Integrating AD RMS and SharePoint Server 2007

Applies To: Windows Server 2008, Windows Server 2008 R2

One of the most important new capabilities in AD RMS is integration with Microsoft Office SharePoint Server 2007. Although users have always been able to store IRM-protected documents in SharePoint, the protection capabilities are embedded in the document and not in the storage media. As a result, if you use IRM-protected documents together with SharePoint, there would be a loss of functionality in the SharePoint server. This occurs because protected documents cannot be tagged or indexed while the document contents are encrypted and so they are unavailable to the service. This is no longer the case with AD RMS and Office SharePoint Server 2007, however, because the Office Protector component in Office SharePoint Server 2007 allows for the automatic application of user-specific IRM policies to documents that the user downloads from Office SharePoint Server libraries.

With Office SharePoint Server, IRM protection is available for files that are located in document libraries and stored as attachments to list items. SharePoint site administrators can elect to protect downloads from a document library with IRM. When a user attempts to download a file from the library, Office SharePoint Server verifies that the user has permissions to the given file and issues a use license that allows access to the file with the appropriate permissions. Office SharePoint Server then downloads the file to the user's computer in an encrypted, rights-managed file format.

IRM is enabled at the SharePoint document-library level by an administrator, and protection includes the following options:

  • Whether or not users can print documents that are rights managed.

  • Whether the user can run Microsoft Visual Basic for Applications (VBA) and other custom code in the file.

  • The number of days for which the license is valid; after the specified number of days, the license expires and the user must download the file again from the document library.

  • Whether to let users upload file types that do not support IRM.

  • Optionally, the date to stop restricting permissions to the document library; after the specified date passes, Office SharePoint Server removes all rights-management restrictions from the documents in the library.

When a SharePoint administrator enables IRM for a list or library, Office SharePoint Server can protect any file type in that list or library for which a protector is installed on all front-end Web servers. A protector is a program that controls the encryption and decryption of rights-managed files of a specific file format.

Office SharePoint Server 2007 includes protectors for the following file types:

  • Microsoft Office InfoPath 2007 forms

  • The 97-2003 file formats for Microsoft Word, Microsoft Excel, and Microsoft PowerPoint

  • The Office Open XML formats for Microsoft Office Word 2007, Microsoft Office Excel 2007, and Microsoft Office PowerPoint 2007

  • The XML Paper Specification (XPS) format

The ability to protect different file types depends on the availability of protectors for those file types. If an organization plans to use AD RMS to protect other file types in addition to those listed above, the server administrator should check for the availability of protectors from the applications’ manufacturers or from third parties who provide AD RMS–based solutions. If they exist, those protectors must be installed on the SharePoint server.

When IRM is enabled for a library, rights management applies to all files in that library. When it is enabled for a list, rights management applies only to files that are attached to list items, not the list items themselves.

Office SharePoint Server uses the access control list (ACL) on the library to determine the permissions that it applies to a document for the user downloading it. That is, if a user has access to a library, when Office SharePoint Server delivers documents from the library, it attaches to the document the permissions that are assigned to the user for all of the documents in the library.

The following describes a typical document flow in Office SharePoint Server with AD RMS protection:

  1. A content author (the document publisher) posts a Microsoft Office document to a SharePoint document library that has AD RMS protection enabled.

  2. Office SharePoint Server stores the document in the SharePoint database unencrypted and unprotected to enable searching and indexing of documents in the database.

Important

If the user used IRM or another means to encrypt the document before uploading it to the database, the encryption is not removed when the document is stored in the database. Consequently, the document cannot be searched or indexed while in the database. Unless there is a need for additional protection beyond what is provided by Office SharePoint Server with AD RMS protection, documents should not be IRM protected or otherwise encrypted before being uploaded to the SharePoint document library or list.

  1. Another user (the document consumer) with permission to access to the documents in the library requests the document from the SharePoint server.

  2. The server retrieves the document from the database.

  3. The server attaches permissions to the document based on the permissions assigned to the user for the documents in the library.

  4. The protected document is sent to the user. The user opens it by using the Office application with the help of the AD RMS Client. The Office application enforces the rights defined by the policy.

When users download files in an IRM-enabled list or library, the files are encrypted so that only authorized people can view them. Each rights-managed file also contains an issuance license that imposes restrictions on the users who view the file. Typical restrictions include making a file read-only, preventing a user from copying document contents, preventing a user from saving a local copy, and preventing users from printing the document. Client programs that can read IRM-supported file types use the issuance license within the rights-managed file to enforce these restrictions. This is how a rights-managed file retains its protection even after it is downloaded from the server.

The whole process is transparent to both the user who uploads a document to the list or library and the user who downloads the document from the list or library. It does not require them to take extra steps to protect or access the document, and yet the documents are always protected according to the policies defined for the library.

The types of restrictions that are applied to a file when it is downloaded from a list or library are based on the individual user’s permissions on the SharePoint site that contains the file. The following table explains how the permissions on Office SharePoint Server 2007 sites correspond to IRM permissions.

Office SharePoint Server 2007 permissions IRM permissions

Manage Permissions, Manage Web Site

Full control (as defined by the client program): This permission generally allows a user to Read, Edit, Copy, Save, and modify permissions of rights-managed content.

Edit Items, Manage Lists, Add and Customize Pages

Edit, Copy, and Save: A user can print a file only if the Allow users to print documents check box is selected on the Information Rights Management Settings page for the list or library.

View Items

Read: A user can read the document but cannot copy or modify its content. A user can print only if the Allow users to print documents check box is selected on the Information Rights Management Settings page for the list or library.

Other

No other permissions correspond directly to IRM permissions

File Storage in Microsoft Office SharePoint Server

Because companies often have restrictions that require their files to be stored in unencrypted formats, Office SharePoint Server does not store files in rights-protected (encrypted) file formats. However, Office SharePoint Server calls an IRM protector to convert the stored file to an encrypted format each time a user downloads the file. Similarly, when a user returns a file that had been checked out of an IRM-protected library, Office SharePoint Server calls the appropriate IRM protector to convert the document to an unencrypted format before storing it. As a result, it is not necessary to create custom solutions to enable searching or archiving of document libraries where IRM is enabled. Storing the files in unencrypted format ensures that the current Search indexing service is able to crawl content stored on the servers.

Most companies that use SharePoint also use its search capabilities extensively, and combining this discoverability with the ability for the platform to keep the documents protected after delivery to the users is an excellent solution to deliver flexible access to information without compromising confidentiality or privacy. With Office SharePoint Server, search results are scoped to user permissions, so the user never sees search results that include content to which they do not have access.

Configuring Office SharePoint Server to Work with AD RMS

This section provides the details of the design requirements to successfully integrate AD RMS with Office SharePoint Server IRM and explains how to integrate Office SharePoint Server with AD RMS. Upon completion of this section, you will have a working AD RMS infrastructure integrated with Office SharePoint Server 2007.

The test environment used in this section includes five computers:

Computer Name Operating System Applications and Services

CPANDL-DC

Windows Server® 2003 with Service Pack 2

Active Directory, Domain Name System (DNS)

ADRMS-SRV

Windows Server® 2008

AD RMS, Internet Information Services (IIS) 7.0, and Message Queuing

ADRMS-DB

Windows Server 2003 with SP2

Microsoft SQL Server™ 2005 with Service Pack 2 (SP2)

SPS-SRV

Windows Server 2008

Office SharePoint Server 2007 with Service Pack 1

ADRMS-CLNT

Windows Vista®

Microsoft Office Word 2007 Enterprise Edition

To integrate Office SharePoint Server 2007 with AD RMS, you must perform the following steps:

  • Add permissions for the Office SharePoint Server 2007 administration and application service identities to the AD RMS certification pipeline

  • Enable IRM in Office SharePoint Server 2007

  • Use AD RMS to control access to the contents of a document library

Adding permissions for the SharePoint administration and Web application service identities to the AD RMS Certification Pipeline

If you are following recommended SharePoint deployment practices, to use IRM in Office SharePoint Server, you must add permissions for any IIS application pool identities used by SharePoint Central Administration as well as the current MOSS web application as well as the AD RMS Service Group to the AD RMS cluster server certification pipeline. To do so, each of these objects will require Read & Execute permissions on the ServerCertification.asmx file.

Important

By default, the ACL that protects the AD RMS cluster server certification pipeline is configured to allow only the local System account. You must add the appropriate permissions for these service account identities in order for Office SharePoint Server to integrate with AD RMS.

To add IIS application pool identities and the AD RMS server service group to the AD RMS certification pipeline

  1. Log on to the AD RMS server (ADRMS-SRV) as a local administrator.

  2. Click Start, and then click Computer.

  3. Navigate to C:\Inetpub\wwwroot\_wmcs\Certification.

  4. Right-click ServerCertification.asmx, click Properties, and then click the Security tab.

  5. Click Advanced, click Change Permissions, select the Include inheritable permissions from this object's parent check box, and then click OK two times.

  6. Click Edit, and then click Add.

  7. Click Object Types, select the Users check box, and then click OK.

  8. Type the name of the user identity for the IIS application pool associated with SharePoint Central Administration (such as "MOSS Farm Account"), and then click OK.

  9. Repeat steps 6-8 and for step 8 type the name of the user identity for the IIS application pool associated with your MOSS web application (such as "MOSS SSP Application Identity"), and then click OK.

  10. Repeat steps 6-8 and for step 8 type the name of the AD RMS server service group (ADRMS-SRV\AD RMS Service Group), and then click OK twice.

  11. Click OK to close the ServerCertification.asmx Properties sheet. By default the Read & Execute and the Read permissions are configured for the service user account objects, the AD RMS server service group and all other accounts inherited from the parents of these objects.

  12. Click Start, right-click Command Prompt, click Run as administrator, and then click Continue. Type iisreset, and then press ENTER.

Enabling IRM in Office SharePoint Server 2007

After configuring the AD RMS cluster certification pipeline so that the Office SharePoint Server 2007 server can communicate with it, you must configure Office SharePoint Server 2007 to use the AD RMS cluster by enabling IRM.

To enable Information Rights Management in Office SharePoint Server 2007

  1. Log on to the SharePoint server (SPS-SRV) as a portal administrator.

  2. Click Start, point to Administrative Tools, and then click SharePoint 3.0 Central Administration.

  3. Click Operations, and then click Information Rights Management.

  4. Select Use the default RMS server specified in Active Directory or type the URL of AD RMS server (https://adrms-srv.cpandl.com), and then click OK.

Using AD RMS to Control Access to the Contents of a Document Library

The final step in configuring Office SharePoint Server to work with AD RMS is to assign an Office SharePoint Server 2007 permission policy to a document library. For the purposes of this demonstration, this permission policy will restrict the ability to print any documents that are uploaded to the document library.

To assign a permission policy to a document library

  1. Log on to the SharePoint server (SPS-SRV) as a site administrator.

  2. Click Start, point to All Programs, and then click Internet Explorer.

  3. Type the URL of SharePoint server (https://SPS-SRV) in the address bar, and then click Go.

  4. Click Document Center, click Documents, click Settings, and then click Document Library Settings.

  5. Under Permissions and Management, click Information Rights Management.

  6. Select the Restrict permission to documents in this library on download check box.

  7. In the Permissions policy title box, type CP&L Protected.

  8. In the Permission policy description box, type Restrict CP&L employees from printing, and then click OK.

Office SharePoint Server 2007 will now automatically apply AD RMS rights to the document when it is downloaded from the SharePoint document library. These rights are determined by the Office SharePoint Server 2007 group membership for that site. For example, a user who is in the Visitors Office SharePoint Server 2007 group will not be able to modify the document when it is downloaded from the document library.

Verifying Office SharePoint Server IRM Functionality

You can test AD RMS and Office SharePoint Server 2007 functionality by performing these tasks:

  1. Create a Microsoft Office Word 2007 document on a computer in the cpandl.com domain and then upload this document to the SharePoint document library.

  2. Have an authorized user in the cpandl.com domain open and work with the document.

Creating and Uploading a Document

This procedure must be performed on a computer that belongs to the cpandl.com domain and that has Microsoft Office Word 2007 installed.

To create and upload the document to the document library

  1. Click Start, point to All Programs, point to Microsoft Office, and then click Microsoft Office Word 2007.

  2. In the new document, type This document is read-only, and you cannot print it.

  3. In the new document, click the Microsoft Office Button, click Save As, click Word Document, and then save the file as ADRMS-TEST.docx.

Note

The author of the document will have full rights to the document, regardless of the AD RMS rights that are applied to it.

  1. Close Microsoft Office Word 2007.

  2. Click Start, point to All Programs, and then click Internet Explorer.

  3. Type the URL of SharePoint server (https://SPS-SRV/) in the address bar, and then click Go.

  4. Click Document Center, and then click Documents.

  5. Click Upload, click Upload Document, click Browse to locate and select ADRMS-TEST.docx, and then click Open.

  6. Click OK to upload the file, and then click Check In.

    When the document is uploaded into this library, it receives the restrictions set on the library.

Downloading and Opening the Document

This procedure must be performed on a computer that belongs to the cpandl.com domain and that has Microsoft Office Word 2007 installed. The user who performs this procedure must log on with an account in the cpandl.com domain that is different from the account used to create and upload the document to the SharePoint document library.

Tow download and open the document in the document library

  1. Log on to a client computer (ADRMS-CLNT) as another domain user.

  2. Click Start, click All Programs, and then click Internet Explorer.

  3. Type the URL of the SharePoint server (https://SPS-SRV/) in the address bar, and then click Go.

  4. Click Document Center, and then click Documents.

  5. Click ADRMS-TEST, and then click OK.

  6. When the following message appears, click OK: "Permission to this document is currently restricted. Microsoft Office must connect to https://adrms-srv.cpandl.com/\_wmcs/licensing to verify your credentials and download your permission."

  7. When the following message appears, click OK in the full screen reading view message, and then click Close to close the full screen reading view: "Verifying your credentials for opening content with restricted permissions".

  8. Click the Microsoft Office button. Note that the Print command is disabled.