Monday 19 August 2013

Configuring Information Rights Management in SharePoint 2013

In this article, we will go through the steps of configuring Information Rights Management in SharePoint 2013.

I'm using Active Directory Rights Management Service which is in a cluster for the SharePoint 2013 server.

 
Overview of the demo environment I am using.
  • Contoso DC: DNS, Active Directory Domain Controller
  • Contoso IRM: Active Directory Rights Management Service A
  • Contoso CA: Active Directory Rights Management Service B
  • SQL01: Primary Replica SQL Server 2012
  • SQL02: Secondary Replica SQL Server 2012
  • SQLAAG01: Always on Availability Group 01
  • FIM01: SharePoint 2013 Server

To install and Configure Rights Management Service and create a cluster, refer to this article which has got the detailed information on how to do do.

To configure Information Rights Management, navigate to Central Administration > Security
Information Policy > Configure Information Rights Management


This will display three options

  • Don not use IRM on this server which is the default value
  • Use the default RMS server specified in Active Directory ( The information of this is present in AD Sites and Services)
  • Use this RMS Server ( you can specify the IRM website URL which can be load balanced using Network Load Balancer or Hardware Load Balancer)



Select use the default RMS Server specified in Active Directory or RMS Server URL

Click Ok


Regardless of whether you select 2nd or 3rd option, you will have to make sure you have given appropriate rights to ServerCertification.asmx or it won't be able to detect or accept the URL.

This can be found under the  Inetpub > wwwrot > WebsiteName > _wmcs > Certification

If your IRM is in a cluster you will have to perform the permission steps for both the files in the IIS websites which are part of your cluster.

For the demo purpose I have granted read and execute permissions to the Farm account and Everyone.




The information rights management can be applied at Library or List level. There is no option to set this up at Web Applicaiton or Site Collection or Site Level.

Though you can use Powershell command to enable IRM at Web App or Site Collection or Site Level for all Libraries or Lists but this has to be planned for what site requires IRM policies


To Enable Information Rights Management , navigate to respective document library and go to the document library settings

Under Permissions and Management, Click on Information Rights Management



This will present bunch of options based on what you need and you can perform the following

  • Create a Permission Policy and Apply it
  • Can restrict users from uploading documents
  • Can Restriction Access Polixy Expiry Date
  • Prevent Users from opening the document in the browser
  • Restrict viewers from printing
  • Restrict users from writing to a downloaded copy of the document
  • Set Access rights expiry date for a downloaded document
  • Set restriction on validating login credentials after a certian period for a downloaded document

All this needs to be planned on what you want to achieve based on your requirement to meet the compliance policy you may have in your organization. The policy definition may be a corporate policy for confidential documents defined by Information Security Officer or your business or client needs.

This is a good way of protecting the information but IRM doesn't provide any encryption or decryption of the document based on encoded keys.
Posted by at 20 comments:

Sunday 11 August 2013

Installing and Configuring Active Directory Rights Management Service in a Cluster on Windows Server 2012

In this article, I will cover the installation and configuration of Active Directory Information Rights Management Service as a cluster on Windows Server 2012 with databases on SQL Server Always on Group on SQL Server 2012.

This is a prep work for configuring the Information Rights Management for SharePoint 2013 which I will cover later.

Overview of the demo environment I am using.

  • Contoso DC: DNS, Active Directory Domain Controller
  • Contoso IRM: Active Directory Rights Management Service A
  • Contoso CA: Active Directory Rights Management Service B
  • SQL01: Primary Replica SQL Server 2012
  • SQL02: Secondary Replica SQL Server 2012
  • SQLAAG01: Always on Availability Group 01
  • FIM01: SharePoint 2013 Server



Installation and Configuration of AD RMS on the First Server and configuring the Cluster:

I will start with the 
  • Installation of Active Directory Rights Management Service on the first server i.e ContosoIRM
  • Configuriation of the Additional Steps and creating the cluster

Launch the Server Manager , Click on Add Roles and Features




Click on Next


Click on Next 

Select the Server, Click Next 


Select Active Directory Rights Management Services, Click Next


 Click Next 


Click Next 


Select AD RMS  , Click Next 


Click Install to Start the Installation Process.


Installation may consume around 15 minutes or less


Installation Complete, Click on Close


In the Server Manager, Click on the Falg to Perform the Additional Configuration 


Click on Next

Select Create a new AD RMS root cluster, Click Next


In this scenerio , I am using Always on Availability Group, Click on Specify a Database Server and a Database Instance

I have specified the AAG name  and Selectthe Database Instance

Click Next


Specify the Service Account that has access to the Database Server


 I have gone with the Cryptographic Mode 2 option, click Next


Its good to have a centrally managed key storage but depending upon the required select what you need 


Specify the Cluster Key Password, this will be used while joining the AD RMS Server B in the cluster


Select the Web Site , I have already named the website as ContosoIRM

You can pre-configure the website with DNS Host entry


I will go with http instead of https though the screenshot is for https 


Name the server Licensor Certificate 

This is an important step to register the SCP , I will register it via the configuration wizard. If you have already attempted to install AD RMS on the same server, you will have to delete the RMS from AD Sites and Services to install it again


Click Install to Configure it. Note if you use https the databases will have 443 in the suffix of the database names. 

Click Install to proceed


This may consume again upto 15 minutes


Installation Complete


Now log off and log in back

Launch the Active Directory Rights Management Services  from the metro menu


Here we go the Cluster is configured


Following 3 databases have been created in Always On Group primary replica, I will add the the databases in AAG group later. As I am using http all databases have 80 in the suffix.



 2) Installation and Configuration of AD RMS on Server B i.e. ContosoCA

Launch the Server Manager
Install the Active Directory Rights Management Services as covered above.
Once installed, Click on the Flag in Server Manager to perform Additional Configuration Steps , I will cover the steps from here.

Click on Perform Additional Configuration
 


This launches the Configuration Wizard for AD RMS, Click Next


Select Join an existing AD RMS Cluster, Click Next


Specify the Database Server Name , in my case Iwill provide the Always on Availabilty Group name click on Select 
Select Default Instance from the List

It should pick up the Configuration Database name, if not click on the drop down to select the Config database name

 Click Next


Specify the same Cluster Key which was used while creating the Cluster i.e. centrally managed key

Click Next

Specify the database service account by clicking on Specify 


Now that I have specified the Service Account details , Click Next


Select the website, you can pre-configuring by creating a blank website with fqdn and bindings. This is important if you want to load balance the AD RMS website.

 You can do this by using Microsoft NLB for POC purpose but in real world you would want to use Hardware Load Balancer like F5 or Barracuda to achieve load balancer I won't get into the details of this here as there are good articles which cover the same somewhere else.

In this scenario I'm selecting the default website I created, Click Next.



Click on Install to start the Installation and Configuration


The installation is complete now


Log off and Log in Back, Launch AD RMS






The installation and  configuration of the AD RMS is completed and we created the cluster as well all on Windows 2012 and databases highly available on SQL Server 2012 Always on Group.

There is more to AD RMS i.e. Trust Policies , User Execution, Security policies, policy templates etc. This article is just to illustrate the installation of AD RMS and configuration of the cluster for demo purpose. For more information please refer to the relevant tech net article.

I will configure AD RMS for SharePoint 2013 ad will cover this in some other article.



Posted by at 9 comments:
Subscribe to: Posts (Atom)