Step 2: Configuring AD RMS to Work with SPS-SRV

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

After Office SharePoint Server 2007 has been installed, there are several tasks that must be completed to integrate Office SharePoint Server 2007 with AD RMS:

  • Add the Office SharePoint Server 2007 site to the Local Intranet Internet Explorer zone.

  • Add the user accounts for Nicole Holliday and Stuart Railson to the SharePoint site. (CPANDL\Administrator, the account that installed Office SharePoint Server 2007, already has access to the site.)

  • Add the Office SharePoint Server 2007 server to the AD RMS server certification pipeline.

  • Enable Information Rights Management in Office SharePoint Server 2007.

  • Restrict permissions by using AD RMS.

First, add the Office SharePoint Server 2007 site to the Internet Explorer Local Intranet zone on the Office SharePoint Server 2007 computer. Internet Explorer sends the logged-on user's Windows credentials automatically only to sites in the Local Intranet zone, so without this step the browser prompts for credentials each time the SPS-SRV site is opened.

To add SPS-SRV to Local Intranet

  1. Log on to SPS-SRV as cpandl\administrator.

  2. Click Start, point to Control Panel, and then click Internet Options.

  3. Click the Security tab, click Local Intranet, and then click the Sites button.

  4. Type https://SPS-SRV, and then click Add.

  5. Click Close, and then click OK.
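The same zone assignment can be made from PowerShell by writing the registry value that the Internet Options dialog writes. The following is an added example, not part of the original guide; it uses the guide's host name SPS-SRV and applies to the current user only.

```powershell
# Added example (not from the original guide): put https://SPS-SRV in the
# Local intranet zone for the current user by writing the ZoneMap key that
# Internet Options > Security > Local intranet > Sites writes.
$site    = 'SPS-SRV'
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$siteKey = Join-Path $zoneMap $site

if (-not (Test-Path $siteKey)) {
    New-Item -Path $siteKey -Force | Out-Null
}

# Value name is the scheme; data 1 = Local intranet
# (2 = Trusted sites, 3 = Internet, 4 = Restricted sites).
New-ItemProperty -Path $siteKey -Name 'https' -Value 1 -PropertyType DWord -Force | Out-Null

# Check: the Sites dialog lists the entry only when this reads back as 1.
$zone = (Get-ItemProperty -Path $siteKey -Name 'https').https
if ($zone -eq 1) {
    "https://$site is in the Local intranet zone"
} else {
    throw "Zone assignment for https://$site failed (read back $zone)"
}
```

Only the https scheme is registered, which matches typing https://SPS-SRV in the dialog; an http://SPS-SRV URL would still fall into the Internet zone. If the domain applies the "Security Zones: Use only machine settings" policy, the equivalent key under HKLM is the one that counts and this per-user entry is ignored.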

Next, give Nicole Holliday and Stuart Railson access to the SharePoint site so that the Office SharePoint Server 2007 integration with AD RMS can be verified later in this guide:

To add Nicole Holliday and Stuart Railson to the SharePoint site

  1. Click Start, point to All Programs, and then click Internet Explorer.

  2. Type https://SPS-SRV in the address bar, and then click Go. This will open the default Office SharePoint Server 2007 site that was created during installation.

  3. Click Site Actions, point to Site Settings, and then click People and Groups.

  4. Click New, and then click Add Users.

  5. Type nhollida@cpandl.com;srailson@cpandl.com in the Users/Groups box, and then click OK. A list of users who have permission to use the SharePoint site is displayed.

Next, grant the accounts that SPS-SRV uses to call the AD RMS cluster (the IIS application pool identities of the SharePoint Web applications) access to the AD RMS cluster server certification pipeline.

Important

By default, the ACL on the AD RMS cluster server certification pipeline (ServerCertification.asmx) allows only the local System account. You must grant the Office SharePoint Server 2007 application pool identities Read & execute permission on this file; otherwise the cluster refuses the calls SPS-SRV makes to the pipeline and IRM cannot be enabled. Grant only Read & execute and Read, not Modify or Full control.

To add SPS-SRV to the AD RMS Certification Pipeline

  1. Log on to ADRMS-SRV as CPANDL\Administrator.

  2. Click Start, and then click Computer.

  3. Navigate to C:\Inetpub\wwwroot\_wmcs\Certification.

  4. Right-click ServerCertification.asmx, click Properties, and then click the Security tab.

  5. Click Advanced, click Edit, select the Include inheritable permissions from this object's parent check box, and then click OK two times.

  6. Click Edit, and then click Add.

  7. Click Object Types, select the Users check box, and then click OK.

  8. Type the name of the account used as the IIS application pool identity for SharePoint Central Administration (for example, MOSS Farm Account), and then click OK.

    If you are following the recommended practice of running Central Administration and the MOSS Web application under separate application pool identities, both identities require Read & execute permission on the ServerCertification.asmx file.

    Click Add again, repeat step 7, type the name of the IIS application pool identity for your MOSS Web application (for example, MOSS SSP Application Identity), and then click OK.

  9. Click OK to close the ServerCertification.asmx Properties sheet.

    Because inheritance from the parent folder was enabled in step 5, the application pool identity accounts you added, like the other accounts inherited from the parent folder, receive the Read & execute and Read permissions. These are the only permissions SharePoint needs on this file.

  10. Click Start, and then click Command Prompt.

  11. Type iisreset, and then press ENTER.
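The same ACL change, with a read-back of the resulting entries, can be made from PowerShell on ADRMS-SRV. This is an added example, not part of the original guide; the two account names are placeholders for the application pool identities used in your farm, and the file path is the default AD RMS installation path given in step 3.

```powershell
# Added example (not from the original guide): grant the SharePoint
# application pool identities Read & execute on ServerCertification.asmx,
# re-enable inheritance from the parent folder, then restart IIS.
# The account names below are assumed; substitute your farm's identities.
$asmx = 'C:\Inetpub\wwwroot\_wmcs\Certification\ServerCertification.asmx'
$poolIdentities = @(
    'CPANDL\MOSS Farm Account',               # Central Administration app pool (assumed name)
    'CPANDL\MOSS SSP Application Identity'    # MOSS Web application app pool (assumed name)
)

$acl = Get-Acl -Path $asmx

# Step 5 of the procedure: include inheritable permissions from the parent.
# isProtected = $false -> inherit; preserveInheritance = $true -> keep explicit entries.
$acl.SetAccessRuleProtection($false, $true)

# Steps 6-8: one Allow entry per identity, ReadAndExecute only (no Modify/FullControl).
foreach ($id in $poolIdentities) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'ReadAndExecute', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $asmx -AclObject $acl

# Check: list the Allow entries now on the file. Any non-SYSTEM account with
# rights beyond ReadAndExecute/Read has more access to the pipeline than it needs.
(Get-Acl -Path $asmx).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize

# Step 11: IIS reads the pipeline ACL at startup, so restart it.
iisreset
```

Run the script in an elevated PowerShell session as CPANDL\Administrator. Because the new entries are explicit rather than inherited, they survive a later change to the folder's permissions; review the read-back table after any AD RMS update to confirm nothing wider was added.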

Once the certification pipeline ACL allows SPS-SRV to communicate with the AD RMS cluster, you must configure Office SharePoint Server 2007 to use the cluster:

To enable Information Rights Management in Office SharePoint Server 2007

  1. Log on to SPS-SRV as CPANDL\administrator.

  2. Click Start, point to Administrative Tools, and then click SharePoint 3.0 Central Administration.

  3. Click Operations, and then click Information Rights Management.

  4. Select the Use the default RMS server specified in Active Directory option, and then click OK. This option locates the cluster through the AD RMS service connection point (SCP) registered in Active Directory; if the SCP has not been registered, this step fails, and you must select Use this RMS server and type the cluster URL instead.

Create an Office SharePoint Server 2007 IRM permission policy on the default document library. The title and description entered below label the policy for users who open protected documents; the rights actually applied to a downloaded document come from each user's permission level on the site (see the Note at the end of this procedure). The library's Information Rights Management page also has an Allow users to print documents check box; clear it before clicking OK if the policy is to prevent printing as its description says:

To restrict permissions using AD RMS

  1. Log on as cpandl\Administrator.

  2. Click Start, point to All Programs, and then click Internet Explorer.

  3. Type https://SPS-SRV in the address bar, and then click Go.

  4. Click Document Center, click Documents, click Settings, and then click Document Library Settings.

  5. Under the Permissions and Management heading, click Information Rights Management.

  6. Select the Restrict permission to documents in this library on download check box.

  7. Type CPANDL Protected in the Permissions policy title box.

  8. Type Restrict CPANDL employees from printing in the Permission policy description box.

  9. Click OK.

Note

Office SharePoint Server 2007 will automatically apply AD RMS rights to the document when it is downloaded from the Office SharePoint Server 2007 site. These rights are determined by the Office SharePoint Server 2007 group membership for that site. For example, a user who is in the Visitors Office SharePoint Server 2007 group will not be able to modify the document when it is downloaded from the Office SharePoint Server 2007 site.
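The two preceding procedures (enabling IRM in Central Administration and restricting permissions on the document library) can also be performed and verified through the Office SharePoint Server 2007 object model. The following is an added example, not the guide's own code. Office SharePoint Server 2007 has no PowerShell snap-in, so the Microsoft.SharePoint assembly is loaded directly. The property names used (IrmSettings.IrmRMSEnabled, IrmRMSUseAD, IrmRMSCertServer, and SPList.IrmEnabled) are as I know them from the SharePoint object model and should be treated as an assumption to check against your installation, as should the Document Center site URL https://SPS-SRV/Docs.

```powershell
# Added example (not from the original guide): object-model equivalent of the
# Central Administration IRM page and the library IRM setting, with read-back.
# Run in PowerShell on SPS-SRV as CPANDL\Administrator.
# ASSUMPTIONS: property names as noted in the lead-in; library URL /Docs.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SharePoint')

# --- Farm level: "Use the default RMS server specified in Active Directory" ---
$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
$irm = $contentService.IrmSettings
$irm.IrmRMSEnabled = $true    # turn IRM on for the farm
$irm.IrmRMSUseAD   = $true    # discover the cluster via the AD RMS SCP, not a typed URL
$contentService.Update()

# Read back what was persisted. IrmRMSCertServer is empty when AD discovery is
# used; a non-empty value means "Use this RMS server" is in effect instead.
$irm = [Microsoft.SharePoint.Administration.SPWebService]::ContentService.IrmSettings
'Farm IRM enabled: {0}; discover via AD: {1}; fixed server: "{2}"' -f `
    $irm.IrmRMSEnabled, $irm.IrmRMSUseAD, $irm.IrmRMSCertServer

# --- Library level: "Restrict permission to documents in this library on download" ---
# No try/finally here so the script also runs under PowerShell 1.0 on Windows Server 2008.
$site = New-Object Microsoft.SharePoint.SPSite('https://SPS-SRV')
$web  = $site.OpenWeb('Docs')              # assumed: the Document Center site
$list = $web.Lists['Documents']
$list.IrmEnabled = $true                   # the "Restrict permission ..." check box
$list.Update()

# Check: confirm the flag is set on the library after Update().
'Library "{0}" IRM enabled: {1}' -f $list.Title, $list.IrmEnabled

$web.Dispose()
$site.Dispose()
```

The policy title and description, and the print setting, are entered on the library's Information Rights Management page as in the procedure above; this script only sets and verifies the farm-level and library-level switches. If the farm read-back shows IrmRMSEnabled as False after Update(), check that the application pool identities were granted access to the certification pipeline in the previous procedure, because Central Administration rejects the IRM setting when the cluster refuses the call.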