Integrate AD RMS with Office Online Server in SharePoint 2016

1. AD RMS installation

The AD RMS installation process is as follows; I installed it on the domain controller.

    The user who installs AD RMS must belong to the local Administrators group and the domain Enterprise Admins group. The domain Administrator account we are using here is a member of both groups by default. If you want to install AD RMS with another domain user account, add that account to both groups first.

  • Installation process: in Server Manager, select Add Roles and Features and check "Active Directory Rights Management Services".


  • In the next step, under the AD RMS role services, select "Active Directory Rights Management Server", then click Next.


  • Perform the additional configuration after the installation completes.


  • On the AD RMS configuration page, select Create a new AD RMS cluster.

  • Select Specify a database server and a database instance.


The following steps describe installing AD RMS on the OOS server instead (method 2):

  1. Select Join an existing AD RMS cluster; then, under the server location, select the server.

  2. For the object type select Computer and enter the SharePoint server name, as shown in Figure 6 below.

  3. Select the database.

  • Specify the service account.

  • In the next step, enter the password where it is requested.


  • Select the AD RMS cluster website.

  • Enter your IIS domain name as the fully qualified domain name of the cluster address.

  • Next.

  • Register now (the SCP registration step).

  • Continue clicking Next until the installation runs.

  • Reboot after the installation completes.


If problems occur during the installation, refer to the following guide:

https://social.technet.microsoft.com/wiki/contents/articles/13130.ad-rms-troubleshooting-guide.aspx


  • After a successful installation, the information bar on the left shows the following.


       After the installation completes, start the configuration. During configuration you need to specify an administrative account and create an account in AD. The RMS database can use the database server that SharePoint already uses, or you can choose a local database service. When configuring the address, specify an IIS address and port; if a domain name is bound, the DNS server needs a record resolving that name. The detailed configuration process is omitted here.

2. RMS and SharePoint integration

  • Go to Central Administration > Security > Configure Information Rights Management.


  • During configuration, you can select "Use the default RMS server specified in Active Directory", or select "Use this RMS server" and specify the RMS server's domain name manually.
  • If the following problem appears during configuration:

Locate the ServerCertification.asmx file under c:\inetpub\wwwroot\_wmcs\certification on the RMS server, then grant the SharePoint application pool account or the SharePoint server computer account "Read & execute" permission on it.


This error message was also encountered in 2010; you can set the access permissions of the RMS web service as follows:

Locate the ServerCertification.asmx file under the c:\inetpub\wwwroot\_wmcs\certification folder of the RMS server.

Note: if this folder does not exist, the configuration did not succeed; reconfigure.


Then grant the SharePoint application pool account (the administrator, in my case) and the AD RMS Service Group "Read & execute" permission.



Then go to Security > Advanced > Permissions and click Enable inheritance.


  • Add the SharePoint server computer account to the AD RMS Service Group.

Steps: click Add, under Object types select Computer, enter the SharePoint computer name, then confirm.


The Security tab after the permission editing is complete.


Find the AD RMS Service Group in AD and add the SharePoint server computer account and the SharePoint application pool account as members.


After the permission configuration is complete, verify that you have permission to view the service. The other configuration methods are almost the same; I copied them first from the Blog Garden (cnblogs) post and the screenshots of Janet's SharePoint configuration. The troublesome part is configuring the AD RMS and CertificationWebService authorization.

To test whether the permissions are configured correctly, open the address of the web service in a browser and enter a SharePoint account and password to see whether the web service page displays correctly.
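The file, ACL and group checks from this section, plus the manual browser test, can be scripted. This is an added example, not from the original post; the RMS URL, SharePoint computer name and application pool account are placeholders you replace with your own values.

```powershell
# Added check script, not from the original post; the values below are placeholders.
param(
    [ValidateSet('Rms', 'SharePoint')][string]$Role = 'Rms',
    [string]$RmsUrl           = 'https://rms.example.local',   # placeholder RMS cluster URL
    [string]$SharePointServer = 'SP2016',                      # placeholder computer name
    [string]$AppPoolAccount   = 'EXAMPLE\sp_apppool'           # placeholder app pool account
)
$Asmx = 'C:\inetpub\wwwroot\_wmcs\certification\ServerCertification.asmx'

# On the RMS server: show who holds Read & execute on the .asmx and warn when the
# SharePoint computer account, the app pool account or AD RMS Service Group has no ACE.
function Test-RmsCertificationAcl {
    $acl = Get-Acl -Path $Asmx
    $acl.Access | Where-Object { "$($_.FileSystemRights)" -match 'ReadAndExecute|FullControl' } |
        Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize
    $ids = @($acl.Access | ForEach-Object { $_.IdentityReference.Value })
    foreach ($needed in @(($SharePointServer + '$'), $AppPoolAccount, 'AD RMS Service Group')) {
        if (-not ($ids -match [regex]::Escape($needed))) {
            Write-Warning "No ACE for '$needed' on ServerCertification.asmx"
        }
    }
}

# On the RMS server: AD RMS Service Group is a local group (it appears in AD when RMS
# runs on a domain controller, as in the post); net localgroup resolves both cases.
function Test-RmsServiceGroupMembers {
    $members = (net localgroup 'AD RMS Service Group') -join "`n"
    foreach ($needed in @(($SharePointServer + '$'), $AppPoolAccount.Split('\')[-1])) {
        if ($members -notmatch [regex]::Escape($needed)) {
            Write-Warning "'$needed' is not a member of AD RMS Service Group"
        }
    }
}

# On the SharePoint server, logged on as the app pool account (the post's manual test):
# the service page must answer HTTP 200; 401/403 means the ACL or group membership is wrong.
function Test-RmsCertificationUrl {
    $url = "$RmsUrl/_wmcs/certification/ServerCertification.asmx"
    try {
        $r = Invoke-WebRequest -Uri $url -UseDefaultCredentials -UseBasicParsing
        Write-Host "$url -> HTTP $($r.StatusCode)"; return ($r.StatusCode -eq 200)
    } catch {
        Write-Warning "$url -> $($_.Exception.Message)"; return $false
    }
}

if ($Role -eq 'SharePoint') { [void](Test-RmsCertificationUrl) }
elseif (-not (Test-Path $Asmx)) { Write-Warning "$Asmx missing: AD RMS configuration did not complete" }
else { Test-RmsCertificationAcl; Test-RmsServiceGroupMembers }
```

Run it with `-Role Rms` on the RMS server and with `-Role SharePoint` from the SharePoint server; warnings point at exactly the ACE or group member this section says is missing.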


The various permission configuration issues are excerpted below:

1. "The required Windows Rights Management client is present, but the server has denied access. IRM will not run until the server grants permission." Errors like "XXXX mname$domain.com XXXX".

This error is caused by a permission setting problem. In AD, add the MOSS administrator (and the account that runs the MOSS site application pool) to the RMS service group, then grant the RMS service group permission on _wmcs\certification\ServerCertification.asmx.

Correction: in AD, add the MOSS administrator (the account that runs the MOSS site application pool) and the MOSS server (yes, the machine account!) to the RMS service group, then grant both the RMS service group and the MOSS server permission on _wmcs\certification\ServerCertification.asmx.

2. "An error occurred during the Send To > Download a Copy operation on the document: Exception from HRESULT: 0x80041056." And when the document is opened directly online, Word is blank (more precisely, a blank blue page).

This error occurs because the user currently logged in to MOSS does not have a correct mail attribute. It may also be that the user was imported into the SSP before the mail attribute was set in AD; the attribute was set later but has not been synchronized to the SSP.

3. When downloading the document, the download dialog does not appear for a long time, and Word also shows a download progress bar when the document is opened directly.

This happens because MOSS cannot reach the RMS server. Check the connectivity.

4. Opening the Word document online shows a blank page.

A friend in the group hit this error and later resolved and shared it: the IIS application pool used a local account, which cannot interact with RMS.

3. Document library integration

In the document library settings, click "Information Rights Management".

Check "Restrict permissions on this library on download", enter the policy title, and check the relevant configuration items.
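The same library settings can be applied with the SharePoint server-side object model, which also lets you read back what was saved. This is an added example, not from the original post; the site URL and the library title "Documents" are placeholders.

```powershell
# Added example, not from the original post; site URL and library title are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$web  = Get-SPWeb 'http://sp2016.example.local/sites/docs'   # placeholder site
$list = $web.Lists['Documents']                                 # placeholder library

# "Restrict permissions on this library on download" is SPList.IrmEnabled.
$list.IrmEnabled = $true
# Reject uploads of file types that IRM cannot protect.
$list.IrmReject  = $true

# The policy title and the viewer rights entered on the library's IRM page.
$irm = $list.InformationRightsManagementSettings
$irm.PolicyTitle       = 'Confidential - internal use only'
$irm.PolicyDescription = 'Downloaded copies stay bound to the SharePoint permissions'
$irm.AllowPrint        = $false   # viewers may not print
$irm.AllowWriteCopy    = $false   # viewers may not write on a downloaded copy
$list.Update()

# Read the settings back to confirm what was applied.
$list = $web.Lists['Documents']
[pscustomobject]@{
    Library     = $list.Title
    IrmEnabled  = $list.IrmEnabled
    PolicyTitle = $list.InformationRightsManagementSettings.PolicyTitle
    AllowPrint  = $list.InformationRightsManagementSettings.AllowPrint
}
$web.Dispose()
```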


When the document is opened in the Web App, its content can no longer be copied; PDF files support this directly as well.


Comparing the function menus before and after encryption, the "Edit Document" and "Comment" menus are gone, even though the current account has editing rights on the document. I don't understand this: do documents with IRM restrictions not support online editing?


When the "Download" button is clicked, the system shows an error. Although it is not very friendly, the function achieves the purpose of controlling downloads.


In the preview window I found that document preview does not support IRM documents, and I cannot figure out the reason (perhaps the preview mechanism uses caching, which conflicts with IRM permissions).


The headline feature of SharePoint 2013, SkyDrive Pro, is a tragedy here.


4. Problems

  • The documents mentioned above cannot be modified online or previewed, users with editing rights cannot download copies (this is not reasonable and needs to be verified in detail), and SkyDrive Pro cannot synchronize them.
  • SharePoint only sets up IRM at the document library level; the feature cannot be enabled per folder or per file, and I don't know why.
  • When a document is downloaded, SharePoint contacts the RMS server to attach the credential header to the document, and the document only carries the RMS credential for the current user's rights. So the document cannot be opened when it is forwarded to other users; they have to download it from the site themselves.
    For example, in the document library User A and User B both have view rights, but after A downloads the document and forwards it to B, B cannot open it, because at download time only A's credentials and permissions were appended to the file header. This is not really unreasonable; it is a matter of usage habits. If you need to forward a document, forward its SharePoint link, which is what Microsoft recommends.

5. Summary

Whether to enable IRM permission control in a document library must be weighed in detail against business needs. The main contradiction in IT has always been between ever-increasing security requirements and ease of use for ordinary users, so the specific functional trade-offs should be made carefully.
