Wednesday, 10 April 2013

Exchange 2013 IRM Configuration

These are the initial steps to configure AD RMS to support Information Rights Management in Exchange 2013 which I've collected here as TechNet has this information but it is spread over multiple articles.


Exchange 2013 is installed and operational (the steps will also work with Exchange 2010)
AD RMS is already configured and a valid certificate is installed on that server which includes the FQDN used in the Certification and Publishing URIs.  The AD RMS server is running Windows Server 2012 but Windows 2008 R2 is also supported.


1. Create a distribution group with the Federation mailbox as its only member
 New-DistributionGroup AdRmsSuperUsers  
 Add-DistributionGroupMember AdRmsSuperUsers -Member FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042  

2. Enable Super Users in AD RMS
2.1 In Active Directory Rights Management Services console, expand the AD RMS cluster.
2.2 Expand Security Policies then click Super Users.
2.3 Click Enable Super Users in the action pane
2.4 Click Change Super User Group
2.5 Type the email address of the AdRmsSuperUsers distribution group or click Browse to search for it.

3. Add Permissions to the AD RMS Server Certification Pipeline File
On the AD RMS server change the security of ServerCertification.asmx, located by default in C:\inetpub\wwwroot\_wmcs\certification\.  Both the Exchange Servers and AD RMS Service Group groups need Read & execute permissions to this file.

The default permissions are System:Full Control so these steps will be required:  On the Security Tab | Advanced | Continue | Add | Select a principal | Exchange Servers | OK.  Do the same for the AD RMS Service Group.

4. Enable Internal Licensing

Finally run this command in the Exchange Management Shell to enable IRM Internal Licensing:
 Set-IRMConfiguration -InternalLicensingEnabled $True  


Run this command in the Exchange Management Shell:
 Test-IRMConfiguration -Sender  

If successful the output will look like this:
Now in Outlook you will see Set Permissions as an option when composing a mail.  This is what is displayed in OWA after the "Do not forward" permission is set on a new message:

More information on IRM can be found here: Information Rights Management in Exchange 2013

1 comment:

  1. Hi Steve, I have this scenario:
    DC01 - Windows Server 2012 (full updated) + CA (ENT ROOT)
    RMS1 - Windows Server 2012 (full updated) - ADRMS
    SQL1 - Windows Server 2012 + SQL 2012 (RTM)
    EXC13 - Windows Server 2012 + Exchange 2013 CU2

    I can set-IRMconfiguration but when I try to test-irm I got the following error

    I gave the right permissions for Exchange server and AD RMS Server Group at c:\inetpub\wwwroot\_wmcs\certification\servercertification.asmx
    I can access from Exchange server the RMS urls without asking for user prompt
    I exported the AD RMS self signed certificate from AD RMS server and Imported it into Exchange server (at trust certificate root)
    and the "END of inner exception..." is just after the "System.unauthorizedAccessException" that let me to see the permission at c:\inetpub\wwwroot\_wmcs\certification\servercertification.asmx file as you can see here

    What can I do to solve it?