If you would like to read the other parts in this article series please go to
Windows Rights Management Services (also known as Rights Management Services, Active Directory Rights Management Services or simply RMS) is a form of Information Rights Management used on Microsoft Windows that uses encryption and a form of selective functionality denial to limit access to information, such as e-mails or Word documents, and to enforce what operations authorized users can perform on it.
Users can use this technology to encrypt information stored in such document formats, and through policies embedded in these, prevent the protected content from being decrypted except by specified people or groups, under certain conditions, and even for certain periods of time. Specific operations such as printing, copying, editing, forwarding and deleting can be allowed or disallowed by the author.
Rights Management Server first debuted in 2005 as an add-on to Windows Server 2003, with client API libraries made available for Windows XP and Windows 2000. With Windows Server 2008, it was renamed to Active Directory Rights Management Services [ADRMS], reflecting its higher level of integration with AD.
The next big “upgrade” was in July 2013 when Microsoft released a preview of Azure Rights Management which allows organizations to protect their data in Office 365. Azure RMS is included with E3, E4, A3 and A4 plans at no additional cost, or it can be purchased as a standalone subscription.
For organizations that are in the process of migrating to Office 365 there is a feature called RMS connector that enables protected content to work with an organization’s online services as well as on-premises servers.
Overview of Rights Management connector
The RMS connector lets administrators enable existing on-premises servers, such as Exchange, SharePoint or even file servers running Windows Server, to use their Information Rights Management [IRM] functionality with the cloud-based RMS. With this functionality, IT and users can easily protect information both inside and outside the organization, without having to install additional infrastructure or establish trust relationships with other organizations.
The RMS connector is a small-footprint service that is installed on-premises on servers that run Windows Server 2008 R2, 2012 or 2012 R2. Once installed and configured, it acts as a communications interface (a relay) between the on-premises IRM-enabled servers and the cloud service:
Figure 1.1: RMS Connector Overview
At the time of writing this article, the RMS connector supports the following products:
- Exchange Server 2013 (what we will use for this article);
- Exchange Server 2010;
- SharePoint Server 2013;
- SharePoint Server 2010;
- File servers running Windows Server 2012 or 2012 R2 and that use File Classification Infrastructure [FCI] to classify and apply policies to documents in a folder.
In this article series we will go through the following steps:
- Installing RMS Connector;
- Configuring RMS Connector;
- Configuring Exchange 2013 to use the RMS Connector;
- Protecting information.
Installing RMS Connector
Before we can install the RMS connector, we must first ensure we meet its prerequisites:
- Create an Office 365 tenant or a Microsoft RMS tenant:
  - Sign up for an Office 365 Enterprise tenant (remember this is available in E3, E4, A3 and A4 plans at no additional cost) and enable Rights Management:
    - Create an Office 365 tenant if you do not already have one;
    - Log in to https://portal.microsoftonline.com;
    - Go to service settings, and click rights management:
      Figure 1.2: Office 365 Rights Management Pane
    - Click Manage:
      Figure 1.3: Office 365 Rights Management
    - Click activate:
      Figure 1.4: Activating Office 365 Rights Management
    - Click activate again:
      Figure 1.5: Confirming Office 365 Rights Management Activation
  - Alternatively, you can sign up for Microsoft RMS stand-alone:
    Note that if you already have an Azure AD tenant that you created for other purposes, you can add that account by selecting the Add an existing account option during the sign-up process.
- Next we need to enable directory synchronization between our Active Directory [AD] forest and Azure Active Directory. After RMS is enabled, Azure AD must be configured to work with the users and groups in our on-premises AD. Although we can use Office 365 with accounts we manually created in Azure AD (cloud identity), when we use RMS with the RMS connector, the accounts in Azure AD must be synchronized with Active Directory Domain Services.
- Optionally, we can enable federation between our on-premises AD and Azure AD. This enables a more seamless user experience by using Single Sign-On [SSO] to the RMS service. Without SSO, users are prompted for their credentials before they can use rights-protected content. Note, however, that some configurations do require federation to be enabled. For example, access to SharePoint 2013 protected libraries from Office 2013 clients requires federation.
Now that we have completed all the above prerequisites, we are ready to install the RMS connector in our environment. The server where we plan to install the connector must meet the following criteria:
- A 64-bit physical or virtual computer running Windows Server 2008 R2, 2012 or 2012 R2;
- At least 1 GB of RAM;
- A minimum of 64 GB of disk space;
- At least one network interface;
- Access to the Internet via a firewall (or web proxy) that does not require authentication;
- Must be in a forest or domain that trusts the other forests in the organization that contain the Exchange or SharePoint servers we want to use with the RMS connector.
There should be a single RMS connector (possibly consisting of multiple servers for high availability) per Azure RMS tenant. Unlike ADRMS, we do not have to install an RMS connector in each forest.
Next, we need to download the source files for the RMS connector from the Microsoft Download Center. There you will find three files:
Figure 1.6: Rights Management Connector Downloads
To install the RMS connector we only need RMSConnectorSetup.exe, but download all three files, as we will use the others as well. The RMSConnectorAdminToolSetup_x86.exe file allows us to configure the connector from a 32-bit computer, and GenConnectorConfig.ps1 is the server configuration tool for the RMS connector that automates the configuration of registry settings on Exchange and SharePoint servers.
To start the installation, we simply run RMSConnectorSetup.exe with Administrator privileges.
On the welcome screen, ensure that Install Microsoft Rights Management connector on this computer is selected (note that using this executable we can also install the 64-bit version of the admin tools):
Figure 1.7: Rights Management Connector – Welcome Screen
Tick I accept the terms in the License Agreement and click Next:
Figure 1.8: Rights Management Connector – License Agreement
Enter the credentials for an account that has sufficient privileges to configure the RMS connector. Here we can use an account that has one of the following privileges:
- Office 365 Tenant Administrator: an account with administrator privileges on our Office 365 tenant;
- Microsoft RMS Tenant Global Administrator: an account with administrator privileges on the Microsoft RMS tenant;
- Microsoft RMS connector Administrator: an account in Azure Active Directory that has been granted rights to install and administer the RMS connector for the organization.
If you want to use the Microsoft RMS connector Administrator account, you must first do the following to assign the RMS connector administrator role:
- On the same computer, download and install the Azure AD Rights Management Administration Tool, which contains the Azure Rights Management administration module for PowerShell;
- Start PowerShell with administrative rights and connect to the Azure RMS service by running:
- Then run one of the following cmdlets:
Add-AadrmRoleBasedAdministrator -EmailAddress <email address> -Role "GlobalAdministrator"
Add-AadrmRoleBasedAdministrator -ObjectId <object id> -Role "ConnectorAdministrator"
Add-AadrmRoleBasedAdministrator -SecurityGroupDisplayName <group Name> -Role "ConnectorAdministrator"
Add-AadrmRoleBasedAdministrator -EmailAddress email@example.com -Role "GlobalAdministrator"
To simplify things I am going to use the first option and enter the credentials for my tenant’s admin account:
Figure 1.9: Rights Management Connector – Credentials
Once the credentials are validated, click Install to start the installation process:
Figure 1.10: Rights Management Connector – Installation Confirmation
At this stage, all prerequisite software is validated and installed, Internet Information Services [IIS] is installed if not already present, and the connector software is installed and configured. In addition, RMS is prepared for configuration by creating the following:
- An empty table of servers that are authorized to use the connector to communicate with RMS (we will add our Exchange servers to this table later);
- A set of authorization certificates that are downloaded from RMS and installed on the local computer. The computer stores these certificates in the registry and protects them with the Data Protection Application Programming Interface [DPAPI], using the Local System account credentials.
On the final page of the wizard, do the following, and then click Finish:
- If this is the first connector that you have installed, and you are installing more than one for High Availability [HA], do not select Launch connector administrator console to authorize servers at this time. You will select this option after you have installed your second (or final) RMS connector. Instead, run the wizard again on at least one other computer. You must install a minimum of two connectors in order to achieve HA.
- If this is your final connector, select Launch connector administrator console to authorize servers.
Figure 1.11: Rights Management Connector – Installation Complete
At this point, we can run a verification test to check whether the web services for the RMS connector are operational. From a web browser, connect to http://<connector_address>/_wmcs/certification/servercertification.asmx, replacing <connector_address> with the name, FQDN or IP address of the server that has the RMS connector installed. A successful connection displays a ServerCertificationWebService page:
Figure 1.12: Rights Management Connector Verification Test
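The same verification, scripted so that every connector server in a high-availability pair is probed individually rather than only through a shared name. This is an added example, not part of the original article or of Microsoft's tooling. The function name Test-RmsConnectorEndpoint and the host names are hypothetical, and PowerShell 3.0 or later is assumed for Invoke-WebRequest.

```powershell
# Added example: probe the RMS connector certification web service on each
# connector server and report whether the expected page came back.
function Test-RmsConnectorEndpoint {
    param(
        [Parameter(Mandatory = $true)][string[]]$ConnectorAddress,
        [int]$TimeoutSec = 10
    )

    foreach ($address in $ConnectorAddress) {
        # Path taken from the verification step in the article.
        $uri = "http://$address/_wmcs/certification/servercertification.asmx"

        $result = [pscustomobject]@{
            Connector  = $address
            Uri        = $uri
            StatusCode = $null
            PageFound  = $false
            Error      = $null
        }

        try {
            $response = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec $TimeoutSec
            $result.StatusCode = [int]$response.StatusCode
            # A working connector answers with the ServerCertificationWebService page.
            $result.PageFound = $response.Content -match 'ServerCertificationWebService'
        }
        catch {
            # Name resolution failure, refused connection, timeout or HTTP error.
            $result.Error = $_.Exception.Message
        }

        $result
    }
}

# Constructed host names; replace with the servers running the RMS connector.
$connectors = 'rmsconn01.example.com', 'rmsconn02.example.com'

Test-RmsConnectorEndpoint -ConnectorAddress $connectors |
    Select-Object Connector, StatusCode, PageFound, Error |
    Format-Table -AutoSize
```

A row with PageFound set to False or a populated Error column identifies the connector whose IIS site or web service needs attention before any servers are authorized to use it.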
In this first article of the series, we introduced the new RMS connector. We saw its purpose and its prerequisites, and we went through its installation. In the next article, we will start configuring it.