, it was due to the usage of a RSA 2048 key. The solution was to install the KB2627273 (http://support.microsoft.com/kb/2627273) on the Sharepoint Server WFE.
After that, everything works perfectly.
Hope this will help someone else 😉
@+
thanks for the post.
can I enable the RMS server role on a server having Sharepoint Server 2013 already installed?
and
can I enable the RMS server role on a server having SQL Server already installed?
Yes,
but I have never done so. We always provision two separate VMs on two separate Hosts so IRM / AD-RMS is HA
Cheers,
-Ivan
In my case it was not the KB2627273 but upgrading SP2013 from SP1 to Feb2015 updates (KB2920801) helped.
But probably the same root cause (2048 bit RSA).