
12 September, 2012

Integrating AD RMS and SharePoint

If SharePoint is set up to store documents that are already IRM-protected, that is, documents that carry their protection inside the file, those documents become unsearchable: their contents are encrypted, so they cannot be tagged or indexed. With AD RMS integrated into SharePoint 2007 this is no longer the case, because the IRM policy is applied only when a document is downloaded. The documents are stored unencrypted in the libraries, so they can be indexed and later searched.

With SharePoint, IRM protection is available for files located in document libraries. SharePoint uses the access control list (ACL) on the library or list to determine the permissions it applies to a document for the user who downloads it. When SharePoint is integrated with AD RMS, the protection options include the following:
·         Whether or not users can print documents that are rights managed.
·         Whether the user can run Microsoft Visual Basic for Applications (VBA) and other custom code in the file.
·         The number of days for which the license is valid; after the specified number of days, the license expires and the user must download the file again from the document library.
·         Whether to let users upload file types that do not support IRM.
·         Optionally, the date to stop restricting permissions to the document library; after the specified date passes, Office SharePoint Server removes all rights-management restrictions from the documents in the library.
There are basically three simple steps to integrate AD RMS with SharePoint 2007, as follows:
(Note: Windows Server 2008 already includes the AD RMS client, so unlike Windows Server 2003 there is no need to install a separate Windows RMS client.)

Add permissions for the SharePoint server to the AD RMS certification pipeline
·         Log on to the AD RMS server as a local administrator
·         Click Start, and then click Computer
·         Navigate to c:\Inetpub\wwwroot\_wmcs\Certification
·         Right-click ServerCertification.asmx, click Properties, and then click the Security tab
·         Click Advanced, click Edit, select the Include inheritable permissions from this object's parent check box, and then click OK two times
·         Click Edit
·         Click Add
·         Click Object Types, select the Computers check box, and then click OK
·         Type the name of the SharePoint web front-end server, and then click OK twice.
·         Repeat the above three steps for other web front-end servers
·         Click OK to close the ServerCertification.asmx Properties sheet. The added computer accounts receive the default Read & Execute and Read permissions, which is all the SharePoint servers need on this file
·         Reset IIS (iisreset) so that the certification web service picks up the new ACL
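The same change scripted, as an added example that is not part of the original post: it grants each SharePoint web front-end computer account Read & Execute on ServerCertification.asmx on the AD RMS server, re-enables inheritance from the parent folder, verifies the resulting entries and resets IIS. The domain name and front-end server names are assumptions; run it in an elevated PowerShell session on the AD RMS server.

```powershell
# Added example, not code from the original post.
# Assumptions: domain CONTOSO and front-end computer names SPWFE01/SPWFE02.
$certPipeline = 'C:\inetpub\wwwroot\_wmcs\Certification\ServerCertification.asmx'
$domain       = 'CONTOSO'                 # assumption
$frontEnds    = 'SPWFE01', 'SPWFE02'      # assumption: SharePoint web front-end computer names

# Computer accounts are named with a trailing $; single quotes keep PowerShell from expanding it.
function Get-ComputerAccountName([string]$Domain, [string]$Computer) {
    return ('{0}\{1}$' -f $Domain, $Computer)
}

$acl = Get-Acl -Path $certPipeline
# Equivalent of the "Include inheritable permissions from this object's parent" check box:
# $false = do not block inheritance, $true = keep the explicit entries already on the file.
$acl.SetAccessRuleProtection($false, $true)

foreach ($wfe in $frontEnds) {
    $account = Get-ComputerAccountName -Domain $domain -Computer $wfe
    # ReadAndExecute is the "Read & Execute" box in the GUI; it already implies "Read".
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $account,
        [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $certPipeline -AclObject $acl

# Verify: every front-end computer account must now have an Allow entry covering ReadAndExecute.
function Test-CertificationPipelineAccess([string]$Path, [string]$Account) {
    $wanted = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $entry = (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $wanted) -eq $wanted)
    }
    return [bool]$entry
}

foreach ($wfe in $frontEnds) {
    $account = Get-ComputerAccountName -Domain $domain -Computer $wfe
    if (Test-CertificationPipelineAccess -Path $certPipeline -Account $account) {
        "OK      $account has Read & Execute on ServerCertification.asmx"
    } else {
        Write-Warning "MISSING $account - SharePoint on $wfe will not be able to use the certification pipeline"
    }
}

# The certification web service reads the ACL when it starts, so restart IIS for the change to apply.
iisreset
```

The verification loop is worth keeping in a change record: a front-end that is missing from this ACL fails silently from the user's point of view (documents simply download without protection being applied), so checking the file ACL is the quickest way to confirm this step.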

Specify RMS server location in SharePoint using Central Administration
·         Open SharePoint 3.0 Central Administration site
·         Click Operations, and then click Information Rights Management
·         Select Use the default RMS server specified in Active Directory.
·         Click OK

[Screenshot: the Information Rights Management page in Central Administration before installation of the Windows Rights Management Services Client]

[Screenshot: the same page after installation of the Windows Rights Management Services Client]

Note: Ensure that the Windows Rights Management Services Client (WindowsRightsManagementServicesSP2-KB917275-Client-ENU-X64.exe) is installed on the server; the Information Rights Management page looks different before and after the client is installed, as the two screenshots show. It is a small installation and takes little time. It is included by default with Windows Server 2008.

Enable IRM policy to control access to the contents of a document library
1.       Open a SharePoint site and go to the document library where we want to enable the IRM policy
2.       Click Settings, and then click Document Library Settings
3.       Under Permissions and Management, click Information Rights Management
4.       Select the Restrict permission to documents in this library on download check box
5.       In the Permissions policy title box, type in the policy title
6.       In the Permission policy description box, type in the policy description
7.       Click OK
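The SharePoint side of the procedure (the farm-wide RMS server setting and the library IRM policy, including the print, VBA and licence-expiry options listed earlier) scripted against the SharePoint 2007 server object model from PowerShell, as an added example that is not part of the original post. SharePoint 2007 ships no PowerShell cmdlets, so the script loads Microsoft.SharePoint directly. The site URL, library name and policy text are assumptions, and the IRM member names used here (SPIrmSettings.IrmRMSEnabled/IrmRMSUseAD, SPList.IrmEnabled/IrmReject and InformationRightsManagementSettings) are cited from memory of the WSS 3.0 SDK, so verify them against the SDK before relying on this. Run it on a web front-end as a farm administrator.

```powershell
# Added example, not code from the original post.
# Assumptions: site URL, library name and policy text; IRM member names are from memory
# of the WSS 3.0 SDK and should be verified against it.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SharePoint')

function Set-FarmIrmUseAdRmsServer {
    # Equivalent of Central Administration > Operations > Information Rights Management >
    # "Use the default RMS server specified in Active Directory".
    $content = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
    $content.IrmSettings.IrmRMSEnabled = $true   # turn IRM on for the farm
    $content.IrmSettings.IrmRMSUseAD   = $true   # find the RMS cluster via its AD service connection point
    $content.Update()
}

function Set-LibraryIrmPolicy {
    param(
        [string]$SiteUrl, [string]$LibraryName,
        [string]$Title, [string]$Description,
        [int]$LicenseDays = 0    # 0 = licence never expires; otherwise re-download after this many days
    )
    $site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
    try {
        $web = $site.OpenWeb()
        try {
            $list = $web.Lists[$LibraryName]
            # "Restrict permission to documents in this library on download"
            $list.IrmEnabled = $true
            # Reject file types that IRM cannot protect; otherwise they would sit unprotected
            # in a library that users believe is rights-managed.
            $list.IrmReject = $true
            $irm = $list.InformationRightsManagementSettings
            $irm.PolicyTitle       = $Title
            $irm.PolicyDescription = $Description
            $irm.AllowPrint  = $false   # users may not print downloaded copies
            $irm.AllowScript = $false   # no VBA or other custom code in the file
            if ($LicenseDays -gt 0) {
                $irm.EnableDocumentAccessExpire = $true
                $irm.DocumentAccessExpireDays   = $LicenseDays
            }
            $list.Update()
        } finally { $web.Dispose() }
    } finally { $site.Dispose() }
}

function Get-LibraryIrmSummary {
    # Read the settings back so the change can be confirmed and recorded.
    param([string]$SiteUrl, [string]$LibraryName)
    $site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
    try {
        $web = $site.OpenWeb()
        try {
            $list = $web.Lists[$LibraryName]
            $irm  = $list.InformationRightsManagementSettings
            New-Object PSObject -Property @{
                Library        = $list.Title
                IrmEnabled     = $list.IrmEnabled
                RejectNonIrm   = $list.IrmReject
                PolicyTitle    = $irm.PolicyTitle
                AllowPrint     = $irm.AllowPrint
                AllowScript    = $irm.AllowScript
                LicenseExpires = $irm.EnableDocumentAccessExpire
                LicenseDays    = $irm.DocumentAccessExpireDays
            }
        } finally { $web.Dispose() }
    } finally { $site.Dispose() }
}

Set-FarmIrmUseAdRmsServer
Set-LibraryIrmPolicy -SiteUrl 'http://sharepoint.contoso.com' -LibraryName 'Contracts' `
    -Title 'Contracts - Confidential' -Description 'Rights follow your permissions on this library.' `
    -LicenseDays 30
Get-LibraryIrmSummary -SiteUrl 'http://sharepoint.contoso.com' -LibraryName 'Contracts' | Format-List
```

Disposing SPSite and SPWeb in finally blocks matters in SharePoint 2007 scripts: each undisposed object holds a content database connection, and a script run repeatedly against many libraries will exhaust them.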

SharePoint will now automatically apply AD RMS rights to a document when it is downloaded from the document library. These rights are determined by the user's permissions on that library. For example, a user who has only Read permission will not be able to modify the document after downloading it from the library.

Note: When documents that were already AD RMS-protected outside SharePoint are uploaded to a library with an IRM policy enabled, the original protection stays in force and supersedes the library policy when users download or open those documents. AD RMS protection is end-to-end, so SharePoint cannot decrypt documents protected outside its environment; it therefore can neither apply the library's IRM policy to them nor, since their contents remain encrypted, index them for search.