Wednesday, 11 January 2012

How to integrate AD RMS with Exchange 2010 SP2 (Part 3)

In this third part, we will configure the AD RMS and Exchange 2010 servers to communicate with each other. Let's see how to do that:

1- This is the AD RMS console. You can open it from Administrative Tools.


2- In this step, grant at least Read and Execute permission to the “Exchange Servers” group and the RMS service account on the “servercertification.asmx” file. You will find this file under “C:\inetpub\wwwroot\_wmcs\certification”.


3- In the AD RMS console, enable the super users feature and specify a mail-enabled security group (a security distribution group) whose email address matches its name.


4- On the Exchange server, open the Exchange Management Shell (PowerShell) and run the following cmdlet: Test-IRMConfiguration -Sender administrator@contoso.local


Only the last test should produce a warning. If you get any other errors or warnings in the earlier steps, you have to troubleshoot them before going on.

5- Now we have to enable IRM for internal recipients by running the following PowerShell cmdlet: Set-IRMConfiguration -InternalLicensingEnabled $True


6- To verify that IRM is enabled for OWA, run this PowerShell cmdlet: Get-OWAVirtualDirectory | FL *RM*
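The following script is an added example, not the author's own, that wraps steps 2 and 4 to 6 so the state of the integration can be checked in one place rather than read from screenshots. Section A runs on the AD RMS server and section B in the Exchange Management Shell; the domain NetBIOS name CONTOSO, the service account CONTOSO\svc-adrms and the test sender administrator@contoso.local are assumptions.

```powershell
# --- A. On the AD RMS server (step 2): grant Read & Execute on servercertification.asmx
function Grant-RmsCertificationAccess {
    param(
        [string]$Path = 'C:\inetpub\wwwroot\_wmcs\certification\servercertification.asmx',
        # Assumed names: the Exchange Servers group and the RMS service account.
        [string[]]$Identities = @('CONTOSO\Exchange Servers', 'CONTOSO\svc-adrms')
    )
    foreach ($id in $Identities) {
        # RX = Read and Execute. icacls adds an ACE and leaves the existing ones in place.
        & icacls $Path /grant "${id}:(RX)" | Out-Null
    }
    # Return the resulting ACEs for the two identities so the grant can be verified.
    (Get-Acl $Path).Access |
        Where-Object { $Identities -contains $_.IdentityReference.Value } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# --- B. In the Exchange Management Shell (steps 4 to 6)
function Test-ExchangeIrmIntegration {
    param(
        [string]$Sender = 'administrator@contoso.local',   # assumed test mailbox
        [switch]$EnableInternalLicensing                    # apply step 5 if not yet done
    )
    $irm = Get-IRMConfiguration
    if ($EnableInternalLicensing -and -not $irm.InternalLicensingEnabled) {
        Set-IRMConfiguration -InternalLicensingEnabled $true
        $irm = Get-IRMConfiguration
    }
    # Step 4: end-to-end test against the AD RMS cluster for the given sender.
    $test = Test-IRMConfiguration -Sender $Sender
    # Step 6: IRM must be enabled on every OWA virtual directory.
    $owa = Get-OWAVirtualDirectory | Select-Object Server, Name, IRMEnabled
    New-Object PSObject -Property @{
        InternalLicensingEnabled = $irm.InternalLicensingEnabled
        TestIrmOverallResult     = $test.OverallResult
        TestIrmDetail            = $test.Results
        OwaIrmEnabledEverywhere  = (($owa | ForEach-Object { $_.IRMEnabled }) -notcontains $false)
        OwaVirtualDirectories    = $owa
    }
}

# Typical use: Grant-RmsCertificationAccess on the RMS server, then on Exchange:
# Test-ExchangeIrmIntegration -EnableInternalLicensing | Format-List
```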


All is OK. Exchange 2010 SP2 and AD RMS interact correctly with each other. In the next part, we will deploy a policy and use it with an Outlook 2010 user.

How to integrate AD RMS with Exchange 2010 SP2 (Part 2)

In part 1, we talked about IRM. Now we will focus on the deployment process, beginning with AD RMS:

1- Add the “AD RMS” role


2- AD RMS relies on a database to store its configuration; you have to choose between the Microsoft internal database and a remote SQL Server instance.


3- Specify the service account. If the AD RMS server is also a domain controller (not recommended), you have to add the account to the “Domain Admins” group.


4- Specify the location of the AD RMS cluster key


5- Specify a strong password for the AD RMS cluster key


6- Select the IIS website that will host the AD RMS certification virtual directory.


7- Specify the AD RMS cluster address: use the FQDN, and don’t forget to validate it. If the name you specify is different from the name of the server hosting AD RMS, you have to add a CNAME record in DNS, because clients will request licenses from that URL.


8- Choose the certificate. This step is important, because the certificate must contain the name provided in the previous step. In my scenario I used a self-signed certificate.


9- Specify the licensor certificate name


10- Now register the AD RMS Service Connection Point (SCP) in Active Directory.


11- Now start the installation.


We have finished the installation of AD RMS. In the next part of this article, we will configure AD RMS and Exchange 2010 to communicate with each other.

ADRMS: The remote certificate is invalid according to the validation procedure

While setting up IRM functionality to work with Exchange 2010, I had to install AD RMS and test the IRM configuration with the Exchange PowerShell. While doing so, I encountered the following error:


When I added the AD RMS role, I chose a self-signed certificate. Afterwards, I took a look at IIS and found my certificate bound to the “Default Web Site”. I tried the AD RMS URL “https://dc.contoso.local/_wmcs/licensing/server.asmx” and got a certificate error. I then guessed that my certificate had to be in my “Trusted Root Certification Authorities” container, and the problem was solved.
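The check below is an added example, not the author's script, covering steps 7 and 8 of Part 2 and the certificate error above: run from the Exchange server, it confirms that the cluster FQDN resolves, that the certificate presented carries that name, and whether the chain validates on this machine, which is exactly what fails for a self-signed certificate until it is imported into Trusted Root Certification Authorities. The cluster name dc.contoso.local is taken from the licensing URL in the post; port 443 is assumed.

```powershell
function Test-AdRmsClusterCertificate {
    param(
        [string]$ClusterFqdn = 'dc.contoso.local',   # assumed cluster FQDN from the wizard (step 7)
        [int]$Port = 443
    )
    $r = @{ Resolves = $false; NameMatches = $false; ChainValid = $false; Subject = ''; Detail = '' }
    try {
        [void][System.Net.Dns]::GetHostAddresses($ClusterFqdn)
        $r.Resolves = $true
    } catch {
        $r.Detail = "Name does not resolve (step 7 needs a CNAME or A record): $($_.Exception.Message)"
        return New-Object PSObject -Property $r
    }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($ClusterFqdn, $Port)
        # Accept any certificate during the handshake; validation is done explicitly below
        # so the report shows why the certificate would be rejected, not only that it was.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($ClusterFqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.Subject = $cert.Subject
        # Step 8: the certificate must carry the cluster name (SAN DNS entry or subject CN).
        $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        $r.NameMatches = ($dnsName -eq $ClusterFqdn)
        # Chain validation as this machine sees it. A self-signed certificate fails here
        # (UntrustedRoot) until it is placed in Trusted Root Certification Authorities.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $r.ChainValid = $chain.Build($cert)
        if (-not $r.ChainValid) {
            $r.Detail = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
        $ssl.Close()
    } catch {
        $r.Detail = "TLS handshake failed: $($_.Exception.Message)"
    } finally {
        $tcp.Close()
    }
    New-Object PSObject -Property $r
}

# Run on the Exchange server, since it is the client that must trust the AD RMS certificate.
Test-AdRmsClusterCertificate -ClusterFqdn 'dc.contoso.local' | Format-List
```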


Good luck!

Tuesday, 10 January 2012

How to integrate AD RMS with Exchange 2010 SP2 (Part 1)

Exchange 2010 provides security features such as TLS, which encrypts communication on the network, and S/MIME, which encrypts the messages themselves.

Unfortunately, these traditional features have some limitations. Besides, a company deals with critical data such as business information or financial reports, and users rely on their mailboxes to send this data to each other. So Exchange Server provides a new feature known as IRM.

What’s IRM?

Information Rights Management (IRM) applies persistent protection to messages and attachments (MS Office or other IRM-enabled applications) in Exchange Server. With IRM:

  • Users can’t forward, modify, print, fax, save, or cut and paste the content of a message or an attachment.
  • Users can’t view an IRM-protected message or attachment after a specified period.
  • Users can’t use the Windows Snipping Tool to copy the content of an IRM-protected message.

With IRM you can’t:

  • Prevent users from using third-party tools to capture the screen.
  • Prevent users from using imaging devices to photograph an IRM-protected message.
  • Prevent users from remembering and then retyping the content of an IRM-protected message.

IRM relies on Active Directory Rights Management Services (AD RMS), a role in Windows Server 2008. In the next article, we will begin the deployment of IRM, starting with the implementation of AD RMS.

MCC | MCT | MCITP Exchange 2010 | MCITP Exchange 2007 | MCITP Server Administrator