
Deploying the Azure Rights Management Connector

Published: November 1, 2013

Updated: April 1, 2014

Applies To: Azure Rights Management, Office 365, Windows Server 2012, Windows Server 2012 R2

Use this information to learn about the Microsoft Rights Management (RMS) connector and how you can use it to provide information protection with existing on-premises deployments that use Microsoft Exchange Server, Microsoft SharePoint Server, or file servers that run Windows Server and use the File Classification Infrastructure (FCI) capability of File Server Resource Manager.

The Microsoft Rights Management (RMS) connector lets you quickly enable existing on-premises servers to use their Information Rights Management (IRM) functionality with the cloud-based Microsoft Rights Management services. With this functionality, IT and users can easily protect documents and pictures both inside your organization and outside, without having to install additional infrastructure or establish trust relationships with other organizations.

The RMS connector is a small-footprint service that you install on-premises, on servers that run Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2. After you install and configure the connector, it acts as a communications interface (a relay) between the on-premises servers and the cloud service.

RMS connector architecture

The RMS connector supports Exchange Server, SharePoint Server, and file servers that run Windows Server and use File Classification Infrastructure to classify and apply policies to documents in a folder.

Note
For supported versions of the on-premises servers, see “On-premises servers that support Azure RMS” in the Applications that support Azure RMS section of the Requirements for Azure Rights Management topic.

Use the following sections to help you plan for, install, and configure the RMS connector. You must then do some post installation configuration so that your servers can use the connector.

Before you install the RMS connector, make sure that the following requirements are in place.

 

Requirement: The Rights Management (RMS) service is activated

More information: Activating Azure Rights Management

Requirement: Directory synchronization between your Active Directory forests and Azure Active Directory

More information: After RMS is activated, Azure Active Directory must be configured to work with the users and groups in your Active Directory database.

Note
Although you can use Office 365 and Azure Active Directory by using accounts that you manually create in Azure Active Directory, the RMS connector requires that the accounts in Azure Active Directory are synchronized with Active Directory Domain Services.

For more information, see the following resources:

Requirement: Optional but recommended:

  • Enable federation between your on-premises Active Directory and Azure Active Directory

More information: You can enable identity federation between your on-premises directory and Azure Active Directory. This configuration enables a more seamless user experience by using single sign-on to the RMS service. Without single sign on, users are prompted for their credentials before they can use rights-protected content.

For instructions to configure federation by using Active Directory Federation Services (AD FS) between Active Directory Domain Services and Azure Active Directory, see Configure single sign-on.

Note
Some configurations for the RMS connector require federation. For example, access to SharePoint 2013 protected libraries from Office 2013 clients requires federation.

Requirement: A minimum of two computers on which to install the RMS connector:

  • A 64-bit physical or virtual computer running one of the following operating systems:

    • Windows Server 2012 R2

    • Windows Server 2012

    • Windows Server 2008 R2

  • At least 1 GB of RAM

  • A minimum of 64 GB of disk space

  • At least one network interface

  • Access to the Internet via a firewall (or web proxy) that does not require authentication

  • Must be in a forest or domain that trusts other forests in the organization that contain installations of Exchange or SharePoint servers that you want to use with the RMS connector

More information: For fault tolerance and high availability, you must install the RMS connector on a minimum of two computers.

After you have confirmed the prerequisites in the preceding section, use the following instructions to install the RMS connector:

  1. Identify the computers that will run the RMS connector. They must meet the minimum specification listed in the preceding section.

    Note
    You will install a single RMS connector (potentially consisting of multiple servers for high availability) per tenant (Office 365 tenant or Azure AD tenant). Unlike Active Directory RMS, you do not have to install an RMS connector in each forest.

  2. Download the source files for the RMS connector from the Microsoft Download Center.

    To install the RMS connector, download RMSConnectorSetup.exe.

    In addition:

    • If you later want to configure the connector from a 32-bit computer, also download RMSConnectorAdminToolSetup_x86.exe.

    • If you want to use the server configuration tool for the RMS connector, to automate the configuration of registry settings on your on-premises servers, also download GenConnectorConfig.ps1.

  3. On the computer on which you want to install the RMS connector, run RMSConnectorSetup.exe with Administrator privileges.

  4. On the Welcome page of the Microsoft Rights Management Connector Setup page, select Install Microsoft Rights Management connector on the computer, and then click Next.

  5. Read and agree to the RMS connector license terms, and then click Next.

To continue, enter an account and password to configure the RMS connector.

Before you can configure the RMS connector, you must enter credentials for an account that has sufficient privileges to configure the RMS connector. You can use an account that has one of the following privileges:

  • Office 365 Tenant Administrator: An account with administrator privileges on your Office 365 tenant.

  • Microsoft RMS Tenant Global Administrator: An account with administrator privileges on the Microsoft RMS tenant.

  • Microsoft RMS connector Administrator: An account in Azure Active Directory that has been granted rights to install and administer the RMS connector for the organization.



    Note
    If you want to use the Microsoft RMS connector Administrator account, you must first do the following to assign the RMS connector administrator role:

    1. On the same computer, download and install Windows PowerShell for Rights Management. For more information, see Installing Windows PowerShell for Azure Rights Management.

      Start Windows PowerShell with the Run as administrator command, and connect to the Azure RMS service by using the Connect-AadrmService command:

      Connect-AadrmService   # provide Office 365 Tenant Administrator or Microsoft RMS Tenant Global Administrator credentials
      
    2. Then run the Add-AadrmRoleBasedAdministrator command, using just one of the following parameters:

      Add-AadrmRoleBasedAdministrator -EmailAddress <email address> -Role "GlobalAdministrator"
      
      Add-AadrmRoleBasedAdministrator -ObjectId <object id> -Role "ConnectorAdministrator"
      
      Add-AadrmRoleBasedAdministrator -SecurityGroupDisplayName <group Name> -Role "ConnectorAdministrator"
      
      For example, type: Add-AadrmRoleBasedAdministrator -EmailAddress melisa@contoso.com -Role "GlobalAdministrator"

During the RMS installation process, all prerequisite software is validated and installed, Internet Information Services (IIS) is installed if not already present, and the connector software is installed and configured. In addition, RMS is prepared for configuration by creating the following:

  • An empty table of servers that are authorized to use the connector to communicate with RMS. You will add servers to this table later.

  • A set of authorization certificates that are downloaded from RMS and installed on the local computer. The computer stores these certificates in the registry and protects them by using the data protection application programming interface (DPAPI) with the Local System account credentials.

On the final page of the wizard, do the following, and then click Finish:

  • If this is the first connector that you have installed, do not select Launch connector administrator console to authorize servers at this time. You will select this option after you have installed your second (or final) RMS connector. Instead, run the wizard again on at least one other computer. You must install a minimum of two connectors.

  • If you have installed your second (or final) connector, select Launch connector administrator console to authorize servers.

Tip
At this point, there is a verification test that you can perform to test whether the web services for the RMS connector are operational:

  • From a web browser, connect to http://<connectoraddress>/_wmcs/certification/servercertification.asmx, replacing <connectoraddress> with the server address or name that has the RMS connector installed. A successful connection displays a ServerCertificationWebService page.

When you have installed the RMS connector on at least two computers, you are ready to authorize the servers that you want to use the RMS connector. For example, your servers running Exchange Server 2013 or SharePoint Server 2013.

To define these servers, run the RMS connector administration tool and add entries to the list of allowed servers. You can run this tool when you select Launch connector administration console to authorize servers at the end of the Microsoft Rights Management connector Setup wizard, or you can run it separately from the wizard.

When you authorize these servers, be aware of the following considerations:

  • Servers that you add will be granted special privileges. All servers that you specify and are configured as Exchange servers will be granted SuperUser privileges for all the content for this RMS tenant. To avoid the security risk of elevation of privileges, be careful not to grant this privilege to accounts that are not going to be used by your organization’s Exchange servers. All servers configured as SharePoint servers or file servers that use FCI will be granted regular user privileges.

  • You can add multiple servers as a single entry by specifying an Active Directory security or distribution group, or a service account that is used by more than one server. When you use this configuration, the group of servers will share the same RMS certificates and will all be considered owners for content that any of them have protected. To minimize administrative overheads, we recommend that you use this configuration of a single group rather than individual servers to authorize your organization’s Exchange servers or a SharePoint server farm.

On the Servers allowed to utilize the connector page, click Add.

On the Allow a server to utilize the connector page, enter the name of the object, or browse to identify the object to authorize.

It is important that you authorize the correct object. For a server to use the connector, the account that runs the on-premises service (for example, Exchange or SharePoint) must be selected for authorization. For example, if the service is running as a configured service account, add the name of that service account to the list. If the service is running as Local System, add the name of the computer object (for example, SERVERNAME$). As a best practice, create a group that contains these accounts and specify the group instead of individual server names.

More information about the different server roles:

  • For servers that run Exchange: You must specify a security group and you can use the default group (All Exchange Servers) that Exchange automatically creates and maintains of all Exchange servers in the forest.

  • For servers that run SharePoint: The default installation is to run the service as Local System. For this default configuration, manually create a security group in Active Directory Domain Services, and add the computer name objects to this group. However, the recommended configuration is to run SharePoint by using a manually configured service account. For this configuration, do the following:

    1. Add the service account that runs the SharePoint Central Administration service to enable SharePoint to be configured from its administrator console.

    2. Add the account that is configured for the SharePoint App Pool.

    Tip
    If these two accounts are different, consider creating a single group that contains both accounts to minimize the administrative overheads.

  • For file servers that use File Classification Infrastructure, the associated services run as the Local System account, so you must authorize the computer account for the file servers (for example, SERVERNAME$) or a group that contains those computer accounts.

When you have finished adding servers to the list, click Close.

If you haven’t already done so, you must now configure load balancing for the servers that have the RMS connector installed, and consider whether to use HTTPS for the connections between these servers and the servers that you have just authorized.

After you have installed the second or final instance of the RMS connector, define a connector URL server name and configure a load balancing system.

The connector URL server name can be any name under a namespace that you control. For example, you could create an entry in your DNS system for rmsconnector.contoso.com and configure this entry to use an IP address in your load balancing system. There are no special requirements for this name and it doesn’t need to be configured on the connector servers themselves. Unless your Exchange and SharePoint servers are going to be communicating with the connector over the Internet, this name doesn’t have to resolve on the Internet.

Important
We recommend that you don’t change this name after you have configured Exchange or SharePoint servers to use the connector, because you have to then clear these servers of all IRM configurations and then reconfigure them.

After the name is created in DNS and is configured for an IP address, configure load balancing for that address, which directs traffic to the connector servers. You can use any IP-based load balancer for this purpose, which includes the Network Load Balancing (NLB) feature in Windows Server. For more information, see Load Balancing Deployment Guide.

Use the following settings to configure the NLB cluster:

  • Ports: 80 (for HTTP) or 443 (for HTTPS)

    For more information about whether to use HTTP or HTTPS, see the next section.

  • Affinity: None

  • Distribution method: Equal

Note
This configuration step is optional, but recommended for additional security.

Although the use of TLS or SSL is optional for the RMS connector, we recommend it for any HTTP-based security-sensitive service. This configuration authenticates the servers running the connector to your Exchange and SharePoint servers that use the connector. In addition, all data that is sent from these servers to the connector is encrypted.

To enable the RMS connector to use TLS, on each server that runs the RMS connector, install a server authentication certificate that contains the name that you will use for the connector. For example, if your RMS connector name that you defined in DNS is rmsconnector.contoso.com, deploy a server authentication certificate that contains rmsconnector.contoso.com in the certificate subject as the common name. Or, specify rmsconnector.contoso.com in the certificate alternative name as the DNS value. The certificate does not have to include the name of the server. Then in IIS, bind this certificate to the Default Web Site.

If you use the HTTPS option, ensure that all servers that run the connector have a valid server authentication certificate that chains to a root CA that your Exchange and SharePoint servers trust. In addition, if the certification authority (CA) that issued the certificates for the connector servers publishes a certificate revocation list (CRL), the Exchange and SharePoint servers must be able to download this CRL.

Tip
You can use the following information and resources to help you request and install a server authentication certificate, and to bind this certificate to the Default Web Site in IIS:

  • If you use Active Directory Certificate Services (AD CS) and an enterprise certification authority (CA) to deploy these server authentication certificates, you can duplicate and then use the Web Server certificate template. This certificate template uses Supplied in the request for the certificate subject name, which means that you can provide the FQDN of the RMS connector name for the certificate subject name or subject alternative name when you request the certificate.

  • If you use a stand-alone CA or purchase this certificate from another company, see Configuring Internet Server Certificates (IIS 7) in the Web Server (IIS) documentation library on TechNet.

  • To configure IIS to use the certificate, see Add a Binding to a Site (IIS 7) in the Web Server (IIS) documentation library on TechNet.
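The browser verification test from the installation tip, and the certificate requirements in the HTTPS section above, can be scripted as follows. This is an added example, not part of the original topic or of the RMS connector tooling; Test-RmsConnectorEndpoint is a hypothetical helper name and rmsconn01/rmsconn02 are constructed node names. Run it from an Exchange or SharePoint server so that certificate trust and CRL reachability are evaluated as that server sees them.

```powershell
# Added example: scripted form of the servercertification.asmx verification test.
# Test-RmsConnectorEndpoint is a hypothetical helper, not part of the RMS connector.
function Test-RmsConnectorEndpoint {
    param(
        [Parameter(Mandatory=$true)][string[]]$ConnectorAddress,
        [switch]$UseHttps,
        [int]$TimeoutSeconds = 15
    )
    $scheme = 'http'
    if ($UseHttps) { $scheme = 'https' }

    foreach ($address in $ConnectorAddress) {
        $url = "${scheme}://$address/_wmcs/certification/servercertification.asmx"
        $result = New-Object psobject -Property @{
            Url = $url; StatusCode = $null; PageFound = $false; Error = $null
        }
        try {
            # Certificate validation stays at the system default on purpose: a name
            # mismatch or an untrusted chain must show up as an error, not be bypassed.
            $request = [System.Net.WebRequest]::Create($url)
            $request.Timeout = $TimeoutSeconds * 1000
            $response = $request.GetResponse()
            try {
                $result.StatusCode = [int]$response.StatusCode
                $reader = New-Object System.IO.StreamReader($response.GetResponseStream())
                # The page says a successful connection shows this service name
                $result.PageFound = $reader.ReadToEnd() -match 'ServerCertificationWebService'
            }
            finally { $response.Close() }
        }
        catch {
            # Innermost message, for example a TLS validation or name resolution failure
            $result.Error = $_.Exception.GetBaseException().Message
        }
        $result | Select-Object Url, StatusCode, PageFound, Error
    }
}

# HTTPS check against the load-balanced connector name defined in DNS.
Test-RmsConnectorEndpoint -ConnectorAddress 'rmsconnector.contoso.com' -UseHttps | Format-List

# Per-node check over HTTP (constructed node names). The certificate does not have to
# contain the server's own name, so an HTTPS request to a node name can fail validation.
Test-RmsConnectorEndpoint -ConnectorAddress 'rmsconn01.contoso.com', 'rmsconn02.contoso.com' | Format-List
```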

If your connector server is installed in a network that does not have direct Internet connectivity and requires manual configuration of a web proxy server for outbound Internet access, you must configure the registry on the server for the RMS connector.

  1. On the server running the RMS connector, open a registry editor, such as Regedit.

  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AADRM\Connector

  3. Add the string value of ProxyAddress and then set the Data for this value to be http://<MyProxyDomainOrIPaddress>:<MyProxyPort>

    For example: http://proxyserver.contoso.com:8080

  4. Close the registry editor, and then restart the server or perform an IISReset command to restart IIS.

You can run the RMS connector administration tool from a computer that does not have the RMS connector if it meets the following requirements:

  • A physical or virtual computer running Windows Server 2012 or Windows Server 2012 R2 (all editions), Windows Server 2008 R2 or Windows Server 2008 R2 Service Pack 1 (all editions), Windows 8.1, Windows 8, or Windows 7.

  • At least 1 GB of RAM.

  • A minimum of 64 GB of disk space.

  • At least one network interface.

  • Access to the Internet via a firewall (or web proxy).

To install the RMS connector administration tool, run the following files:

  • For a 32-bit computer: RMSConnectorAdminToolSetup_x86.exe

  • For a 64-bit computer: RMSConnectorSetup.exe

If you haven’t already downloaded these files, you can do so from the Microsoft Download Center.

After you have installed and configured the RMS connector, you are ready to configure the on-premises servers to use the connector.

This configuration requires registry settings. To do this, you have two options:

 

Configuration option: Automatically by using the server configuration tool for Microsoft RMS connector

Advantages:

  • No direct editing of the registry. This is automated for you by using a script.

  • No need to run a Windows PowerShell cmdlet to obtain your Microsoft RMS URL.

  • The prerequisites are automatically checked for you (but not automatically remediated) if you run it locally.

Disadvantages:

  • When you run the tool, you must make a connection to a server that is already running the RMS connector.

Configuration option: Manually by editing the registry

Advantages:

  • No connectivity to a server running the RMS connector is required.

Disadvantages:

  • More administrative overheads that are error-prone.

  • You must obtain your Microsoft RMS URL, which requires you to run a Windows PowerShell command.

  • You must always make all the prerequisites checks yourself.

Important
In both cases, you must manually install any prerequisites and enable Information Rights Management (IRM) functionality on the servers.

For most customers, automatic configuration by using the server configuration tool for Microsoft RMS connector will be the better option, because it provides greater efficiency and reliability than manual configuration.

  1. If you haven’t already downloaded the script for the server configuration tool for Microsoft RMS connector (GenConnectorConfig.ps1), download it from the Microsoft Download Center.

  2. Save the GenConnectorConfig.ps1 file on the computer where you will run the tool. If you will run the tool locally, this must be the server that you want to configure. Otherwise, you can save it on any computer.

  3. Decide how to run the tool:

    • Locally: You can run the tool interactively, from the server to be configured. This is useful for a one-off configuration, such as a testing environment.

    • Software deployment: You can run the tool to produce registry files that you then deploy to one or more relevant servers by using a systems management application that supports software deployment, such as System Center Configuration Manager.

    • Group Policy: You can run the tool to produce a script that you give to an administrator who can create Group Policy objects for the servers to be configured. This script creates one Group Policy object for each server type to be configured, which the administrator can then assign to the relevant servers.

  4. Start Windows PowerShell with the Run as an administrator option, and use the Get-help command to read instructions about how to use the tool for your chosen configuration method:

    Get-help GenConnectorConfig.ps1 -detailed
    

When the tool runs, it prompts you to enter the URL of the RMS connector for your organization. Enter the protocol prefix (HTTP:// or HTTPS://) and the name of the connector that you defined in DNS for the load balanced address of your connector. For example, https://connector.contoso.com. The tool then uses that URL to contact the servers running the RMS connector and obtain other parameters that are used to create the required configurations.

Use the following sections for specific information for each service type:

Note
After a server is configured to use the connector, client applications that are installed locally on that server might not work with RMS. When this happens, it is because the applications try to use the connector rather than use RMS directly, which is not supported.

In addition, if Office 2010 is installed locally on an Exchange server, the client app’s IRM features might work from that computer after the server is configured to use the connector, but this is not supported.

In both scenarios, you must install the client applications on separate computers that are not configured to use the connector. They will then correctly use RMS directly.

To use the RMS connector, a server running Exchange must be running one of the following software versions:

  • Exchange Server 2013 with Exchange 2013 Cumulative Update 3

  • Exchange Server 2010 with Exchange 2010 Service Pack 3 Rollup Update 2

You will also need to install on the server a version of the RMS client that includes support for RMS Cryptographic Mode 2. The minimum version that is supported in Windows Server 2008 is included in the hotfix that you can download from RSA key length is increased to 2048 bits for AD RMS in Windows Server 2008 R2 and in Windows Server 2008. The minimum version for Windows Server 2008 R2 can be downloaded from RSA key length is increased to 2048 bits for AD RMS in Windows 7 or in Windows Server 2008 R2. Windows Server 2012 and Windows Server 2012 R2 natively support Cryptographic Mode 2.

Important
If these versions or later versions of Exchange and the RMS client are not installed, you will not be able to configure Exchange to use the connector. Check that these versions are installed before you continue.

  1. Do one of the following:

  2. Enable IRM functionality in Exchange. For more information, see Information Rights Management Procedures.

Use the tables in the following sections only if you want to manually add or check registry settings on the servers, which configures the servers to use the RMS connector. Instructions for when you use these tables:

  • MicrosoftRMSURL is your organization’s Microsoft RMS service URL. To find this value:

    1. Run the Get-AadrmConfiguration cmdlet for Azure RMS. If you haven’t already installed the Windows PowerShell module for Azure RMS, see Installing Windows PowerShell for Azure Rights Management.

    2. From the output, identify the LicensingIntranetDistributionPointUrl value.

      For example: LicensingIntranetDistributionPointUrl   : https://5c6bb73b-1038-4eec-863d-49bded473437.rms.na.aadrm.com/_wmcs/licensing

    3. From the value, remove /_wmcs/licensing from this string. The remaining string is your Microsoft RMS URL. In our example, the Microsoft RMS URL would be the following value:

      https://5c6bb73b-1038-4eec-863d-49bded473437.rms.na.aadrm.com

  • ConnectorFQDN is the name that you defined in DNS for the connector. For example, rmsconnector.contoso.com.

  • Use the HTTPS prefix for the connector URL if you have configured the connector to use HTTPS to communicate with your on-premises servers. For more information, see the Configuring the RMS connector to use HTTPS section in this topic. The Microsoft RMS URLs always use HTTPS.

 

Registry path: HKEY_LOCAL_MACHINE\Software\Microsoft\MSDRM\ServiceLocation\Activation
Type: Reg_SZ
Value: Default
Data: https://MicrosoftRMSURL/_wmcs/certification

Registry path: HKEY_LOCAL_MACHINE\Software\Microsoft\MSDRM\ServiceLocation\EnterprisePublishing
Type: Reg_SZ
Value: Default
Data: https://MicrosoftRMSURL/_wmcs/Licensing

Registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v15\IRM\CertificationServerRedirection
Type: Reg_SZ
Value: https://MicrosoftRMSURL/_wmcs/certification
Data: One of the following, depending on whether you are using HTTP or HTTPS from your Exchange server to the RMS connector:

  • http://ConnectorFQDN/_wmcs/certification

  • https://ConnectorFQDN/_wmcs/certification

Registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v15\IRM\LicenseServerRedirection
Type: Reg_SZ
Value: https://MicrosoftRMSURL/_wmcs/licensing
Data: One of the following, depending on whether you are using HTTP or HTTPS from your Exchange server to the RMS connector:

  • http://ConnectorFQDN/_wmcs/licensing

  • https://ConnectorFQDN/_wmcs/licensing

 

Registry path: HKEY_LOCAL_MACHINE\Software\Microsoft\MSDRM\ServiceLocation\Activation
Type: Reg_SZ
Value: Default
Data: https://MicrosoftRMSURL/_wmcs/certification

Registry path: HKEY_LOCAL_MACHINE\Software\Microsoft\MSDRM\ServiceLocation\EnterprisePublishing
Type: Reg_SZ
Value: Default
Data: https://MicrosoftRMSURL/_wmcs/Licensing

Registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v14\IRM\CertificationServerRedirection
Type: Reg_SZ
Value: https://MicrosoftRMSURL/_wmcs/certification
Data: One of the following, depending on whether you are using HTTP or HTTPS from your Exchange server to the RMS connector:

  • http://ConnectorFQDN/_wmcs/certification

  • https://ConnectorFQDN/_wmcs/certification

Registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v14\IRM\LicenseServerRedirection
Type: Reg_SZ
Value: https://MicrosoftRMSURL/_wmcs/licensing
Data: One of the following, depending on whether you are using HTTP or HTTPS from your Exchange server to the RMS connector:

  • http://ConnectorFQDN/_wmcs/licensing

  • https://ConnectorFQDN/_wmcs/licensing

To use the RMS connector, a server running SharePoint must be running one of the following software versions:

  • SharePoint Server 2013

  • SharePoint Server 2010

A SharePoint 2013 server must also be running the latest version of the MSIPC client version 2.1. You can download the latest MSIPC client from the Microsoft Download Center.

Warning
There are multiple versions of the MSIPC 2.1 client, so make sure to install the version referenced in the article from the Download Center. Or, install a later version of the client.

You can verify the client version by checking the version number of MSIPC.dll, which is located in \Program Files\Active Directory Rights Management Services Client 2.1. The properties dialog box should show version 1.0.622.34 or later.

A server running SharePoint 2010 must have installed a version of the MSDRM client that includes support for RMS Cryptographic Mode 2. The minimum version that is supported in Windows Server 2008 is included in the hotfix that you can download from RSA key length is increased to 2048 bits for AD RMS in Windows Server 2008 R2 and in Windows Server 2008, and the minimum version for Windows Server 2008 R2 can be downloaded from RSA key length is increased to 2048 bits for AD RMS in Windows 7 or in Windows Server 2008 R2. Windows Server 2012 and Windows Server 2012 R2 natively support Cryptographic Mode 2.

  1. Do one of the following:

  2. Enable IRM functionality in SharePoint. For more information, see Plan Information Rights Management (SharePoint Server 2010).

    When you follow these instructions, you must configure SharePoint to use the connector by specifying Use this RMS server, and then enter the connector URL that you configured. Enter the protocol prefix (HTTP:// or HTTPS://) and the name of the connector that you defined in DNS for the load balanced address of your connector. For example, https://connector.contoso.com.

    After IRM is enabled on a SharePoint farm, you can enable IRM on individual libraries by using the Information Rights Management option on the Library Settings page for each of the libraries.

    Important
    For SharePoint to access RMS by using the connector, you must authorize the corresponding accounts in the RMS connector administration tool. If you haven’t already done this, see Authorizing servers to use the RMS connector in this topic.

Use the table in the following section only if you want to manually add or check registry settings on a server that runs SharePoint 2013.

Instructions for when you use this table:

  • MicrosoftRMSURL is your organization’s Microsoft RMS service URL. To find this value:

    1. Run the Get-AadrmConfiguration cmdlet for Azure RMS. If you haven’t already installed the Windows PowerShell module for Azure RMS, see Installing Windows PowerShell for Azure Rights Management.

    2. From the output, identify the LicensingIntranetDistributionPointUrl value.

      For example: LicensingIntranetDistributionPointUrl   : https://5c6bb73b-1038-4eec-863d-49bded473437.rms.na.aadrm.com/_wmcs/licensing

    3. From the value, remove /_wmcs/licensing from this string. The remaining string is your Microsoft RMS URL. In our example, the Microsoft RMS URL would be the following value:

      https://5c6bb73b-1038-4eec-863d-49bded473437.rms.na.aadrm.com

  • ConnectorFQDN is the name that you defined in DNS for the connector. For example, rmsconnector.contoso.com.

  • Use the HTTPS prefix for the connector URL if you have configured the connector to use HTTPS to communicate with your on-premises servers. For more information, see the Configuring the RMS connector to use HTTPS section in this topic. The Microsoft RMS URLs always use HTTPS.

 

Registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSIPC\ServiceLocation\LicensingRedirection
Type: Reg_SZ
Value: https://MicrosoftRMSURL/_wmcs/licensing
Data: http://ConnectorFQDN/_wmcs/licensing

To use the RMS connector and File Classification Infrastructure to protect documents, the file server must be running one of the following operating systems:

  • Windows Server 2012 R2

  • Windows Server 2012

  1. Do one of the following:

  2. Create classification rules and file management tasks to protect documents with RMS policies. For more information, see File Server Resource Manager Overview in the Windows Server documentation library.

Use the table in the following section only if you want to manually add or check registry settings on a file server that uses the File Classification Infrastructure to protect documents.

Instructions for when you use this table:

  • MicrosoftRMSURL is your organization’s Microsoft RMS service URL. To find this value:

    1. Run the Get-AadrmConfiguration cmdlet for Azure RMS. If you haven’t already installed the Windows PowerShell module for Azure RMS, see Installing Windows PowerShell for Azure Rights Management.

    2. From the output, identify the LicensingIntranetDistributionPointUrl value.

      For example: LicensingIntranetDistributionPointUrl   : https://5c6bb73b-1038-4eec-863d-49bded473437.rms.na.aadrm.com/_wmcs/licensing

    3. From the value, remove /_wmcs/licensing from this string. The remaining string is your Microsoft RMS URL. In our example, the Microsoft RMS URL would be the following value:

      https://5c6bb73b-1038-4eec-863d-49bded473437.rms.na.aadrm.com

  • ConnectorFQDN is the name that you defined in DNS for the connector. For example, rmsconnector.contoso.com.

  • Use the HTTPS prefix for the connector URL if you have configured the connector to use HTTPS to communicate with your on-premises servers. For more information, see the Configuring the RMS connector to use HTTPS section in this topic. The Microsoft RMS URLs always use HTTPS.

 

Registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDRM\ServiceLocation\EnterprisePublishing
Type: Reg_SZ
Value: Default
Data: http://ConnectorFQDN/_wmcs/licensing
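The manual registry settings in the tables above (Exchange, SharePoint 2013, and file servers that use FCI) can be checked with a read-only script. The following is an added example, not part of the original topic or of GenConnectorConfig.ps1; the function names are hypothetical. It assumes that Default in the tables means the key's unnamed default value and that the https:// prefix is not doubled when MicrosoftRMSURL is substituted.

```powershell
# Added example: read-only audit of the connector registry settings in the tables above.
# Function names are hypothetical. Assumptions: "Default" means the key's unnamed default
# value, and MicrosoftRMSURL is substituted without doubling the https:// prefix.

function Get-MicrosoftRmsUrl {
    param([Parameter(Mandatory=$true)][string]$LicensingIntranetDistributionPointUrl)
    $uri = [uri]$LicensingIntranetDistributionPointUrl
    if ($uri.Scheme -ne 'https') { throw "Microsoft RMS URLs always use HTTPS: $uri" }
    if ($uri.AbsolutePath.TrimEnd('/') -ne '/_wmcs/licensing') {
        throw "Expected a URL ending in /_wmcs/licensing, got: $uri"
    }
    "https://$($uri.Host)"   # the value with /_wmcs/licensing removed
}

function Get-ExpectedConnectorSetting {
    param(
        [Parameter(Mandatory=$true)]
        [ValidateSet('Exchange2013','Exchange2010','SharePoint2013','FileServerFci')]
        [string]$ServerType,
        [Parameter(Mandatory=$true)][string]$MicrosoftRmsUrl,
        [Parameter(Mandatory=$true)][string]$ConnectorFqdn,
        [switch]$UseHttps
    )
    $scheme = 'http'
    if ($UseHttps) { $scheme = 'https' }
    $connector = "${scheme}://$ConnectorFqdn"
    $cert  = '/_wmcs/certification'
    $lic   = '/_wmcs/licensing'
    $msdrm = 'HKLM:\SOFTWARE\Microsoft\MSDRM\ServiceLocation'
    # One row per table entry: key path, value name ('' = default value), expected data
    $row = { param($p, $n, $d) New-Object psobject -Property @{ Path = $p; Name = $n; Data = $d } }

    if ($ServerType -like 'Exchange*') {
        $ver = 'v14'                                   # Exchange 2010 table
        if ($ServerType -eq 'Exchange2013') { $ver = 'v15' }
        $irm = "HKLM:\SOFTWARE\Microsoft\ExchangeServer\$ver\IRM"
        & $row "$msdrm\Activation" '' "$MicrosoftRmsUrl$cert"
        & $row "$msdrm\EnterprisePublishing" '' "$MicrosoftRmsUrl$lic"
        & $row "$irm\CertificationServerRedirection" "$MicrosoftRmsUrl$cert" "$connector$cert"
        & $row "$irm\LicenseServerRedirection" "$MicrosoftRmsUrl$lic" "$connector$lic"
    }
    elseif ($ServerType -eq 'SharePoint2013') {
        $key = 'HKLM:\SOFTWARE\Microsoft\MSIPC\ServiceLocation\LicensingRedirection'
        & $row $key "$MicrosoftRmsUrl$lic" "$connector$lic"
    }
    else {
        & $row "$msdrm\EnterprisePublishing" '' "$connector$lic"
    }
}

function Test-ConnectorSetting {
    param([Parameter(Mandatory=$true, ValueFromPipeline=$true)]$Expected)
    process {
        $actual = $null
        $key = Get-Item -LiteralPath $Expected.Path -ErrorAction SilentlyContinue
        if ($key) { $actual = $key.GetValue($Expected.Name, $null) }

        # String comparison is case-insensitive, so /Licensing and /licensing both match
        $status = 'OK'
        if ($null -eq $actual) { $status = 'Missing' }
        elseif ($actual -ne $Expected.Data) { $status = 'Mismatch' }

        $note = ''
        if ($actual -like 'http://*') { $note = 'Connector is reached over plain HTTP' }
        $name = $Expected.Name
        if ($name -eq '') { $name = '(Default)' }

        New-Object psobject -Property @{
            Status = $status; Path = $Expected.Path; Name = $name
            Expected = $Expected.Data; Actual = $actual; Note = $note
        } | Select-Object Status, Path, Name, Expected, Actual, Note
    }
}

# Sample input: the example values shown in this topic.
$lidp   = 'https://5c6bb73b-1038-4eec-863d-49bded473437.rms.na.aadrm.com/_wmcs/licensing'
$rmsUrl = Get-MicrosoftRmsUrl -LicensingIntranetDistributionPointUrl $lidp

Get-ExpectedConnectorSetting -ServerType Exchange2013 -MicrosoftRmsUrl $rmsUrl `
    -ConnectorFqdn 'rmsconnector.contoso.com' -UseHttps |
    Test-ConnectorSetting | Format-List
```

The script only reads the registry. A Missing or Mismatch row identifies a setting to correct by using the server configuration tool or the tables above.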

Now that the RMS connector is installed and configured, and your servers are configured to use it, users can protect and consume email messages, documents, and pictures. To make this easy for them, deploy the RMS sharing application. For more information, see Rights Management sharing application administrator guide.

In addition, you might consider the following to help you monitor the RMS connector and your organization’s usage of RMS:
