Ilse Van Criekinge's Weblog

Addicted to Microsoft Unified Communications

Configuring AD RMS and Exchange 2010 Sp1 Beta

Configuring AD RMS and Exchange 2010 Sp1 Beta

  • Comments 2
  • Likes

With the release of Exchange 2010 Sp1 Beta, I was eager to find out what has changed when it boils down to the integration between Exchange 2010 and Active Directory Rights Management Server.

As stated on The Microsoft Exchange Team Blog, in their “Yes Virginia, there is an Exchange Server 2010 SP1” blog post, there are at least two new IRM-related features:

  • Web-Ready Document Viewing of IRM-protected documents
  • smoother IRM support in EAS, enabling you to send and receive IRM-protected mail without having previously connected your device to Windows Mobile Device Center to provision IRM

Eager to find out, time to configure an Exchange 2010 Sp1 Beta (Single Forest) environment for IRM :-)

Step 1. Deploy IRM

I’ve chosen to deploy the Rights Management Server role on a Windows 2008 R2 member server in my environment.

Pic0588

Step 2. Configure Exchange 2010 Sp1 Beta

After deploying the RMS role, nothing will work, until you configure Exchange. A very useful Exchange Management Shell cmdlet that is available for you to test your progress is Test-IRMConfiguration! Before doing any configuration this is the output:

Pic0589

As can be seen in the output, Exchange is able to retrieve by using the Service Connection Point, the URL it has to use to connect to the RMS server…

Pic0124

but that Exchange is unable to acquire a server box RAC (Rights Account Certificate), with an error status of 401: Unauthorized.

Step 2.1  Grant the necessary permissions on the certification pipeline

As described here: http://technet.microsoft.com/en-us/library/ee849850(WS.10).aspx

By default, only the local system account has permission to access the Active Directory Rights Management Services (AD RMS) server certification pipeline (ServerCertification.asmx). IRM features in Exchange 2010 require that Exchange servers and the AD RMS Services Group be granted permissions to read and execute this file on all servers in the AD RMS cluster

Pic0590

 

Pic0591

Pic0592

Check the solution, by running Test-IRMConfiguration again :-)

Pic0593

Overall Result now is = PASS with warnings on disabled features.

Looking at the error message, it is clear what needs to be done, namely “Please make sure that the account “FederatedEmail….” representing Exchange Servers Group is granted Super User privileges on the Active Directory Rights Management Services server”

Looking at the same URL provided above, it is defined as the third step to configure Exchange 2010 and RTM:

Give Exchange servers the ability to decrypt protected messages and attachments by configuring the AD RMS super users group. The AD RMS super user group is a special group that has full control over all rights-protected content managed by the cluster. Its members are granted full owner rights in all use licenses that are issued by the AD RMS cluster on which the super users group is configured. This means that members of this group can decrypt any rights-protected content file and remove rights-protection from it. To configure the super users group for Exchange 2010, you add the Federated Delivery Mailbox user account to a group in the same forest as the AD RMS installation and then enable the super users group on the AD RMS cluster.

Step 2.2 Configuration of AD RMS Super Users group

First, let’s create a mail-enabled universal distribution or universal security group, and add the given FederatedEmail* user as a member.

Pic0594

 

Then, enable the Super Users group feature using the AD RMS management tool:

Pic0595

In the Actions pane, select Enable Super Users….

 Pic0596

Then in the Middle Pane, you can select Change super user group…

 Pic0597

Browse to find the just create RMS_Super_Users universal distribution group…

 Pic0598

And it’s done :-)

 Pic0599

THIS MIGHT TAKE ABOUT 24 HOURS BEFORE TAKING EFFECT!!!!! (source = http://technet.microsoft.com/en-us/library/cc720274(WS.10).aspx)

Step 2.3. Enable Internal Licensing

Another step you need to take is, to enable Internal Licensing…

Pic0601

 Pic0602

 Pic0603

Step 2.4. Check if IRM is enabled for the OWA Virtual Directory!

 Pic0605

Step 3. Check one new feature…Web-Ready Document Viewing of IRM-protected documents

Using OWA I’ll send an email to user1, protect it using the built-in RMS template Do Not Forward, and attach a PowerPoint deck to my mail.

 Pic0606

 Pic0607

 Pic0608

And it works :-) Open as Web Page is available :-)

 Pic0692

Ilse

Comments
  • Beat me too it, I was actually starting to setup RM two nights ago but go side track, had planned to blog about it, but this was still helpful since I haven't started setting up the exchange portion.

  • Very cool to see you got this working!  We've added some other fun supportability features in SP1 which will make it easier to diagnose issues.  Stay tuned for a blog post on it.

    -- Ed Banti

    Exchange PM for IRM Integration

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment