pds15.egloos.compds15.egloos.com/.../71/Single_Server...from_a_SharePoi…  · Web viewTo install Windows Rights Management Services, ... whichever word you like to use). ... We

Single Server RMS and MOSS 2007 Installation from a SharePoint Perspective

Russell Wright here, from SharePoint Solutions (Dallas office). Thought some of y'all might want to see what I've gone through recently getting Windows Rights Management Server installed on my virtual SharePoint box.

Overview

We're going to install Windows Rights Management Server on a server with MOSS. I've found several documents and blogs where multiple server installations are discussed, but I wanted something that would be easy to carry around for demonstration purposes. I was also told that you couldn't do this, but was never told why, so I decided to try.

Why do you want to use Windows Rights Management Server? Let's say you have some documents you are "passing around" that have fairly sensitive information in them and you don't want anyone except those you have specifically authorized to have access to the documents. RMS encapsulates the security in the documents so just having the document doesn't mean you can access it. There are several whitepapers that discuss all the reasons why you'd want to use RMS.

Of course, RMS won't protect you against someone…

1. Retyping the information into another document
2. Taking a picture of the screen
3. Using 3rd party screen capture apps

This installation is intended for the SharePoint professional who uses virtual machines for testing and as a general learning environment; hence, everything is installed on a single server image.

The Process

I started with my VM that has MOSS (SP1) installed. What you'll see here are lots of pictures with a little explanation when necessary. If a picture is worth a thousand words, this post is equivalent to about fifty thousand "words" to make you feel good about the installation.

To install Windows Rights Management Services, you need the following:

1. Server running in Application Server Role (your SharePoint server)
2. SQL Server 2005 Standard (already part of your SharePoint server)
3. Message Queuing (a subcomponent under Application Server)

Install message queuing.

I selected the weakened security option (it exists for compatibility with older Message Queuing clients), but it probably wouldn't matter. RMS only uses Message Queuing locally, for its logging service, so on a single box either setting works; on a production server leave the default.

This error might be left over from a previous attempt at installing DRMS. Didn't seem to affect anything.

Here's proof that the service is running. Check to make sure that your SQL Server is still up and running. Mine got stopped, somehow.

And then you need to:

1. Install the WRM client
2. Install RMS Server
3. Configure RMS
4. Register SCP in AD so SharePoint can find it
5. Configure SharePoint to use the exposed web services

Install the WRM client.

SharePoint needs the WRM client since it will be responsible for managing the rights assigned to a document through a document library.

Installing the WRM client is easy. Download from here and run. Good for 32-bit and 64-bit clients.

This is a very quick installation. Takes about 10-20 seconds. After the installation you'll see a change in the Central Admin for SharePoint. The warning has disappeared.

Install Windows Rights Management Services (with SP2)

WRMS can be downloaded here. Note that there are different versions for x86, x64 and IA-64 architectures. You might want to go ahead and download the Windows Rights Management Toolkit while you're in the downloading mode.

What's this look like when you're done?

Notice we have an RMS Administration web site.
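Before provisioning, it's worth confirming that everything installed so far is actually in place. The script below is an added example for this post, not something from the original write-up: it checks the services RMS depends on (Message Queuing, SQL Server, IIS), whether the WRM client is installed, and whether the RMS web services have been provisioned yet. It assumes PowerShell 2.0 or later, the default service names (MSMQ, MSSQLSERVER, W3SVC), and that the WRM client installs msdrm.dll into system32 and provisioning creates the _wmcs directory under the default web site; none of those paths or names come from the post itself.

```powershell
# Added example (not from the original post): sanity-check the pieces the
# walkthrough has installed so far on the single MOSS/RMS box.
# Assumptions: default service names, msdrm.dll under %windir%\system32,
# and the _wmcs directory under the default web site after provisioning.

function Test-RmsPrerequisites {
    $results = @()

    # Services RMS depends on: Message Queuing (RMS logging), SQL Server
    # (configuration/logging databases) and IIS (the _wmcs web services).
    foreach ($name in 'MSMQ', 'MSSQLSERVER', 'W3SVC') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc) { $status = [string]$svc.Status } else { $status = 'NotInstalled' }
        $results += New-Object PSObject -Property @{
            Check  = "Service $name"
            Status = $status
            Ok     = ($status -eq 'Running')
        }
    }

    # The WRM client drops msdrm.dll into system32; SharePoint loads it to
    # protect documents on download, and Central Admin warns until it is there.
    $dll = Join-Path $env:SystemRoot 'system32\msdrm.dll'
    if (Test-Path $dll) { $status = (Get-Item $dll).VersionInfo.FileVersion } else { $status = 'Missing' }
    $results += New-Object PSObject -Property @{
        Check  = 'RMS client (msdrm.dll)'
        Status = $status
        Ok     = (Test-Path $dll)
    }

    # Once the server is provisioned its web services live under _wmcs on the
    # default web site; before provisioning this row is informational only.
    $wmcs = Join-Path $env:SystemDrive 'Inetpub\wwwroot\_wmcs'
    if (Test-Path $wmcs) { $status = 'Present' } else { $status = 'Not provisioned yet' }
    $results += New-Object PSObject -Property @{
        Check  = 'RMS web services (_wmcs)'
        Status = $status
        Ok     = (Test-Path $wmcs)
    }

    $results
}

Test-RmsPrerequisites | Format-Table Check, Status, Ok -AutoSize
```

Run it as an administrator on the server; a stopped SQL Server (which happened to me, see above) shows up immediately as Ok = False.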

Provision RMS

Now that RMS is installed, it's time to provision the thing. This means you have to do a little configuration (or provisioning, whichever word you like to use). This will set up the web services that SharePoint needs from RMS to do its thing.

You want to provision RMS on a site without a host header. If you have several sites running on port 80 and utilize a host header, I've found that RMS doesn't seem to know how to handle that. So, I'd recommend that you install RMS on the default web site on port 80. You might be able to get away with installing it on a site running on a different port, but I didn't try that.

I'll warn you…this next part I tried didn't work correctly because my virtual machine had a failed RMS installation of which I was unaware. If you read through it you'll see where I found and corrected my error. I left all my steps in the procedure, just in case you have similar problems.

After selecting Provision RMS on this Web site on the Default Web Site, here's how I filled out the provisioning form.

Configuration database

Since SQL is running on the local server, I selected Local database for the Configuration database.

RMS service account

Again, since this is a single server installation, I used the Local System account. That's fine for a lab box; in a real deployment provision RMS with a dedicated, low-privileged domain service account (see Jason's comment below). One consequence of using Local System is that the RMS Service Group ends up with no member, which we have to work around later in this post.

Cluster URL

Leave it with the default value (i.e. this server).

Private key protection and sub-enrollment

Leave the box ticked and enter a nice, strong password. This password protects the private key of the server licensor certificate (SLC) stored in the configuration database; every license the cluster issues is rooted in that key. Without the password you can't add a server to the cluster or restore it, and without the key nothing protected by this cluster can ever be opened again. Don't forget this password, especially in a production environment (which this is not, since it's a single server installation). The server licensor certificate name will default to the name of the server. Let it be (makes me want to sing).

RMS Proxy Settings

Okay, you have to know something about the network that this server is on. As part of the provisioning process the server generates its key pair locally and sends a certificate request out over the internet to Microsoft's enrollment service, which signs the server licensor certificate. If you're not connected to the internet you have to perform this process manually (offline enrollment): export the request to a file, submit it from a machine that is connected, and import the signed certificate back. Either way the request goes to Microsoft's enrollment service; this version of RMS doesn't offer an in-house enrollment option.

Anyway, you have to set the proxy server settings here if you want it to get on the internet and you are behind a proxy server. When you tick the boxes you'll see all the proxy server receptacles.

Alas, we are met with an error. No permission to sub-enroll. This is caused by a previous installation that left some stuff (service connection point) registered in Active Directory.

We need to go and correct the problem. From Active Directory Sites and Services, click on the top most node and select Show Services Node from the View menu.

Now, delete the old SCP (service connection point). Be careful here outside the lab: the SCP is the pointer every RMS client in the forest uses to find the root cluster, so only delete it when the cluster it points to is really gone. You'll need rights on the Configuration container (Enterprise Admins) to do it.

Now let's repeat the provisioning process (practice makes perfect)! Make sure the title on the screen says Provision the RMS Root Certification Server and not Provision the RMS Licensing Server. That's the mistake I made originally (since I didn't know that someone had tried to install RMS on my virtual machine in the past).

Notice there is some extra information that needs to be filled out (like the administrative contact) that wasn't part of the Provision the RMS Licensing Server process.

Server Internet Connectivity

Easiest way is to be connected to the internet so the server licensor certificate gets signed automagically.

Now let's visit the RMS Global Administration page.

Here's an error I received in a previous installation attempt. I think it was when I tried to install on a web site with a host header.

Now we can go to the RMS Global Administration page and begin the configuration process.

We have to register the RMS Service Connection Point in Active Directory. The link is located at the bottom of the administration screen.

That was quick and easy.
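Both the stale-SCP problem earlier and the registration step here come down to one object in Active Directory. The script below is an added example, not part of the original post: it reads the RMS service connection point from the forest's Configuration partition, shows which cluster URL it points at, and offers a guarded delete for the case where an old installation left one behind. It assumes the container names RMS uses (CN=SCP,CN=RightsManagementServices,CN=Services under the Configuration naming context), a domain-joined machine, and an account with Enterprise Admin rights for the delete; the function names are my own.

```powershell
# Added example (not from the original post): inspect, and if necessary
# remove, the RMS service connection point in AD. Assumes the standard
# container path used by RMS and Enterprise Admin rights for deletion.

function Get-RmsScp {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.configurationNamingContext
    $scpPath  = "LDAP://CN=SCP,CN=RightsManagementServices,CN=Services,$configNc"

    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($scpPath)) {
        return $null
    }
    $scp = [ADSI]$scpPath
    # serviceBindingInformation carries the root cluster's certification URL
    # (e.g. http://server1/_wmcs/Certification); clients and SharePoint farms
    # in the forest discover the root cluster from it.
    New-Object PSObject -Property @{
        DistinguishedName = [string]$scp.distinguishedName
        ClusterUrl        = (@($scp.serviceBindingInformation) -join '; ')
    }
}

function Remove-StaleRmsScp {
    param([switch]$Force)
    $scp = Get-RmsScp
    if ($scp -eq $null) {
        Write-Output 'No RMS SCP is registered; nothing to delete.'
        return
    }
    Write-Warning "RMS SCP $($scp.DistinguishedName) points at $($scp.ClusterUrl)"
    if (-not $Force) {
        Write-Warning 'Confirm that cluster really is gone, then re-run with -Force.'
        return
    }
    $entry = [ADSI]"LDAP://$($scp.DistinguishedName)"
    # Deletes the SCP object itself; this is what the post does by hand in
    # AD Sites and Services under the Services node.
    $entry.psbase.DeleteTree()
}

# Show what is registered right now (nothing before the registration step above).
$current = Get-RmsScp
if ($current) { $current | Format-List } else { 'No RMS SCP registered yet.' }
```

After registering the SCP from the RMS administration page, Get-RmsScp should show your cluster URL; if it shows a URL for a server that no longer exists, that is the "no permission to sub-enroll" situation from earlier in this post.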

We now have the web service installed on the default web app.

We can check the web service and see the methods it provides.

Now we can check and see if the service really works. Start by creating a Word document and then try and protect it. When I created the document, I was logged in as administrator.

I've given Alan read permissions and Connie change permissions.

Log on as Alan to test it out. You'll find that he can't make any changes to the document or print it.

Log in as Connie. She has permissions to change the document. Click on the View Permission… button to see what permissions she has.

After Connie edits the document and saves a new copy we can see that Alan still only has read permission on the new document Connie has created.

In order for SharePoint to use RMS and according to the instructions I read, you need to set the security on ServerCertification.asmx. This is the web service that is used by SharePoint. You have to get past the error shown in the IRM screen on the SharePoint Central Administration.

Here's what ServerCertification.asmx security looks like prior to messing with it.

This is what it needs to look like. Be sure and add the Local Service account. More generally, the identity that needs Read & Execute on this file is whatever account your SharePoint web application's application pool runs as (plus the RMS Service Group); on a single box with a built-in account that is the machine identity, on a farm it's your app pool's domain account.

Here's the trick for our single server installation. Since we didn't create and use a service account during the initial installation of RMS, there is no account in the RMS Service Group. To fix this, create an ordinary user account with no special permissions and put it in the RMS Service Group. I created RMS Service Account with plain User privileges, placed it in the group, and voilà!
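The permission change above can be scripted and, more usefully, re-checked after the fact. The block below is an added example and not code from the original post: it grants Read & Execute on ServerCertification.asmx to the RMS Service Group and to the SharePoint application pool identity, then prints the resulting ACL. It assumes the default RMS install path shown in this post, that the local group is literally named "RMS Service Group" (as the installer creates it), and that the SharePoint application pool runs as NETWORK SERVICE on the same box; substitute your own app pool account if it doesn't.

```powershell
# Added example (not from the original post): grant the identities SharePoint's
# IRM integration needs on ServerCertification.asmx and show the result.
# Assumptions: default _wmcs path, local group 'RMS Service Group', and a
# SharePoint app pool running as NETWORK SERVICE on this server.

$asmx = 'C:\Inetpub\wwwroot\_wmcs\Certification\ServerCertification.asmx'

function Grant-ReadExecute {
    param([string]$Path, [string[]]$Identities)

    $acl = Get-Acl -Path $Path
    foreach ($id in $Identities) {
        # Read & Execute is all the web service needs; avoid Modify/Full Control here.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'ReadAndExecute', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Show-Acl {
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# The RMS Service Group only gets a member when RMS is provisioned with a real
# service account; with Local System the post adds a plain user account to it first.
Grant-ReadExecute -Path $asmx -Identities @(
    "$env:COMPUTERNAME\RMS Service Group",
    'NT AUTHORITY\NETWORK SERVICE'
)
Show-Acl -Path $asmx

# Recycle IIS so the SharePoint application pool picks up the new permissions.
iisreset
```

If the Information Rights Management page in Central Administration still shows an error afterwards, compare Show-Acl's output against the identity your application pool actually runs under in IIS Manager; a mismatch there is the usual cause.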

Chrissy Blanco had a 2006 blog post that kind of sheds some light on the permissions issue, but it was inconclusive for me due to the varying setups people were using.

Using RMS from SharePoint

I went through all of this so I could have a good demo environment I could easily carry around on my laptop. So, let's see how this works with SharePoint, now that it's installed and working.

Here's a document library that we'll apply IRM to. I'm skipping a lot of details here because I'm counting on you being familiar with SharePoint (but not that familiar with RMS).

Here's the place where you start defining the IRM policy for the document library. Tick the top box and start "getting' after it!" The idea here is that any document downloaded from this library will inherit the IRM rights that have been assigned from SharePoint.

You can set the IRM settings as you like and test it out. Upload a document and then download it while you are logged on as different users. You'll find that the permissions the user has to the document in SharePoint are used to drive the RMS permissions. They are applied to the document as it is downloaded, so it is automatically protected on the way out. For example, if you have view only permissions to the document library in SharePoint, those are the permissions you'll have on the RMS protected document when you download it. Keep in mind what this does and doesn't cover: SharePoint decrypts on upload and encrypts on download, so the copy sitting in the content database is not RMS protected. IRM protects documents that leave the library; it does not protect you from someone with direct access to the SQL server or the farm account.
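The same library settings can be switched on from the object model, which is handy when you're rebuilding a demo environment or want to see exactly who holds which permission level on a library (the level is what SharePoint translates into RMS rights on download, as described above). The block below is an added example for this post, not code from the original or from the SharePoint product: it enables IRM on a document library through the WSS 3.0 / MOSS 2007 object model and lists the role assignments on it. It assumes it runs on the MOSS server; the site URL reuses the host name from this post, and the library title "Shared Documents" is made up.

```powershell
# Added example (not from the original post): enable IRM on a document library
# via the SharePoint object model and list the permission levels on it.
# Assumptions: run on the MOSS server; site URL and library title are made up.

[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SharePoint')

function Enable-LibraryIrm {
    param(
        [string]$SiteUrl,
        [string]$LibraryTitle,
        [switch]$RejectUnprotectable,   # block uploads of formats IRM can't protect
        [datetime]$ExpireOn             # optional date after which protection stops
    )
    $site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
    try {
        $web  = $site.OpenWeb()
        $list = $web.Lists[$LibraryTitle]

        # These three properties back the top of the library's IRM settings page.
        $list.IrmEnabled = $true
        $list.IrmReject  = [bool]$RejectUnprotectable
        if ($PSBoundParameters.ContainsKey('ExpireOn')) { $list.IrmExpire = $ExpireOn }
        $list.Update()

        # Role assignments drive the rights baked into downloaded copies:
        # read-only SharePoint permissions become a view-only RMS license,
        # as the Alan/Connie test above shows.
        foreach ($ra in $list.RoleAssignments) {
            $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ', '
            New-Object PSObject -Property @{
                Principal = $ra.Member.Name
                Levels    = $levels
            }
        }
    } finally {
        if ($web) { $web.Dispose() }
        $site.Dispose()
    }
}

Enable-LibraryIrm -SiteUrl 'http://portal.awbikes.local' -LibraryTitle 'Shared Documents' -RejectUnprotectable |
    Format-Table Principal, Levels -AutoSize
```

Turning on RejectUnprotectable is the setting I'd recommend for a library that exists to hold sensitive material: without it, a file type the RMS client can't protect is simply handed out in the clear.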

When You Don't Have the WRM Client Installed

Here's the dialog you get when you attempt to open a file in an IRM protected document library and you don't have the RMS client installed. In this scenario, I was hitting the MOSS server running on SERVER1 on my notebook from my Windows XP desktop client (which is also the VM host). I have modified my HOSTS file so that portal.awbikes.local resolves to the virtual machine's IP address (192.168.2.10) for SERVER1.

Posted by Russell Wright at 1/06/2008 09:17:00 PM. Labels: moss 2007, sharepoint security

12 comments:

Jason said...

Good stuff. Thought I may post some advice for an enterprise environment.

1. Don't use the localsystem account as the RMS service account. You should create an actual account in the AD and use it, to avoid authentication problems.

2. Use cname records for your SQL server and cluster URL for disaster recovery reasons. The cluster URL that you specify, will be embedded into every piece of RMS content you create, and deciding to change it later, when you move to another machine will be problematic. Using a cname record you just need to change the A record it is pointing to to the new host.

3. The user that you add to servercertification.asmx will vary depending on how you installed MOSS, and for which site in particular you are authorizing. If you used the network service account then you need to add machinename$ to the list of users. If you used a specific service account you would add that.

4. If you're going to use https, make sure you specify this during provisioning, as once again, the licensing URL that issued the CLC to the user publishing the content will be embedded into the content, and changing it later is a bit of a mess.

Thanks.

1/07/2008 1:35 PM

Brad said...

I have followed your steps, however when I attempt to open a Word document in an IRM-enabled document library, Word opens but the document doesn't load into Word. Is there any other setting that needs to be configured? I think I'm close but may be missing a key step.

Thanks,
Brad

1/29/2008 1:17 PM

Russell Wright said...

I am now having similar issues. Not sure why. When I turn on IRM for a library, it's like the browser thinks the link to the document is not a valid link and I can't download the document. When I take off IRM, it will download. I'm investigating...

1/31/2008 1:30 PM

Russell Wright said...

Well, I believe I found the problem. Upon investigating the Application Event Viewer I found IRM 5133 and 5056 errors. This points to a problem with RMS servicing SharePoint requests due to a problem with permissions on C:\Inetpub\wwwroot\_wmcs\Certification\ServerCertification.asmx. After going back and adding the Local System account and doing an IISRESET, it began functioning as expected. I don't know why it was working in the first place without this account, but I swear it was!

1/31/2008 3:19 PM

Gleb said...

Hello! Do you know if I can use a third party cryptoprovider with RMS for SharePoint 2007?

2/14/2008 11:39 PM

@m!th said...

hello friends,

As Russell mentioned above, I am also facing the same problem: the browser tells me that the "link to the document is not a valid link".

Can you clarify the solution mentioned in the above answer? I am really in need of this solution.

2/28/2008 5:05 AM

Russell Wright said...

I'm not really sure I understand what needs to be clarified? I need more detail from you in order to attempt to answer your question.

3/03/2008 2:07 PM

Manish said...

I am facing an issue with RMS. I have configured RMS on our server, and it is working fine when we are testing, but when we deploy the RMS Client on the clients' PCs, we encounter a problem: some users' PCs can open RMS protected documents, and some can't. The error message that they get is "This document has been IRM protected by policy", then that is it, and it won't open the RMS protected documents.

Can anybody help in this regard?
Manish
http://manish-sharepoint.blogspot.com/

4/14/2008 5:15 AM

Steve Johnson said...

Despite this being on a single server I used this as a template for getting RMS working on a small server farm. Good work! Saved me about two of endless pratting about!

Many thanks for sharing your work with us all

Much appreciated

5/20/2008 12:42 PM

pradeep said...

I am also getting above error. Please give comments on the same

6/11/2008 5:52 AM

Vicente said...

Hi,

I went to the operations page in my WSS admin, clicked Information Rights Management, chose "Use the default RMS server specified in Active Directory", then OK, and got "The required Windows Rights Management client is present but could not be configured properly. IRM will not work until the WRM client is configured properly."

What's happening?

thanks

2/27/2009 3:39 AM

VST said...

Hi,

Great article with screenshots. I'm trying to find information about the cost of using IRM with MOSS. Does it require WRM/IRM CALs for each user?

We are planning to buy MOSS 2007 with Enterprise CALs. What else do you need to buy to have this functionality.

Thanks,

4/21/2009 2:20 PM