Tag Archives: AD RMS

Active Directory Right Management Service (AD RMS) – Part 04 – AD RMS Configuration

So far in this series we learn what is RMS and how it works. You can access those using,

Part 01 What is AD RMS ?

Part 02AD RMS Components

Part 03How AD RMS Works ?

This is the last part of the series and in here I am going to demonstrate how to install and configure AD RMS. 

Setup AD RMS Root Cluster

AD RMS only can install in Domain Member Server. I have a demo server setup and its already member server of the domain. First AD RMS server add to the forest creates the AD RMS cluster. 

Install AD RMS Role

1) Log in to the server as Enterprise Administrator. 

2) Install the AD RMS role and related management tools using, 

Install-WindowsFeature ADRMS -IncludeManagementTools


Configure AD RMS Role

1) Launch Server Manager > Notifications > Under “Configuration required for Active Directory Rights Management Services” > Perform Additional Configuration. This will open the AD RMS Configuration Wizard. Click Next to start the configuration. 


2) In next screen, it gives option to create new AD RMS root cluster or join it to existing AD RMS cluster. Since it is new cluster, select option Create a new AD RMS root cluster and click Next.  

3) Next Screen is to define the AD RMS database configuration. If it’s going to use MS SQL server need to specify the Database server and the instance. Or else it can use Windows Internal Database. Please note if WID used, it cannot have any more AD RMS servers and cannot have AD RMS mobile extension either. Since its demo, I am going to use WID. Once selection made, click Next to move to next step. 


4) In Next window, we need to define service account. It is used to communicate with other services and computers. This doesn’t need to have Domain or Enterprise Admin rights. Click on Specify and provide the user name and password for the account. Then click Next to Proceed to next window. 


5) In next windows, we need to select the Cryptographic mode. This defines the strength of the hashes. This is support two mode which is SHA-1 and SHA-256. It is highly recommended to use Mode 2 which is SHA-256 for stronger hashing. However, this need to be match with the other RMS cluster it deals with. In our setup, I am going to use default SHA-256. Once Selection is made click next to proceed. 


6) AD RMS uses cluster key to sign the certificate and licenses it issues. This is also required when AD RMS restore or when new AD RMS server add to the same cluster. It can be saved in two places. Default method is to use AD RMS centrally managed key storage. So, it doesn’t need any additional configurations. It also supports to use cryptographic service provider (CSP) as storage. But this required manual distribution of key when add another AD RMS server to the cluster. In this we will use option “Use AD RMS centrally managed key storage”. Once selection is made click Next to proceed. 

7) AD RMS also uses Password to encrypt the cluster key described in above. This is required to provide when add another AD RMS server to cluster or when restore AD RMS from backup. This key is cannot reset. There for recommended to keep it recorded in secure place. Once define the AD RMS Cluster Key Password, click Next to proceed. 

8) In next window, we need to define the IIS virtual directory for the AD RMS web site. Unless there is specific requirement always use the default and click Next. 


9) In next step, we need to define a AD RMS cluster URL. This will use by AD RMS clients to communicate with AD RMS cluster. It is highly recommended to use SSL for this even its allow to use it with HTTP only method. The related DNS records and Firewall rules need to be adjusted in order to provide connection between AD RMS clients and this URL (Internally or Externally). Once configuration values provided, click Next to proceed. One thing need to noted is, once this URL is specified, it cannot be change. In this demo, the RMS URL is https://rms.rebeladmin.com. 


10) In next step, we need to define Server Authentication Certificate. This certificate will use to encrypt the network traffic between RMS clients and AD RMS cluster. For testing it can use self-signed certificate but not recommended for production. If its uses internal CA, client computers should be aware of the root certificate. In wizard, it automatically takes the list of SSL certificates installed in the Computer and we can select the certificate from there. It also allowed to configure this setting in later time. Once settings are defined, click Next to proceed. 


11) In next window, it asks to provide Name for the Server License Certificate (SLC). This certificate is to define the identity of the AD RMS cluster and it used in the Data protection process between clients to encrypt/decrypt symmetric keys. Once defined a meaningful name, click Next to proceed. 

12) Last step of the configuration is to register AD RMS connection service point (SCP) with the AD DS. If needed this can configure later too. This need enterprise administrator privileges to register it with AD DS. In this demo, I already logged as enterprise administrator so I am using “Register the SCP now”. Once option selected, click Next


13) After the confirmation, installation will begin and wait for the result. If it’s all successful, log off and log back in the AD RMS server. 

14) Once log back in, Go to Server Manager > Tools > Active Directory Rights Management Service to access the AD RMS cluster.


Test Protecting Data using AD RMS Cluster

Next step of the demo is to test the AD RMS cluster by protecting data. For that I am using two user accounts. 


Email Address








Email account filed is must and if user doesn’t have email address defined, it will not be allowed to protect the document. 

The end user computers must have added https://rms.rebeladmin.com to the Internet Explorer, Local Intranet’s trusted site lists. This can be done via GPO. If it’s not added, when go to protect the document, users will get following error,


In this demo as user Peter going to create protected document using Word 2013. The recipient will only be user Adam and he will only have read permission. 

To Protect the Document

1) Log in to the Windows 10 (Domain member) computer as user Peter

2) Open word 2013 and type some text

3) Then Go to File > Protect Document > Restrict Access > Connect to Digital Rights Management Servers and get templates 


4) Once its successfully retrieves the templates, go back to same option and select Restricted Access


5) Then it will open up new window. On there for the read permissions, type adam@rebeladmin.com to provide read only permission to user adam. Then click OK.  


6) After that save the document. In demo, I used a network share which user adam also have access. 

7) Now I log in to another window 10 computers as user adam. 

8) Then brows to path where document was saved and open it using word 2013. 

9) On the opening process, it asks to authenticate to the RMS to retrieve the licenses. After that it open the document. In top of the document it says document got limited access. When click on the “View Permission” it list down the allowed permissions and it matches what we set in the author side. 


10) Further in to testing I have log in to system as another user (Liam) and when I access the file I gets, 


This ends the configuration and testing of the AD RMS cluster. In this demo, I explained how we can set up AD RMS cluster with minimum resource and configuration. I only used the default configuration of AD RMS cluster and no custom policies applied. By understand core functions allows you to customize it to meet your organization requirements. 

This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Active Directory Right Management Service (AD RMS) – part 03 – How AD RMS Works?

In part 01 of this series we learned RMS and its capabilities. if you didn’t read it yet, you can find it in here. In part 02 we learned about AD RMS components. You can read it using  

In part 03, I am going to explain how AD RMS works. 

By now we know the components of the AD RMS and its capabilities. In this section, we are going to look in details to understand how all these components work together to protect corporate data. 

Before start the data protecting process, we need to have healthy AD RMS Cluster, AD RMS Clients (Author and Recipient) and reliable connection between those components. Once these prerequires fulfill, Data protection process will happen in three main stages which is protect content by author, publish protected content and access protected content by recipient. Let’s assume Peter is trying to protect a document using AD RMS. He going to send it to Adam and he do not want him to edit or print it. This is the first time he going to use AD RMS. In AD RMS environment, user Peter will refer as Information Author. On his first authentication in to AD RMS cluster, it creates Right Account Certificate (RAC) and it will be user’s identity in AD RMS. This is a onetime process. This certificate contains the public key and private key of the Peter which is encrypted by his computer’s public key. When Peter register with AD RMS cluster it also creates another certificate called Client Licensor Certificate (CLC). This CLC includes Client Licensor Certificate’s public key and private key which is protected by public key of Peter. It also includes AD RMS cluster public key which is signed by AD RMS private key.

Peter decides what data need to be protected first. Then it generates symmetric key (random) and encrypt the data which needs to be protected. It uses AES-256 standards to encrypt the data. When first AD RMS server added to the cluster, it creates another certificate called Server Licensor Certificate (SLC). This represent the identity element of the AD RMS server. This is shared with clients so they can use to exchange confidential data in secure way. SLC includes the public key of the AD RMS server. As the next step the system will encrypt the symmetric key used for data encryption by using it. So, only AD RMS cluster can open it. 

After that RMS Client creates Publishing License (PL). This PL use to indicate allowed recipients, what rights they got and what condition will apply towards protected data. PL includes encrypted symmetric key that can used to decrypt the protected data. All these data then encrypt with Server Licensor Certificate’s public key. Apart from that AD RMS client also will sign encrypted data with private key of CLS. At the end this protected data will attached to PL. it also included the copy of symmetric key which is encrypted with CLS public key. This confirms Peter’s authority over the protected document, so he can decrypt the document without using another license. Once all these encryptions and signings are done, the document is ready to send over to Adam. 

Once Adam receives the document, his Ad RMS aware application try to open it and found it is a protected document. Similar to Peter, Adam already have his RAC and CLS from the AD RMS Cluster. In order to open the protected document at once does it encrypt it with does it encrypt or sign with any of Adam’s certificates? No, it’s not. But his AD RMS client knows who need to contact in order to sort it out for him. To open the protected document Adam should have a Use License (UL). This is issue by the RMS cluster. So, AD RMS client request for license also included encrypted Publishing License, Encrypted Symmetric Key, Peter’s CLC and Public key of Adam’s RAC. The protected document will not send over with this request to RMS Cluster. To decrypt the protected document Adam needs the Symmetric key which used by Peter to encrypt the document. As first step Server needs to know if Adam is permitted to access the document, if he is permitted what sort of conditions and rights will apply. This info is in Publishing License. It is encrypted using public key of SLC. AD RMS server is the private key owner for it and he can easily extract it. if Adam is not allowed in PL, it will be declined the access to it. if its allowed it creates a list mentioning Adam’s rights to the document. The most important part of the decryption process is to retrieve the Symmetric Key. This is also encrypted by SLC’s public key. Once it is extract, it will be re-encrypt using Adam’s RAC public key. it was a part of the Use License request. This ensure, the only one can see the key is Adam’s system. Since server got all the required information, it generates Use License including the permission list and encrypted symmetric key. then it sends over to Adam’s RMS client. Once it reaches Adam’s system, it can decrypt the symmetric key using RAC’s private key. then RMS aware application will decrypt the document and attach the rights information retrieved from the User License. At the end, voila!!! Adam can see the content of the document. 

In above I have talked lots about different certificates, licenses, data encryption and decryption. I thought its still better to explain it in high level to recap things we learned. 


Peter wants to send protected document to Adam. Adam should only have read permission to the document and should not be able to modify or print. 

1) This is the first-time peter going to use AD RMS. As soon as he tries to protect the document, RMS client initiate a connection to AD RMS server (cluster)

2) AD RMS Server replied with Right Account Certificate and Client Licensor Certificate. This is one time process. 

3) In Peter’s system, random symmetric key is generated and encrypt the document using it. Then this symmetric key is encrypt using SLC’s public key. After that it is attached to a Publishing License which includes Adam’s rights for the protected document. After that PL attached to encrypted document.

4) Peter sends protected document (along with this additional info) to Adam.

5) Adam’s RMS Aware application try to open it and found that it need Use License from AD RMS Server. then RMS client request it from the RMS Server.

6) RMS server decrypt the symmetric key and the PL. after that server checks if the requester match with the PL. in our scenario it matches, so it went ahead and creates Use License. This includes symmetric key (it re-encrypts using Adam’s RAC Public Key) and a list which contains rights describes in PL. Then it delivers to Adam’s system.

7) Once Adam’s system receives the Use License, it retrieves Symmetric key and decrypt the document. Then Adam open the document and use it according to rights described on PL. 

This marks the end of this blog post. In Part 04, I will demonstrate deployment of AD RMS. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Active Directory Right Management Service (AD RMS) – Part 02 – AD RMS Components

In my previous blog post about AD RMS, I have explained what is RMS and its capabilities. If you didn’t read it yet, you can find it here . In this post I am going to explain about AD RMS components. 

AD RMS have its own role services and related components which need to work together in order to maintain healthy AD RMS environment. Let look in to these components in details. 

Active Directory Domain Services (AD DS) – AD RMS is one of Active Directory Role service. AD RMS can only be installed in AD DS environment and it must be on member servers. It also uses to publish service connection point (SCP), where internal users can automatically discover the URL for AD RMS environment. 

AD RMS Cluster – AD RMS Cluster is a single RMS server or group of servers which shares certificates and licensing requests from its clients. Even its says as “Cluster” it is different from typical Windows failover cluster. Failover cluster at least needed two nodes. But in RMS cluster, event it’s have single server it become a cluster. But there is one requirement for AD RMS cluster if there are multiple servers involves. AD RMS supports two types of databases similar to AD FS. By default, it uses Windows Internal Database (WID) and it also supports to Microsoft SQL Server Database. If AD RMS Cluster going to have multiple servers it must use MS SQL database in separate server. 

There are two type of clusters in AD RMS, 

Root Cluster – When setup first AD RMS server in infrastructure, it becomes root cluster. By default, it responds to both licensing and certificates requests from clients. When required, additional RMS servers can be added to the cluster. There is only one root cluster can exist on one AD DS forest. 

Licensing Cluster – If organization has multiple active directory sites, there are situation where remote sites prefers to use servers in their own site whenever possible. It prevents users by connecting sites through slow links. In such scenarios, organizations can deploy licensing-only cluster in remote sites. It only responses to licensing requests from clients. 

When new RMS server add to the infrastructure, based on installed roles it will automatically make it part of relevant cluster. However, it is recommended to use root cluster only as it will automatically load balance both certificates and licensing requests. When it has two clusters, load balancing is handled by each cluster separately even though it’s components of one system. 

Web Server – AD RMS required web service for its operations. There for it required IIS 7.0 or latest with following role services. 

Web Server (IIS)

Web Server

o Common HTTP Features

Static Content

Directory Browsing

HTTP Errors

HTTP Redirection

o Performance

Static Content Compression

o Health and Diagnostics

HTTP Logging

Logging Tools

Request Monitor


o Security

Windows Authentication

Management Tools

o IIS Management Console

o IIS 6 Management Compatibility

IIS 6 Metabase Compatibility

IIS 6 WMI Compatibility

SQL Server – AD RMS supports Windows Internal Database (WID) and Microsoft SQL Server Database. If AD RMS Cluster going to have multiple servers, its database must be in MS SQL server. It supports SQL server 2005 onwards. AD RMS have three databases. 

Configuration Database – Configuration database includes configuration data related to AD RMS cluster, windows users identities and AD RMS certificate key pair which used to create cluster. 

Logging Database – This contain the logging data for the AD RMS setup. By default, it will install it in the same SQL server instance which hosts the Configuration Database.

Directory Service Database – This database maintains cached data about users, SID Values, Group membership and related identifiers. This data been collected by AD RMS licensing service from LDAP queries which ran against global catalog server. by default its refresh in every 12 hours.  

AD RMS support SQL High availability solutions including SQL failover clustering, database mirroring and log shipping. It is NOT supported SQL server AlwaysOn. 

In previous section I have mentioned about mobile device extensions which can used to extend AD RMS to manage corporate data in mobile devices. It does not support to Windows Internal Database (WID) and if you going to use this feature, Ad RMS databases must run for separate SQL server. 

AD RMS Client – AD RMS client is required to communicate with AD RMS cluster and protect data. This is included in all the recent operating systems which was released after windows XP. However, this still need to install on MAC and Mobile devices to use AD RMS. 

Active Directory Certificate Service (AD CS) – AD RMS uses several certificates to protect the communication between AD RMS components and clients. Most of those can issue using corporate trusted certificate authority. As an example, AD RMS cluster can build using SSL certificate to protect communication between servers in cluster. If AD RMS setup required to publish service URLs externally, then it will be required a certificate from public certificate authority. AD RMS itself uses various Extensible Rights Markup Language (XrML)-based certificates to protect communication between components and data. These certificates are different from AD CS certificates. 

This marks the end of this blog post. In Part 03 I will be explaining how AD RMS really works. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Active Directory Right Management Service (AD RMS) – Part 01

Microsoft had taken their first approach to information rights management (IRM) by introducing Windows Right Management Service with Windows Server 2003. This was fully compliant with Federal Information Processing Standard (FIPS) 140-1. The update version of Windows Right Management was renamed as Active Directory Rights Management Services and re introduced with Windows Server 2008. It continued to grow with features and included with every new windows server versions after that. Microsoft also released Azure RMS (included in Azure Information Protection) which can use in Hybrid-Cloud environment to protect data. 

However, AD RMS is not the solution for all the Data security requirements. In an infrastructure, there is other things attached to data security. First step of the protection is to decide who have access to corporate network and resources. This fall under perimeter defense and Hardware/Software firewalls can use to define rules to manage traffic come in to corporate network and traffic goes out from corporate network. Modern Layer-7 Firewalls and Next Generation Firewalls allows not only to manage connections but go further on analysis traffic based on applications, user accounts (AD integrated). If users are allowed to use Internet, it also can bring threats to corporate data. It can be via viruses, malware, phishing emails etc. Similar threats can be eliminate using Layer 7 firewalls or Proxies. The next step on Data Protection is to controlled the data access for users and groups in the corporate network. This is done by using NTFS and Access Control Lists (ACLs). These helps to control who have access to what data and resources. The challenge is to protect data once users and groups have access to it. As an example, REBELADMIN Inc. does have Sales Department. CEO creates a word document which includes last year total sales and save it in a network folder. The only people have access to it is CEO and Sales Manager. He sent email to Sales Manager and inform about the file. Access to folder is protected by ACLs but ones Sales Manager have access to it, what will prevent him emailing it to a person in Technical Department or bring it home with him and share it with another party? Active Directory Right Management Service controls the behavior of data once users have access it. But this will not prevent data leakage via digital photographs, third-party screen capturing, hard copies or viruses and malware. 

AD RMS can,

Follow Data with Policies (Persistent Usage Rights and Conditions) –  NTFS permission and ACLs only can manage a data within its operation boundaries. In my previous example, when the report is inside the Sales folder it will only can access by CEO and Sales Manager. However, if its copied to local disk, forward as email it will bypass the NTFS permissions and ACLs. AD RMS uses Persistent usage policies which follows the data. Even its moved, forwarded, the policies will follow it. 

Prevent Confidential Emails going in to wrong hands – Emails is one of the media that commonly involves with data leakage. Constants news are coming on medias due to wrong peoples got access to “confidential” emails. Once email is left outgoing email folder, we do not have control over the data and we do not have guarantee if this is only access by the recipient and it’s not forwarded to another party that original sender not aware of. AD RMS can prevent recipient been forwarding, modifying, copying or printing confidential emails. It also guarantees, its only can open by the expected recipient.

Prevent Data been access by unauthorized peoples – Similar to emails, AD RMS can also protect confidential files, reports been modified, copied, forwarded or print by unauthorized users.

Prevent Users by capturing content using Windows Print Screen feature – Even users do not forward or copy method to send data they still can use print screen option to capture the data in another format. AD RMS can prevent users by using windows print screen tool to capture data. However, this not going to prevent users by using third-party screen capturing solutions. 

File Expiration – AD RMS allows to set time limit to files so after certain period of time, content of it will not be able to access. 

Protect Data on Mobile Devices and MAC – People uses mobile devices to access corporate services and data. AD RMS mobile extension allow to extend its data protection capabilities in to mobile devices which runs with Windows, Android or iOS. In order to do that, Device should have latest RMS clients and RMS aware apps installed as well. This also applies to MAC devices as long as it uses Office 2016 for MAC and RMS aware applications. 

Integration with Applications – AD RMS not only support Microsoft office files, its support wide range of applications and file types. As an example, AD RMS directly can integrate with Share Point (2007 onwards) to protect the documents published on intranet site. There are third party applications which support RMS too. It also supports file types such as .pdf, .jpg, .txt, .xml. This allow corporates to protects more and more data types in infrastructure. 

This marks the end of this blog post. In Part 02 I will be explaining the components of RMS. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Identity and Access (IDA) Management Solutions

In previous article I have explain what IDA solution is and what we need to consider on implementing such a solution to business. If you didn’t read it yet you can find it on here

What is IDA Management Solutions?

IDA management solutions used to integrate, sync, manage different identities an organization uses. It can be different directories, different systems. For ex- Company ABC use Active Directory Domain Services (AD DS) to manage its users. It also have another web application hosted on linux platform which is using different identity store. Billing platform is maintaining another authentication system for customers and employers. Company XYZ its merge with using Novell eDirectory as its directory service. So IDA management solution it will help organization to integrate and maintain these different authentication systems without additional management efforts.

What are the features of IDA Management Solutions?

Multiple Authentication Systems

In an organization, there can be various authentication systems. It can be different directory services or databases. Most of the time IT professionals are used to merge these various system to one authentication system to provide Single Sign on (SSO) experience. Majority of applications, authentication systems allow to integrate them with different directory services. But some time it is important to maintain different identity stores while sync or exchange certain information among them. IDA management solutions allow to maintain multiple authentication systems while providing SSO or filtered information exchange.

Determining Authoritative Identity

As I explain before IDA management solution can integrate, synchronize and maintain identity data from multiple identity stores. When those systems works together it’s important to identify the attributes and the source of them. For ex- If “System A” requesting user information from “System B” for authentication it’s important to make sure “System A” is same source its claims to be before pass the sensitive information. There for IDA management solution will act as trusted information source which we can use for validate the information which are sync between multiple identity stores.

Authentication and Authorization

IDA solution will make sure to authenticate and authorize users based on the access control permissions or policies.

Add/Remove User accounts automation

When an organization deals with multiple identity stores it makes more work for IT staff for user account provisioning and de-provisioning. For ex- if company have 5 different systems when new use comes in IT department need to create use in all 5 systems along with appropriate ACL etc. imagine with 25 users how much of work load it will create ? Also the process can increase the possibilities for errors and it even can create security risks to entire network.
With IDA solution we can automate this user add/remove process across multiple systems. It will ensure the integrity, security, productivity compare to manual process.

Secure data exchange between companies

Due to business needs some time organizations needs to exchange access to data and resources with other companies, vendors or partners. It is not practical to force the other party to change their systems to compatible with ours. IDA management solutions allows to securely share access information to data and resources with minimum administrative efforts. It can be using domain trusts, federation services, forest trusts etc.

Secure Data Exchange

When deals with multiple systems its obvious sensitive information will share or sync between them. This communications may happens between multiple networks. IDA solutions will ensure all of the communication between different systems are secure and data exchanged between them are secured.

Safeguard sensitive data 

Let’s assume “company ABC” merge with “company XYZ”. These are interconnected using domain trust. CEO of company ABC is sending email attached with office excel file contains salary information to CEO of company XYZ. So defiantly its very sensitive data which should not access by any other person. Even though it’s secure communication what if someone else in company got access to it? IDA solution can use to make sure the confident data only access by the authorized person. As example Active Directory Right Management Services (AD RMS) can use as tool to ensure only CEO of XYZ can open that excel file and no one else.

In next article let’s look in to some of IDA tools and techniques we can use.