Prerequisite Steps:

  1. Make sure the user you are using to configure SharePoint has an email attribute in AD.  Also make sure the SharePoint service account has an email attribute.
  2. Verify that RMS is functional outside of SharePoint by going into Microsoft Word under  file\info\protect document\Restrict Permission by People\Restricted Access.  If this fails, troubleshoot RMS.
  3. Check the SharePoint Central Administration\Manage Profile Service: User  Profile Service  Application
    You should see Number of User Profiles at a high number to indicate it synchronized.
    If it failed to synchronize.  Go into
    Application Management\Manage Services on Server\User Profile Synchronization service (make sure it's started)
  4. Application Management\User Profile Service Application (Click it)
    Configure Synchronization Connections
    Create a New Connection (if there isn't one)
    Go back and Start Profile Synchronization (Start Full Synchronization)

To add your SharePoint Server to the AD RMS Certification Pipeline

  1. Log on to ADRMS server as an Administrator.
  2. Click Start, and then click Computer.
  3. Navigate to C:\Inetpub\wwwroot\_wmcs\Certification.
  4. Right-click ServerCertification.asmx, click Properties, and then click the Security tab.
  5. Click Advanced, click Edit, select the Include inheritable permissions from this object's parent check box, and then click OK two times.
  6. Click Edit, and then click Add.
  7. Click Object Types, select the Computers check box, and then click OK.
  8. Type YourSharePointServerName, and then click OK. (note: If your SharePoint service/application pool is a domain account you can, and should give it rights here as well. If you have multiple application pools, you might need to add them if they require RMS support)
  9. Click OK to close the ServerCertification.asmx Properties sheet.
    By default the Read & execute and the Read permissions are configured for the SharePoint server computer account object and all other accounts inherited from the parent folder. (make sure to set Allow Inheritable Permissions on ServerCertification.asmx).
    It's good practice to specifically give the SharePoint Application Pool accounts these rights as well.

10.  Click Start, and then click Command Prompt.

11.  Type iisreset, and then press ENTER.

Once the AD RMS cluster certification pipeline has been allowed so that SPS-SRV can communicate with it, you must configure SharePoint Server to use the AD RMS cluster:

To enable Information Rights Management in Office SharePoint Server

  1. Log on to your SharePoint server as an administrator.
  2. Click Start, point to Administrative Tools, and then click SharePoint Central Administration.
  3. Click Operations, and then click Information Rights Management.
  4. Select the Use the default RMS server specified in Active Directory option, and then click OK. NOTE: If you don't use the default RMS server, you must specify the servername preceded by HTTP:// or HTTPS:// in the "Use this RMS Server" option.

See Also