Howdy from Texas!
Russell Wright here, from SharePoint Solutions (Dallas office). Thought some of y'all might want to see what I've gone through recently getting Windows Rights Management Server installed on my virtual SharePoint box.
We're going to install Windows Rights Management Server on a server with MOSS. I've found several documents and blogs where multiple server installations are discussed, but I wanted something that would be easy to carry around for demonstration purposes. I was also told that you couldn't do this, but was never told why, so I decided to try.
Why do you want to use Windows Rights Management Server? Let's say you have some documents you are "passing around" that have fairly sensitive information in them and you don't want anyone except those you have specifically authorized to have access to the documents. RMS encapsulates the security in the documents so just having the document doesn't mean you can access it. There are several whitepapers that discuss all the reasons why you'd want to use RMS.
Of course, RMS won't protect you against someone…
- Retyping the information into another document
- Taking a picture of the screen
- Using 3rd party screen capture apps
This installation is intended for the SharePoint professional who uses virtual machines for testing and as a general learning environment; hence, everything is installed on a single server image.
I started with my VM that has MOSS (SP1) installed. What you'll see here are lots of pictures with a little explanation when necessary. If a picture is worth a thousand words, this post is equivalent to about fifty thousand "words" to make you feel good about the installation.
To install Windows Rights Management Services, you need the following:
- Server running in Application Server Role (your SharePoint server)
- SQL Server 2005 Standard (already part of your SharePoint server)
- Message Queuing (a subcomponent under Application Server)
Install message queuing.
I selected the weakened security, but it probably wouldn't matter.
This error might be left over from a previous attempt at installing DRMS. Didn't seem to affect anything.
Here's proof that the service is running. Check to make sure that your SQL Server is still up and running. Mine got stopped, somehow.
And then you need to:
- Install the WRM client
- Install RMS Server
- Configure RMS
- Register SCP in AD so SharePoint can find it
- Configure SharePoint to use the exposed web services
Install the WRM client.
SharePoint needs the WRM client since it will be responsible for managing the rights assigned to a document through a document library.
Installing the WRM client is easy. Download from here and run. Good for 32-bit and 64-bit clients.
This is a very quick installation. Takes about 10-20 seconds. After the installation you'll see a change in the Central Admin for SharePoint. The warning has disappeared.
Install Windows Rights Management Services (with SP2)
WRMS can be downloaded here. Note that there are different versions for x86, x64 and IA-64 architectures. You might want to go ahead and download the Windows Rights Management Toolkit while you're in the downloading mode.
What's this look like when you're done?
Notice we have an RMS Administration web site.
Now that RMS is installed, it's time to provision the thing. This means you have to do a little configuration (or provisioning, whichever word you like to use). This will set up the web services that SharePoint needs from RMS to do its thing.
You want to provision RMS on a site without a host header. If you have several sites running on port 80 and utilize a host header, I've found that RMS doesn't seem to know how to handle that. So, I'd recommend that you install RMS on the default web site on port 80. You might be able to get away with installing it on a site running on a different port, but I didn't try that.
I'll warn you…this next part I tried didn't work correctly because my virtual machine had a failed RMS installation of which I was unaware. If you read through it you'll see where I found and corrected my error. I left all my steps in the procedure, just in case you have similar problems.
After selecting Provision RMS on this Web site on the Default Web Site, here's how I filled out the provisioning form.
Since SQL is running on the local server, I selected Local database for the Configuration database.
RMS service account
Again, since this is a single server installation, I used the Local System account.
Leave it with the default value (i.e. this server).
Private key protection and sub-enrollment
Leave the box ticked and enter a nice, strong password. Don't forget this password, especially in a production environment (which this is not, since it's a single server installation). The server licensor certificate name will default to the name of the server. Let it be (makes me want to sing).
RMS Proxy Settings
Okay, you have to know something about the network that this server is on. As part of the provisioning process it's going to go out on the internet and automatically get a set of keys to run this beast. If you're not connected to the internet you have to perform this process manually. You know, take the key request and get a set of keys created. You can probably do this internally, if you have a key generator service running somewhere.
Anyway, you have to set the proxy server settings here if you want it to get on the internet and you are behind a proxy server. When you tick the boxes you'll see all the proxy server receptacles.
Alas, we are met with an error. No permission to sub-enroll. This is caused by a previous installation that left some stuff (service connection point) registered in Active Directory.
We need to go and correct the problem. From Active Directory Sites and Services, click on the top most node and select Show Services Node from the View menu.
Now, delete the old SCP (service connection point).
Now let's repeat the provisioning process (practice makes perfect)! Make sure the title on the screen says Provision the RMS Root Certification Server and not Provision the RMS Licensing Server. That's the mistake I made originally (since I didn't know that someone had tried to install RMS on my virtual machine in the past).
Notice there is some extra information that needs to be filled out (like the administrative contact) that wasn't part of the Provision the RMS Licensing Server process.
Server Internet Connectivity
Easiest way is to be connected to the internet so it can get a key pair automagically.
Now let's visit the RMS Global Administration page.
Here's an error I received in a previous installation attempt. I think it was when I tried to install on a web site with a host header.
Now we can go to the RMS Global Administration page and begin the configuration process.
We have to register the RMS Service Connection Point in Active Directory. The link is located at the bottom of the administration screen.
That was quick and easy.
We now have the web service installed on the default web app.
We can check the web service and see the methods it provides.
Now we can check and see if the service really works. Start by creating a Word document and then try and protect it. When I created the document, I was logged in as administrator.
I've given Alan read permissions and Connie change permissions.
Log on as Alan to test it out. You'll find that he can't make any changes to the document or print it.
Log in as Connie. She has permissions to change the document. Click on the View Permission… button to see what permissions she has.
After Connie edits the document and saves a new copy we can see that Alan still only has read permission on the new document Connie has created.
In order for SharePoint to use RMS and according to the instructions I read, you need to set the security on ServerCertification.asmx. This is the web service that is used by SharePoint. You have to get past the error shown in the IRM screen on the SharePoint Central Administration.
Here's what ServerCertification.asmx security looks like prior to messing with it.
This is what it needs to look like. Be sure and add the Local Service account.
Here's the trick for our single server installation. Since we didn't create and use a service account during the initial installation of RMS, there is no account in the RMS Service Group. To fix this problem, create a user account, with no special permissions, and put it in the RMS Service Group. I created RMS Service Account with User privileges and placed it in the group and viola!
Chrissy Blanco had a 2006 blog post that kind of sheds some light on the permissions issue, but it was non-conclusive for me due to the varying setups people were using.
Using RMS from SharePoint
I went through all of this so I could have a good demo environment I could easily carry around on my laptop. So, let's see how this works with SharePoint, now that it's installed and working.
Here's a document library that we'll apply IRM to. I'm skipping a lot of details here because I'm counting on you being familiar with SharePoint (but not that familiar with RMS).
Here's the place where you start defining the IRM policy for the document library. Tick the top box and start "getting' after it!" The idea here is that any document downloaded from this library will inherit the IRM rights that have been assigned from SharePoint.
You can set the IRM settings as you like and test it out. Upload a document and then download it while you are logged on as different users. You'll find that the permissions the user had to the document in SharePoint are used to drive the RMS permissions. They are applied to the document as it is downloaded, thus automatically being protected. For example, if you have view only permissions to the document library in SharePoint, those are the permissions you'll have on the RMS protected document when you download it.
When You Don't Have the WRM Client Installed
Here's the dialog you get when you attempt to open a file in an IRM protected document library and you don't have the RMS client installed. In this scenario, I was hitting the MOSS server running on SERVER1 on my notebook from my Windows XP desktop client (which is also the VM host). I have modified my HOSTS file to point to the loopback IP address (192.168.2.10) for SERVER1 and provided portal.awbikes.local as the DNS name.