Monday, 19 August 2013

Configuring Information Rights Management in SharePoint 2013

In this article, we will go through the steps of configuring Information Rights Management in SharePoint 2013.

I'm using Active Directory Rights Management Services (AD RMS), which is in a cluster, for the SharePoint 2013 server.

 
Overview of the demo environment I am using:
  • Contoso DC: DNS, Active Directory Domain Controller
  • Contoso IRM: Active Directory Rights Management Service A
  • Contoso CA: Active Directory Rights Management Service B
  • SQL01: Primary Replica SQL Server 2012
  • SQL02: Secondary Replica SQL Server 2012
  • SQLAAG01: Always on Availability Group 01
  • FIM01: SharePoint 2013 Server

To install and configure Rights Management Services and create a cluster, refer to this article, which has detailed information on how to do so.

To configure Information Rights Management, navigate to Central Administration > Security > Information Policy > Configure Information Rights Management.


This will display three options:

  • Do not use IRM on this server, which is the default value
  • Use the default RMS server specified in Active Directory (this information is present in AD Sites and Services)
  • Use this RMS server (you can specify the IRM website URL, which can be load balanced using Network Load Balancer or a hardware load balancer)



Select either "Use the default RMS server specified in Active Directory" or "Use this RMS server" with the RMS server URL.

Click OK.


Regardless of whether you select the second or third option, you must grant appropriate rights on ServerCertification.asmx; otherwise SharePoint won't be able to detect or accept the URL.

This file can be found under Inetpub > wwwroot > WebsiteName > _wmcs > Certification.

If your IRM is in a cluster, you will have to perform the permission steps for both of the files in the IIS websites that are part of your cluster.

For demo purposes, I have granted Read and Execute permissions to the Farm account and Everyone.
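The permission step above can also be scripted. The following is an added example, not part of the original article: it grants Read and Execute on ServerCertification.asmx to the farm account only, then prints the resulting ACL so that any broader entry (such as Everyone) is visible for review. The website name and the account name `CONTOSO\sp_farm` are placeholders.

```powershell
# Added example. Run from an elevated prompt on each AD RMS cluster node.
# $WebsiteName and $FarmAccount are placeholders for your environment.
$WebsiteName = 'WebsiteName'
$FarmAccount = 'CONTOSO\sp_farm'   # assumed name of the SharePoint farm account

$asmx = Join-Path $env:SystemDrive `
    "Inetpub\wwwroot\$WebsiteName\_wmcs\Certification\ServerCertification.asmx"

if (-not (Test-Path -Path $asmx)) {
    throw "ServerCertification.asmx not found at $asmx"
}

# Add an explicit Allow entry for the farm account; existing entries are kept.
$acl  = Get-Acl -Path $asmx
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $FarmAccount, 'ReadAndExecute', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $asmx -AclObject $acl

# Show who can now reach the certification endpoint file.
(Get-Acl -Path $asmx).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```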




Information Rights Management can be applied at the Library or List level. There is no option to set this up at the Web Application, Site Collection or Site level.

You can use PowerShell commands to enable IRM for all Libraries or Lists at the Web Application, Site Collection or Site level, but this has to be planned according to which sites require IRM policies.
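As an added example (not from the original article), the script below shows one way to do this for a single site collection using the server object model properties `IrmEnabled` and `IrmReject` on `SPList`. It assumes farm-level IRM is already configured as described above; the function name `Set-LibraryIrm` and the site URL are placeholders. Run with `-WhatIf`, it only reports the current IRM state of each document library, which helps with the planning step.

```powershell
# Added example. Run in the SharePoint 2013 Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Set-LibraryIrm {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$SiteUrl,
        # Maps to "Do not allow users to upload documents that do not support IRM".
        [switch]$RejectUnsupportedFiles
    )

    $site = Get-SPSite -Identity $SiteUrl
    try {
        foreach ($web in $site.AllWebs) {
            try {
                # Copy the collection first: updating a list while enumerating throws.
                $libraries = @($web.Lists | Where-Object {
                    $_.BaseType -eq 'DocumentLibrary' -and -not $_.Hidden
                })
                foreach ($list in $libraries) {
                    $before = $list.IrmEnabled
                    $target = "$($web.Url)/$($list.Title)"
                    if (-not $before -and $PSCmdlet.ShouldProcess($target, 'Enable IRM')) {
                        $list.IrmEnabled = $true
                        $list.IrmReject  = [bool]$RejectUnsupportedFiles
                        $list.Update()
                    }
                    # One row per library: state before and after this run.
                    [pscustomobject]@{
                        Web       = $web.Url
                        Library   = $list.Title
                        IrmBefore = $before
                        IrmNow    = $list.IrmEnabled
                    }
                }
            }
            finally { $web.Dispose() }
        }
    }
    finally { $site.Dispose() }
}

# Placeholder URL. -WhatIf makes this an audit-only run; remove it to apply.
Set-LibraryIrm -SiteUrl 'https://sharepoint.example.test/sites/finance' -WhatIf
```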


To enable Information Rights Management, navigate to the respective document library and go to the document library settings.

Under Permissions and Management, click Information Rights Management.



This will present a number of options, and based on what you need you can do the following:

  • Create a permission policy and apply it
  • Restrict users from uploading documents
  • Set an expiry date for the access restriction policy
  • Prevent users from opening the document in the browser
  • Restrict viewers from printing
  • Restrict users from writing to a downloaded copy of the document
  • Set an access rights expiry date for a downloaded document
  • Require login credentials to be validated again after a certain period for a downloaded document

All of this needs to be planned around what you want to achieve, based on the compliance policy you may have in your organization. The policy definition may be a corporate policy for confidential documents defined by the Information Security Officer, or it may come from your business or client needs.

This is a good way of protecting the information, but IRM doesn't provide any encryption or decryption of the document based on encoded keys.

10 comments:

  1. Spot on with this write-up, I honestly believe that this site needs much more attention.

    I'll probably be back again to read through more, thanks
    for the information!

  2. Appreciating the time and energy you put into your website and in depth information you
    provide. It's good to come across a blog every once in a while that isn't
    the same outdated rehashed material. Wonderful read! I've bookmarked your site and I'm including your RSS
    feeds to my Google account.

  3. Is this the same if you are using Azure RMS? I have an Azure RMS connector machine with the same _wmcs structure in IIS and have set all the permissions, but still get a password prompt even after adding the everyone group to the permissions. When enabling IRM in SharePoint Admin I get the "The required Active Directory Rights Management Service Client (MSIPC.DLL) is present but could not be configured properly. IRM will not work until the client is configured properly."

    Replies
    1. Fixed this by authorizing the service accounts as well as the SharePoint 2013 host in the Azure AD Connector Admin tool. Then also removing an old AD record for AD RMS that was tested at one point in this environment. After removing the entry with ADSIedit, then replicated to all DCs, the IRM could be enabled at the server level, when we pointed it at the connector machine.

  4. I still have the problem in my lab
    "The required Active Directory Rights Management Service Client (MSIPC.DLL) is present but could not be configured properly. IRM will not work until the client is configured properly"

  5. Why do we need RX permissions for EVERYONE?

  6. All works perfectly, but when I check "do not allow users to upload documents that do not support IRM" and I try to upload a .docx or .xls document, it fails. What am I missing here? Locally I can assign the protect template to the documents, but I want that when the user uploads any Office document into the IRM-enabled library in SharePoint, it immediately takes the protection.

  7. Really enjoyed reading your post, big thanks to you for sharing such great information. Active Directory Management Services
