Active Directory Rights Management Services (AD RMS) is a powerful tool for safeguarding sensitive digital information, and its persistent protection also serves as a defense-in-depth measure. With AD RMS you can create rights management policies for
Microsoft Office content (Word/Excel/PowerPoint/Outlook/PDF), e.g. who can open, modify, print, forward, or take other actions with the information. Its persistent protection feature also provides an advanced level of protection based on user rights carried within the document itself, e.g. controlling how information is used even after it has been opened by the intended recipients.
Problem:
Recently I had a chance to troubleshoot an AD RMS implementation on Windows Server 2012 RTM, where the customer had deployed RMS with Cryptographic Mode 2. Cryptographic mode 2 provides a higher level of protection by doubling the encryption strength of cryptographic mode 1. After the successful implementation of AD RMS (Windows Server 2012) with cryptographic mode 2, the customer found that Outlook 2010 SP1 users whose mailboxes are on the company's e-mail server (Exchange Server 2010 SP1) could not use the RMS feature in either Outlook or OWA.
Cause:
While troubleshooting this issue, we found that AD RMS cryptographic mode 2 is not supported by Exchange Server 2010 SP1; it is only supported with Exchange Server 2010 SP3 and onwards. When Exchange Server 2010 SP1 runs in an environment where AD RMS is configured with cryptographic mode 2, the Exchange Server 2010 SP1 IRM feature fails to obtain the server licensing certificate from the RMS server.
Solution:
The preferred solution to such a problem is to upgrade Exchange Server 2010 to the latest service pack level, which is also quite imperative because Microsoft has already ended support for Exchange Server 2010 SP1. Also keep in mind that the cryptographic mode cannot be downgraded from mode 2 to mode 1. Since my customer didn't want to upgrade their Exchange 2010 version, the other possible solution was to decommission the newly deployed AD RMS installation and install a fresh copy of AD RMS with cryptographic mode 1.
For those of you who are interested in the steps for setting up a new AD RMS environment on Windows Server 2012 with cryptographic mode 1, please go through the steps below in sequence:
- Install the AD RMS role on Windows Server 2012 from Server Manager, and after choosing the dedicated SQL Server version, make sure you select Cryptographic Mode 1.
Before you start the installation, your AD RMS configuration should look like the one shown below:
Now log off from the system and log in again so that you can open the RMS Admin Console.
- In the second step, we create a universal mail-enabled security group, for example named RMS Super Admins, and add the FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@domain.com system federated mailbox to it. We then add this group in the RMS Super Admin section within the RMS Admin Console.
- The third step is to configure NTFS security permissions for the Exchange Servers security group on the ServerCertification.asmx file on the RMS server. To do this, go to "C:\inetpub\wwwroot\_wmcs\certification\ServerCertification.asmx", open the properties of ServerCertification.asmx, add the "Exchange Servers" security group and grant it Read & execute and Read permissions.
- In the fourth step we enable the Exchange IRM feature. Run the "Set-IRMConfiguration -InternalLicensingEnabled $true" cmdlet in the Exchange Management Shell to globally enable the IRM feature on Exchange Server. To verify your Exchange integration with RMS, run the Test-IRMConfiguration cmdlet on Exchange Server 2010. See the example below for this test:
```
[PS] C:\Windows\system32>Test-IRMConfiguration -Sender tom@domain.com

Results : Checking Exchange Server ...
          - PASS: Exchange Server is running in Enterprise.
          Loading IRM configuration ...
          - PASS: IRM configuration loaded successfully.
          Retrieving RMS Certification Uri ...
          - PASS: RMS Certification Uri: https://rms.domain.com/_wmcs/certification.
          Verifying RMS version for https://rms.domain.com/_wmcs/certification ...
          - PASS: RMS Version verified successfully.
          Retrieving RMS Publishing Uri ...
          - PASS: RMS Publishing Uri: https://rms.domain.com/_wmcs/licensing.
          Acquiring Rights Account Certificate (RAC) and Client Licensor Certificate (CLC) ...
          - PASS: RAC and CLC acquired.
          Acquiring RMS Templates ...
          - PASS: RMS Templates acquired.
          Retrieving RMS Licensing Uri ...
          - PASS: RMS Licensing Uri: https://rms.domain.com/_wmcs/licensing.
          Verifying RMS version for https://rms.domain.com/_wmcs/licensing ...
          - PASS: RMS Version verified successfully.
          Creating Publishing License ...
          - PASS: Publishing License created.
          Acquiring Prelicense for 'tom@domain.com' from RMS Licensing Uri (https://rms.domain.com/_wmcs/licensing) ...
          - PASS: Prelicense acquired.
          Acquiring Use License from RMS Licensing Uri (https://rms.domain.com/_wmcs/licensing) ...
          - PASS: Use License acquired.
          OVERALL RESULT: PASS
```
You can see in the output above that when we ran the Test-IRMConfiguration cmdlet with a valid Exchange mailbox specified as the sender, it verified that the sender can obtain the certificates and licenses from RMS, and each individual test reported a status of PASS.
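The four steps above, scripted end to end, as an added example that is not part of the original post. It assumes illustrative names (domain.com, CONTOSO\Exchange Servers, an RMS server named RMSSRV, sender tom@domain.com); steps 1 and 4 run in the Exchange Management Shell, step 2 runs on the AD RMS server, and step 3 needs admin access to the RMS server's file system. It also adds a pre-check that the post only states in prose: mode 2 is unsupported before Exchange 2010 SP3, so the script warns before you pick a mode you cannot downgrade later.

```powershell
# Added example, not the post's own script. Names below are assumptions for illustration.

# 0. Pre-check (Exchange Management Shell): AD RMS cryptographic mode 2 needs
#    Exchange 2010 SP3 (version 14.3) or later; mode 2 cannot be downgraded to mode 1.
$preSp3 = Get-ExchangeServer | Where-Object {
    $_.AdminDisplayVersion.Major -eq 14 -and $_.AdminDisplayVersion.Minor -lt 3
}
if ($preSp3) {
    Write-Warning "Exchange 2010 pre-SP3 servers found: $($preSp3.Name -join ', '). Deploy AD RMS in cryptographic mode 1."
}

# 1. Universal mail-enabled security group containing the federated system mailbox.
New-DistributionGroup -Name "RMS Super Admins" -Type Security -SamAccountName "RMSSuperAdmins" | Out-Null
Add-DistributionGroupMember -Identity "RMS Super Admins" -Member "FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042"

# 2. On the AD RMS server: register that group as the super user group
#    (the post does this in the RMS Admin Console).
Import-Module ADRMSAdmin
New-PSDrive -Name RC -PSProvider AdRmsAdmin -Root "http://RMSSRV" | Out-Null
Set-ItemProperty -Path RC:\SuperUser -Name IsEnabled -Value $true
Set-ItemProperty -Path RC:\SuperUser -Name SuperUserGroup -Value "RMSSuperAdmins@domain.com"

# 3. NTFS: grant the Exchange Servers group Read & execute on ServerCertification.asmx.
$asmx = "\\RMSSRV\c$\inetpub\wwwroot\_wmcs\certification\ServerCertification.asmx"
$acl  = Get-Acl -Path $asmx
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "CONTOSO\Exchange Servers", "ReadAndExecute", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $asmx -AclObject $acl

# 4. Enable internal IRM licensing and verify the RMS integration for one mailbox.
Set-IRMConfiguration -InternalLicensingEnabled $true
$result = Test-IRMConfiguration -Sender tom@domain.com
if ($result.Results -match "OVERALL RESULT: PASS") {
    "IRM integration OK for tom@domain.com"
} else {
    Write-Warning "IRM test did not pass:`n$($result.Results)"
}
```

If step 4 reports a failure at the licensing-certificate stage while the URIs resolve, re-check the NTFS grant from step 3 and the cryptographic mode chosen at installation before anything else.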
So far our AD RMS system is configured with Exchange Server 2010; if you want, you can try sending restricted e-mails using OWA or Outlook and you will see that the RMS features work fine. What next? If you want, you can create custom RMS templates for departmental or company-wide rights management policies. Check out this TechNet article for creating custom templates.
I hope that after reading this article you will be able to install and configure the AD RMS role on Windows Server 2012 and integrate it with Exchange Server.
Cheers!