In Part 1 we walked through installing the RMS Connector services to light-up on-premises services for RMS.

In Part 2 we walked through setting up the RMS Connector for Exchange 2010/2013.

In Part 3 we walked through setting up the RMS Connector for File Servers.

The RMS connector supports a handful of additional scenarios and services:

  • For Exchange 2013: Client access servers and mailbox servers
  • For Exchange 2010: Client access servers and hub transport servers
  • For SharePoint: Front-end SharePoint webservers, including those hosting the Central Administration server
  • For File Classification Infrastructure: Windows Server computers that have installed File Resource Manager

This configuration requires registry settings. To do this, you have two options:

Configuration option: Automatically by using the server configuration tool for Microsoft RMS connector

  • Advantages:
    • No direct editing of the registry. This is automated for you by using a script.
    • No need to run a Windows PowerShell cmdlet to obtain your Microsoft RMS URL.
    • The prerequisites are automatically checked for you (but not automatically remediated) if you run it locally.
  • Disadvantages:
    • When you run the tool, you must make a connection to a server that is already running the RMS connector.

Configuration option: Manually by editing the registry

  • Advantages:
    • No connectivity to a server running the RMS connector is required.
  • Disadvantages:
    • More administrative overheads that are error-prone.
    • You must obtain your Microsoft RMS URL, which requires you to run a Windows PowerShell command.
    • You must always make all the prerequisites checks yourself.

NOTE: In both cases you’ll need to manually install pre-requisites

I’d definitely recommend the automation option versus the manual option here.

First, go ahead and grab the PowerShell script you downloaded earlier, or grab it directly from here

You can deploy the script through a local install, Configuration Manager, or Group Policy.

SharePoint 2010/2013

In order to configure RMS for SharePoint, you’ll need to install it on the respective SharePoint server roles:

  • Front-end SharePoint webservers, including those hosting the Central Administration server

A SharePoint 2013 server must also be running a version of the MSIPC client 2.1 that is supported with the RMS connector. To make sure that you have a supported version, download the latest client here.


There are multiple versions of the MSIPC 2.1 client, so make sure that you have version 1.0.2004.0 or later.

You can verify the client version by checking the version number of MSIPC.dll, which is located in \Program Files\Active Directory Rights Management Services Client 2.1. The properties dialog box shows the version number of the MSIPC 2.1 client.
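The same check can be scripted instead of opening the properties dialog on each front-end server. The following is an added example, not part of the original post or of the RMS connector tooling; it assumes the client is installed under the default Program Files folder named above, and the remote branch assumes PowerShell remoting is enabled on the target servers.

```powershell
# Added example: report whether the MSIPC 2.1 client on each server meets
# the minimum version stated in the text (1.0.2004.0).
param(
    # Server names are supplied by the caller; defaults to the local machine.
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

$check = {
    $minimum = New-Object System.Version -ArgumentList '1.0.2004.0'
    $dll = Join-Path $env:ProgramFiles `
        'Active Directory Rights Management Services Client 2.1\MSIPC.dll'

    $result = New-Object PSObject -Property @{
        Server    = $env:COMPUTERNAME
        Installed = $null
        Supported = $false
        Detail    = ''
    }

    if (-not (Test-Path -LiteralPath $dll)) {
        $result.Detail = "MSIPC.dll not found at $dll"
        return $result
    }

    # Build a System.Version from the numeric fields so the comparison is
    # numeric. A plain string comparison would rank a constructed value such
    # as "1.0.622.0" above "1.0.2004.0".
    $vi = (Get-Item -LiteralPath $dll).VersionInfo
    $installed = New-Object System.Version -ArgumentList `
        $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart

    $result.Installed = $installed
    $result.Supported = ($installed -ge $minimum)
    if ($result.Supported) {
        $result.Detail = 'OK'
    } else {
        $result.Detail = "Older than $minimum; update the MSIPC 2.1 client"
    }
    return $result
}

foreach ($name in $ComputerName) {
    if ($name -eq $env:COMPUTERNAME) { & $check }
    else { Invoke-Command -ComputerName $name -ScriptBlock $check }
}
```

Save it as a script and pass the front-end server names with `-ComputerName`; any row with `Supported` set to `False` needs the client updated before the connector is configured.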

These servers running SharePoint 2010 must have installed a version of the MSDRM client that includes support for RMS Cryptographic Mode 2. The minimum version that is supported in Windows Server 2008 is included in the hotfix that you can download from "RSA key length is increased to 2048 bits for AD RMS in Windows Server 2008 R2 and in Windows Server 2008", and the minimum version for Windows Server 2008 R2 can be downloaded from "RSA key length is increased to 2048 bits for AD RMS in Windows 7 or in Windows Server 2008 R2". Windows Server 2012 and Windows Server 2012 R2 natively support Cryptographic Mode 2.

We’ve already gone ahead and added our SharePoint server to the RMS connector like we did previously for the other servers.

NOTE: For servers that run SharePoint:

  • If a SharePoint 2010 server is configured to run as Local System (it’s not using a service account), manually create a security group in Active Directory Domain Services, and add the computer name object for the server in this configuration to this group.
  • If a SharePoint server is configured to use a service account (the recommended practice for SharePoint 2010 and the only option for SharePoint 2013), do the following:
    • Add the service account that runs the SharePoint Central Administration service to enable SharePoint to be configured from its administrator console.
    • Add the account that is configured for the SharePoint App Pool.

If these two accounts are different, consider creating a single group that contains both accounts to minimize the administrative overheads.

You may have to first update MSIPC (AD RMS Client 2.1) components, which you can grab from here

You can run the following command, substituting the name of your RMS server for the placeholder:

.\GenConnectorConfig.ps1 -ConnectorUri <your RMS connector URI> -SetSharePoint2013

Now go to your Central Administration portal > Security to enable IRM

Choose Configure IRM and input the name of your RMS Connector server.

NOTE: You need to add the SharePoint Central Admin service account to the RMS connector if you have not already done so.

Now let’s go over to our TestRMS site collection and configure IRM for the site Document list or Document library

Let’s look at the Library Settings

And choose IRM

Let’s configure the IRM policy.

NOTE: RMS protection is only applied to a document when it is downloaded, NOT while it is at rest in the library.

Now let’s drop an unprotected document into the library

Now let’s test by downloading that document

You can see that the document is now protected!
