Thales nShield HSM: ADRMS Integration Guide for Windows Server 2008 and Windows Server 2008 R2. www.thales-esecurity.com




Version: 1.0
Date: 11 June 2012

Copyright 2012 Thales e-Security Limited. All rights reserved.

Copyright in this document is the property of Thales e-Security Limited. It is not to be reproduced, modified, adapted, published, translated in any material form (including storage in any medium by electronic means whether or not transiently or incidentally) in whole or in part nor disclosed to any third party without the prior written permission of Thales e-Security Limited, neither shall it be used otherwise than for the purpose for which it is supplied.

CodeSafe, KeySafe, nCipher, nFast, nForce, nShield, payShield, and Ultrasign are registered trademarks of Thales e-Security Limited. CipherTools, CryptoStor, CryptoStor Tape, keyAuthority, KeyVault, nCore, netHSM, nFast Ultra, nForce Ultra, nShield Connect, nToken, SafeBuilder, SEE, and Trust Appliance are trademarks of Thales e-Security Limited. All other trademarks are the property of the respective trademark holders.

Information in this document is subject to change without notice. Thales e-Security Limited makes no warranty of any kind with regard to this information, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Thales e-Security Limited shall not be liable for errors contained herein or for incidental or consequential damages concerned with the furnishing, performance or use of this material.

These installation instructions are intended to provide step-by-step instructions for installing Thales software with third-party software. These instructions do not cover all situations and are intended as a supplement to the documentation provided with Thales products.

Disclaimer: Thales e-Security Limited disclaims all liabilities regarding third-party products and only provides warranties and liabilities with its own products as addressed in the Terms and Conditions for Sale.

Contents

Chapter 1: Introduction
  Supported Thales nShield functionality
  Requirements
Chapter 2: Procedures
  Install the HSM
  Install the nShield support software and create the security world
  Set up the infrastructure
  Install and configure AD RMS
    Add ADRMSADMIN to the Enterprise Admins group
    Install Active Directory Certificate Services (Standalone root CA)
    Create a new alias (CNAME)
    Install and configure AD RMS as a root cluster
    Open the Active Directory Rights Management Services console
  Verify AD RMS functionality
  Uninstall AD RMS
  Unregister AD RMS Service Connection Point (SCP)
Chapter 3: Troubleshooting
Addresses

Chapter 1: Introduction

This guide explains how to integrate Active Directory Rights Management Services (AD RMS) with a Thales nShield Hardware Security Module (HSM). We have thoroughly tested the instructions in this document. They provide a straightforward integration process. There may be other untested ways to achieve interoperability. This document may not describe every step of the software setup process.

This document assumes that you have read your HSM documentation, and that you are familiar with the documentation and setup process for AD RMS.

The HSM secures the AD RMS Cluster Key generated and used by AD RMS. You can integrate AD RMS with an HSM by using the nCipher MSCAPI interface. The benefits of using an nShield HSM with AD RMS are:
- Secure storage of the AD RMS Cluster Key.
- FIPS 140-2 level 3 validated hardware.
- Full life cycle management of the keys.
- Failover support.
- Load-balancing between modules.

For an overview of AD RMS, see the online documentation at http://technet.microsoft.com/en-us/library/cc771627.aspx.

The integration between the HSM and AD RMS has been successfully tested in the following configurations:

Operating system                    AD RMS version   Security World Software version   nShield Solo support   nShield Connect support   nShield Edge support
Windows Server 2008 32 bit SP1      2.0              11.50                             Yes                    Yes                       Yes
Windows Server 2008 64 bit SP1      2.0              11.50                             Yes                    Yes                       Yes
Windows Server 2008 R2 64 bit SP1   2.0              11.50                             Yes                    Yes                       Yes

For more information about OS support, contact your Microsoft sales representative or Thales Support. For more information about contacting Thales, see Addresses at the end of this guide.

Additional documentation produced to support your Thales nShield product is in the document directory of the CD-ROM or DVD-ROM for that product.

Note: Throughout this guide, the term HSM refers to nShield Solo modules, netHSM, and nShield Connect products. (nShield Solo products were formerly known as nShield.)

Supported Thales nShield functionality

You can access the following Thales nShield functionality when you integrate an HSM with AD RMS:

Feature                Supported
Key Management         Yes
Key Recovery           Yes
Key Generation         Yes
Key Import             No
Module-only Key        Yes
Soft Cards             No
K-of-N Card Set        No
FIPS 140-2 level 3     Yes
Load Balancing         Yes
Fail Over              Yes

Requirements

Before you begin the integration process, ensure that you familiarize yourself with the documentation and setup process for AD RMS and have access to a copy of the User Guide. You need to know the following information before you run the setup program:
- The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and a policy for managing these cards.
- Whether the application keys are protected by the module or an Operator Card Set (OCS).
- The number and quorum of Operator Cards in the OCS, and a policy for managing these cards.
- Whether the security world must comply with FIPS 140-2 Level 3.
- Key attributes, such as the key size, persistence, and time out.

For more information on administering an nShield module, see the User Guide.

Note: K-of-N functionality is not currently supported, which means you must create a 1/N OCS.

Chapter 2: Procedures

The installation and configuration is performed in several steps:
1. Install the HSM.
2. Install the Security World Software and configure the nShield HSM.
3. Set up the infrastructure.
4. Install and configure AD RMS.
5. Verify AD RMS functionality.
6. Uninstall AD RMS.

Install the HSM

Install the HSM using the instructions in the Quick Start Guide for the HSM. We recommend that you install the HSM before configuring the nShield support software.

Install the nShield support software and create the security world

To install the nShield support software and create the security world:
1. Install the latest version of the nShield support software as described in the User Guide.
   Note: We recommend that you always uninstall any existing nShield support software before installing the new nShield support software.
2. Initialize a security world using the MSCAPI wizard, with module protection or a 1/N OCS without passphrase as the key protection method.
   Note: Do not select the Always use the wizard when creating or importing keys option while creating the security world.

Set up the infrastructure

To prepare your AD RMS test environment in the NCIPHER domain, you must complete the following tasks:
1. Configure the domain controller on NCIPHER-DC.
2. Configure the AD RMS database computer on RMS-DB.
3. Configure the AD RMS root cluster computer on RMS-SRV.
4. Configure the AD RMS client computer on RMS-CLNT.

For more information about setting up the infrastructure, see the online documentation at http://technet.microsoft.com/en-us/library/cc772140.aspx.

Install and configure AD RMS

Server Manager handles the installation and configuration of AD RMS. The first server in an AD RMS environment is the root cluster. An AD RMS root cluster is composed of one or more AD RMS servers configured in a load-balancing environment. These step-by-step instructions explain how to install and configure a single-server AD RMS root cluster.

Registering the AD RMS service connection point (SCP) requires that the installing user account is a member of the Active Directory Enterprise Admins group.

Add ADRMSADMIN to the Enterprise Admins group

To add ADRMSADMIN to the Enterprise Admins group:
1. Log on to NCIPHER-DC with the ncipher\administrator account (or another user account in the Domain Admins group).
2. From the Start menu, select Administrative Tools > Active Directory Users and Computers.
3. In the console tree, expand ncipher.com, right-click Users, and select New > User.
4. Enter adrmsadmin as the first name and full name, and then click Next.
5. Enter the password for the user, click Next, and then click Finish.
6. Right-click adrmsadmin and select Properties.
7. Enter the email address adrmsadmin@ncipher.com, and click OK.
8. Double-click Enterprise Admins.
9. Click the Members tab, and then click Add.
10. Type adrmsadmin@ncipher.com, and then click OK.

Install Active Directory Certificate Services (Standalone root CA)

To install Active Directory Certificate Services:
1. Log on to RMS-SRV as ncipher\adrmsadmin.
2. From the Start menu, select Administrative Tools > Server Manager.
3. If the User Account Control dialog box appears, confirm that the action it displays is correct, and click Continue.
4. In the Roles Summary box, click Add Roles.
5. The Add Roles Wizard is displayed. Read the Before You Begin section, and click Next.
6. On the Select Server Roles page, select the Active Directory Certificate Services check box, and click Next.

Follow the online instructions to complete the installation.

Create a new alias (CNAME)

To create a new alias:
1. Log on to NCIPHER-DC as ncipher\administrator.
2. Open DNS Manager from Programs > Administrative Tools > DNS.
3. Expand Forward Lookup Zones, and right-click ncipher.com.
4. Select New Alias, and enter rmsncp as the alias name.
5. In the Fully qualified domain name (FQDN) for target host field, browse to the RMS-SRV machine.
6. Click OK.
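The two NCIPHER-DC procedures above (placing adrmsadmin in Enterprise Admins, and creating the rmsncp CNAME) can also be done from a command prompt, which is easier to repeat and to review. The following PowerShell script is an added example and not part of the Thales guide; it uses the dsadd, dsget and dnscmd tools that ship with Windows Server 2008 and 2008 R2 domain controllers, and assumes the guide's lab names (ncipher.com, NCIPHER-DC, RMS-SRV, rmsncp).

```powershell
# Added example, not from the Thales guide: command-line equivalent of the
# "Add ADRMSADMIN to the Enterprise Admins group" and "Create a new alias (CNAME)"
# procedures. Run on NCIPHER-DC as ncipher\administrator in an elevated prompt.
# Lab names below follow the guide; adjust them for your own forest.

$domainDn  = 'DC=ncipher,DC=com'
$userDn    = "CN=adrmsadmin,CN=Users,$domainDn"
$eaGroupDn = "CN=Enterprise Admins,CN=Users,$domainDn"
$dnsServer = 'NCIPHER-DC'
$zone      = 'ncipher.com'
$alias     = 'rmsncp'
$target    = 'rms-srv.ncipher.com.'   # trailing dot = absolute name, not relative to the zone

# 1. Create the adrmsadmin account. '-pwd *' prompts for the password instead of
#    leaving it on the command line; '-memberof' places the account directly in
#    Enterprise Admins, which registering the SCP during AD RMS setup requires.
dsadd user $userDn -samid adrmsadmin -upn "adrmsadmin@$zone" -fn adrmsadmin `
    -display adrmsadmin -email "adrmsadmin@$zone" -memberof $eaGroupDn -pwd * -disabled no
if ($LASTEXITCODE -ne 0) { throw "dsadd failed with exit code $LASTEXITCODE" }

# 2. Create the CNAME that the cluster URL https://rmsncp.ncipher.com resolves
#    through. The wizard's Fully-Qualified Domain Name must be exactly this alias.
dnscmd $dnsServer /RecordAdd $zone $alias CNAME $target
if ($LASTEXITCODE -ne 0) { throw "dnscmd failed with exit code $LASTEXITCODE" }

# 3. Check both results before moving on to RMS-SRV.
$memberOf = dsget user $userDn -memberof
if (-not ($memberOf | Where-Object { $_ -like "*$eaGroupDn*" })) {
    throw 'adrmsadmin is not a member of Enterprise Admins'
}
$entry = [System.Net.Dns]::GetHostEntry("$alias.$zone")
'{0}.{1} -> {2} [{3}]' -f $alias, $zone, $entry.HostName, ($entry.AddressList -join ', ')
```

Because the account ends up in Enterprise Admins, keep it to the SCP registration and AD RMS administration tasks the guide describes, and use the GUI steps above if you prefer to inspect each change as it is made.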

Install and configure AD RMS as a root cluster

To add the AD RMS Server Role:
1. Log on to RMS-SRV as ncipher\adrmsadmin.
2. From the Start menu, select Administrative Tools > Server Manager.
3. If the User Account Control dialog box appears, confirm that the action it displays is correct, and click Continue.
4. In the Roles Summary box, click Add Roles.
5. The Add Roles Wizard is displayed. Read the Before You Begin section, and click Next.
6. On the Select Server Roles page, select the Active Directory Rights Management Services check box. The Role Services page appears, informing you of the role services and features that AD RMS depends on.
7. On the Features page, ensure that Web Server (IIS), Windows Process Activation Service (WPAS), and Message Queuing are listed, and then click Add Required Role Services. Click Next.
8. Read the AD RMS introduction page, and then click Next.
9. On the Select Role Services page, ensure that the Active Directory Rights Management Server check box is selected, and click Next.
10. Select the Create a new AD RMS cluster option, and then click Next.
11. Select the Use a different database server option.
12. Click Select, type RMS-DB in the Select Computer dialog box, and then click OK.
13. In Database Instance, click Default, and then click Validate.
14. Click Next.
15. Click Specify, type ncipher\adrmssrvc, type the password for the account, click OK, and then click Next.
16. Ensure that the Use CSP key storage option is selected, and then click Next.
17. On the Specify AD RMS Cluster Key page, select nCipher Enhanced Cryptographic Service Provider from the menu, and then click Next.
18. Select the web site where AD RMS is to be installed, and then click Next. In an installation that uses default settings, the only available web site should be Default Web Site.
19. Select the Use an SSL-encrypted connection (https://) option.
20. In the Fully-Qualified Domain Name box, type rmsncp.ncipher.com, and then click Validate. If validation succeeds, the Next button becomes available.
21. Click Next.
    Note: Ensure that the Fully Qualified Domain Name and the CNAME are the same.
22. Select the Choose a certificate for SSL encryption later option, and then click Next.
23. Type rmsncp in the Friendly Name field, and then click Next.
24. Ensure that the Register the AD RMS service connection point now option is selected, and then click Next to register the AD RMS service connection point (SCP) in Active Directory during installation.
25. Read the Introduction to Web Server (IIS) page, and then click Next.
26. Keep the Web server default check box selections, and then click Next.
27. Click Install to provision AD RMS on the computer. When the process is complete, click Close.
28. Open IIS Manager. From the Start menu, select Program Files > Administrative Tools > Internet Information Services (IIS) Manager.
29. Click the IIS server.
30. Double-click the Server Certificates icon.
31. On the right-hand side of the IIS Manager window, click the Create Certificate Request link.
32. Fill out the certificate properties page. In the Common name field, enter the same name that you entered for the server licensor certificate (rmsncp), and click Next.
33. On the Cryptographic Service Provider Properties page, select Microsoft RSA SChannel Cryptographic Provider from the menu, and then click Next.
    Note: Because of a certificate licensing issue, you cannot use nCipher CSPs for requesting certificates.
34. Enter the certificate request file name, and click Finish.
35. Send the certificate request to the Microsoft CA (http://rms-srv.ncipher.com/certsrv), and get the certificate.
36. On the right-hand side of the IIS Manager window, click the Complete Certificate Request link.
37. Enter the path of the signed certificate, enter the Friendly name (ensure that this is the same as the server licensor certificate name), and click OK.
38. On the left-hand side of the IIS Manager window, under Sites, click Default Web Site.
39. On the right-hand side of the IIS Manager window, click the Bindings link.
40. In Site Bindings, click Add.
41. Select HTTPS as the protocol, and select the certificate from the menu.
42. Click OK to complete the certificate binding for the SSL connection.
43. Click Restart to restart the IIS server.
44. Log off from the server, and then log on again to update the security token of the logged-on user account. The user account that is logged on when the AD RMS server role is installed is automatically made a member of the AD RMS Enterprise Administrators local group. A user must be a member of that group to administer AD RMS.

The AD RMS root cluster is now installed and configured.

Open the Active Directory Rights Management Services console

1. From the Start menu, select Program Files > Administrative Tools > Active Directory Rights Management Services.
2. If the User Account Control dialog box appears, confirm that the action it displays is correct, and click Continue.

Verify AD RMS functionality

The AD RMS client is included in the default installation of Windows Vista and Windows Server 2008. Before you can consume rights-protected content, you must add the AD RMS cluster URL to the Local Intranet security zone. Do this for all users who are to consume rights-protected content.

Add the AD RMS cluster to the Local Intranet security zone

1. Log on to RMS-CLNT as user_fin (ncipher\user_fin).
2. From the Start menu, select All Programs > Internet Explorer.
3. Select Tools > Internet Options.
4. Click the Security tab, click Local intranet, and then click Sites.
5. Click Advanced.
6. In the Add this website to the zone field, enter https://rmsncp.ncipher.com, and then click Add.
7. Click Close.
8. Repeat the preceding steps for user_mar (ncipher\user_mar) and user_eng (ncipher\user_eng).

Add the Microsoft root certificate to the trusted store

1. Download the Microsoft CA root certificate.
2. Open Microsoft Management Console.
3. Select File > Add/Remove Snap-in > Add.
4. Select Certificates > Add > My User Account > Finish.
5. Select Add Standalone Snap-in.
6. Click OK.
7. Expand Certificates > Current User, then expand Third-Party Root Certification Authorities.
8. Right-click Certificates > All Tasks > Import. The Certificate Import Wizard opens.
9. Click Next, and browse to the path of the Microsoft CA root certificate.
10. Click Next.
11. Keep the default selection, and click Next.
12. Click Finish.
13. Repeat the preceding steps for user_mar (ncipher\user_mar) and user_eng (ncipher\user_eng).
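Steps 28 to 43 of the root cluster procedure above (request the SSL certificate from the standalone CA with the Microsoft RSA SChannel CSP, complete the request, and bind the certificate to Default Web Site) can be scripted with certreq, appcmd and netsh. The following PowerShell script is an added example and not part of the Thales guide. It assumes the guide's host names, that the request subject is the cluster FQDN rmsncp.ncipher.com (the name in the cluster URL that clients check the certificate against), and that you replace the $caConfig placeholder with your CA's `host\CA name` (certutil -dump shows it).

```powershell
# Added example, not from the Thales guide: scripted equivalent of steps 28 to 43
# of "Install and configure AD RMS as a root cluster". Run on RMS-SRV as
# ncipher\adrmsadmin in an elevated prompt.
# ASSUMPTIONS: the subject is the cluster FQDN; $caConfig is a placeholder you replace.

$fqdn     = 'rmsncp.ncipher.com'
$friendly = 'rmsncp'                               # same name as the server licensor certificate
$caConfig = 'rms-srv.ncipher.com\YOUR-CA-NAME'     # PLACEHOLDER: "certutil -dump" shows the real value
$workDir  = Join-Path $env:TEMP 'rms-ssl'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Request parameters. The guide requires the Microsoft RSA SChannel CSP for this
# certificate (the nCipher CSP cannot be used to request it); the AD RMS cluster
# key is unaffected and stays in the HSM. ProviderType 12 = PROV_RSA_SCHANNEL,
# KeySpec 1 = AT_KEYEXCHANGE, KeyUsage 0xA0 = digital signature + key encipherment,
# EKU 1.3.6.1.5.5.7.3.1 = server authentication.
$inf = @"
[NewRequest]
Subject = "CN=$fqdn"
FriendlyName = "$friendly"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
KeySpec = 1
KeyUsage = 0xA0
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@
$infPath = Join-Path $workDir 'rmsncp.inf'
$reqPath = Join-Path $workDir 'rmsncp.req'
$cerPath = Join-Path $workDir 'rmsncp.cer'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Steps 31-35: create the request, submit it, and install the issued certificate.
# A standalone CA usually holds requests as pending: if certreq -submit reports
# that, issue the request in the Certification Authority console and fetch it with
#   certreq -retrieve -config $caConfig <RequestId> $cerPath
# before running certreq -accept.
certreq -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
certreq -submit -config $caConfig $reqPath $cerPath
if (-not (Test-Path $cerPath)) { throw "no certificate at $cerPath yet (request pending?)" }
certreq -accept $cerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

# Steps 38-43: bind the certificate to Default Web Site on port 443 and restart IIS.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fqdn" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "no certificate for CN=$fqdn in LocalMachine\My" }

$appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
& $appcmd set site /site.name:"Default Web Site" "/+bindings.[protocol='https',bindingInformation='*:443:']"
$appId = '{' + [guid]::NewGuid().ToString() + '}'   # any GUID; it only labels the owning application
netsh http add sslcert ipport=0.0.0.0:443 certhash=$($cert.Thumbprint) "appid=$appId"
iisreset
"Bound $($cert.Subject) (thumbprint $($cert.Thumbprint)) to https://${fqdn}:443"
```

If a binding from the wizard or an earlier attempt already exists, appcmd reports the duplicate and netsh refuses to add a second SSL mapping for port 443; remove the old mapping with `netsh http delete sslcert ipport=0.0.0.0:443` before re-running the last block.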
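Both client-side procedures above have to be repeated for user_fin, user_mar and user_eng. The following PowerShell script is an added example and not part of the Thales guide; it applies the same two settings for whichever user runs it, so it can be run once per account or pushed through a logon script, and then checks that both took effect. It assumes the guide's cluster name and that the CA root certificate has already been downloaded to the placeholder path $rootCerPath.

```powershell
# Added example, not from the Thales guide: per-user equivalent of "Add the AD RMS
# cluster to the Local Intranet security zone" and "Add the Microsoft root
# certificate to the trusted store". Run on RMS-CLNT as the user being configured.

$clusterHost   = 'rmsncp'
$clusterDomain = 'ncipher.com'
$rootCerPath   = 'C:\temp\ncipher-root.cer'   # PLACEHOLDER: path to the downloaded CA root certificate

# Internet Explorer keeps per-user zone assignments under ZoneMap\Domains: a DWORD
# named after the scheme, with value 1, places that host in the Local intranet zone.
$zoneKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$clusterDomain\$clusterHost"
if (-not (Test-Path $zoneKey)) { New-Item -Path $zoneKey -Force | Out-Null }
Set-ItemProperty -Path $zoneKey -Name 'https' -Value 1 -Type DWord

# The guide imports the CA root into the current user's Third-Party Root
# Certification Authorities store, which certutil names AuthRoot. Using -user
# keeps the trust decision scoped to this account, as the GUI steps do.
if (-not (Test-Path $rootCerPath)) { throw "root certificate not found: $rootCerPath" }
certutil -user -addstore AuthRoot $rootCerPath
if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }

# Checks: the zone mapping is present, and the root's thumbprint is in the store.
$zoneValue = (Get-ItemProperty -Path $zoneKey -Name 'https').https
$root  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $rootCerPath
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'AuthRoot', 'CurrentUser'
$store.Open('ReadOnly')
$installed = $store.Certificates.Find('FindByThumbprint', $root.Thumbprint, $false).Count -gt 0
$store.Close()
"Local intranet mapping for https://$clusterHost.$clusterDomain present: {0}" -f ($zoneValue -eq 1)
"CA root '{0}' in CurrentUser\AuthRoot: {1}" -f $root.Subject, $installed
```

The thumbprint comparison at the end is the check worth keeping: it confirms that the file you imported is the root the client will actually evaluate, which is what the "This service is temporarily unavailable" entry in the troubleshooting chapter turns on.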

Restrict permissions on a Microsoft Word document

To verify the functionality of the AD RMS deployment, you log on as user_fin and restrict permissions on a Microsoft Word 2007 document so that user_mar can read the document but cannot change, print, or copy it. You then log on as user_mar and verify that permission to read the document has been granted, but that no permission to change, print, or copy it has been granted.

1. Log on to RMS-CLNT as user_fin (ncipher\user_fin).
2. From the Start menu, select All Programs > Microsoft Office > Microsoft Office Word 2007.
3. On the blank document page, type: user_mar can read this document, but cannot change, print, or copy it.
4. Click the Microsoft Office Button, then select Prepare > Restrict Permission > Restricted Access.
5. Select the Restrict permission to this document check box.
6. In the Read box, type user_mar@ncipher.com, and then click OK to close the Permission dialog box.
7. Click the Microsoft Office Button, click Save As, and then save the file as \\RMS-DB\Public\RMS-TST.docx.
8. Log off as user_fin.

View a rights-protected document

1. Log on to RMS-CLNT as user_mar (ncipher\user_mar).
2. From the Start menu, select All Programs > Microsoft Office > Microsoft Office Word 2007.
3. Click the Microsoft Office Button, and then click Open.
4. In the File name box, type \\RMS-DB\Public\RMS-TST.docx, and then click Open. The following message appears: Permission to this document is currently restricted. Microsoft Office must connect to https://rmsncp.ncipher.com:443/_wmcs/licensing to verify your credentials and download your permission.
5. Click OK. The following message appears: Verifying your credentials for opening content with restricted permissions.
6. When the document opens, click the Microsoft Office Button. Notice that the Print option is not available.
7. Close Microsoft Word.
8. Log off as user_mar.

You have successfully installed and demonstrated the functionality of AD RMS, using the simple scenario of applying restricted permissions to a Microsoft Word 2007 document.

Uninstall AD RMS

1. Open Server Manager.
2. Click Roles > Remove Roles. The Remove Roles Wizard opens.
3. Click Next.
4. Deselect Active Directory Rights Management Services, and click Next.
5. When the wizard prompts you, reboot the machine.

Unregister the AD RMS Service Connection Point (SCP)

To unregister the AD RMS SCP:
1. Download the RMS SP2 Administration Toolkit from http://www.microsoft.com/downloads/details.aspx?familyid=bae62cfc-d5a7-46d2-9063-0f6885c26b98&displaylang=en.
2. Install the RMS SP2 Administration Toolkit.
3. Open a command prompt, and navigate to the C:\Program Files\RMS SP2 Administration Toolkit\ADScpRegister folder.
4. Run the command:
   ADScpRegister.exe unregisterscp

Chapter 3: Troubleshooting

Problem: While installing AD RMS, you see the error: Attempt to configure Active Directory Rights Management Server failed. Fail to generate enrolee certificate public key.
Resolution: Ensure that Microsoft SQL Server 2005 is working properly, or reboot the ADRMS-DB machine.

Problem: While installing AD RMS, you see the error: Attempt to configure Active Directory Rights Management Server failed. The AD RMS installation could not determine the certificate hierarchy. If the AD RMS service connection point (SCP) you need to use is registered in Active Directory but is not valid, revise it to make it valid, or create a new SCP, and install AD RMS again.
Resolution: Unregister the AD RMS Service Connection Point (SCP) using the RMS SP2 Administration Toolkit, and install again.

Problem: While installing AD RMS, you see the error: Attempt to configure Active Directory Rights Management Server failed. Provisioning of AD RMS timed out without any specific error. Remove and re-install AD RMS to attempt provisioning again.
Resolution: Recreate the security world with the Always use the wizard when creating or importing keys option unselected, and reinstall AD RMS.
Note: Ensure that the key protection method is neither Softcard nor K-of-N card set protection, because AD RMS does not support these methods.

Problem: When the recipient tries to open the restricted document, they see this error on the RMS client machine (Microsoft Vista SP1): This Service is temporarily unavailable. Microsoft Internet Explorer may be set to Work offline. In Internet Explorer, verify that Work Offline on the File menu is not selected, and try again.
Resolution: Import the Microsoft CA root certificate into the Third-Party Root Certification Authorities store of My User Account, and try again.
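Two of the entries above (an invalid SCP, and clients that do not trust the cluster's certificate) can be confirmed without reinstalling anything. The following PowerShell script is an added example and not part of the Thales guide: run from a domain-joined machine, it reads the AD RMS service connection point from the forest configuration partition and reports the URL it advertises, then opens a TLS connection to that host and records what a client's certificate validation says about it. The forest DN is an assumption taken from the guide's lab; the SCP location is the default documented by Microsoft for AD RMS, so verify it against your own forest if the lookup fails.

```powershell
# Added example, not from the Thales guide: read-only diagnostic for the
# "certificate hierarchy" and "This Service is temporarily unavailable" entries
# in the troubleshooting table. ASSUMPTIONS: $forestDn matches your forest; the
# SCP path is the documented default location for the AD RMS SCP.

$forestDn = 'DC=ncipher,DC=com'
$scpPath  = "LDAP://CN=SCP,CN=Right Management Services,CN=Services,CN=Configuration,$forestDn"

function Test-AdRmsScp {
    # Returns the URL the SCP advertises, or $null when no SCP is registered.
    if (-not [ADSI]::Exists($scpPath)) {
        Write-Warning "No AD RMS SCP at $scpPath (register it during setup, or with ADScpRegister)"
        return $null
    }
    $scp = [ADSI]$scpPath
    $url = $scp.serviceBindingInformation | Select-Object -First 1
    Write-Host "SCP found; it advertises: $url"
    return [string]$url
}

function Test-AdRmsTls([string]$url) {
    # Connects to the advertised host and reports the certificate a client sees.
    # The validation callback records the chain/name errors rather than hiding
    # them, so the output says exactly why a client would refuse the endpoint.
    $uri = [Uri]$url
    $script:tlsErrors = 'None'
    $client = New-Object System.Net.Sockets.TcpClient($uri.Host, $uri.Port)
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:tlsErrors = $errors.ToString()
        return $true     # diagnostic only: never use this to bypass validation elsewhere
    }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($uri.Host)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        Write-Host "$($uri.Host):$($uri.Port) presents $($cert.Subject), issued by $($cert.Issuer), expires $($cert.NotAfter)"
        Write-Host "Validation result on this machine: $script:tlsErrors"
        if ($script:tlsErrors -ne 'None') {
            Write-Warning 'Clients will refuse this endpoint: import the CA root for each user, or fix the certificate name to match the cluster FQDN'
        }
        return $script:tlsErrors
    } finally {
        $ssl.Close()
        $client.Close()
    }
}

$advertised = Test-AdRmsScp
if ($advertised) { Test-AdRmsTls $advertised }
```

A result of `RemoteCertificateChainErrors` points at the missing CA root (the last table entry); `RemoteCertificateNameMismatch` means the certificate's common name does not match the FQDN in the cluster URL, which is the note under step 21 of the root cluster procedure. Run the same script as one of the test users on RMS-CLNT to see the validation result from that user's store.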

Addresses

Americas
2200 North Commerce Parkway, Suite 200, Weston, Florida 33326, USA
Tel: +1 888 744 4976 or +1 954 888 6200
sales@thalesesec.com

Europe, Middle East, Africa
Meadow View House, Long Crendon, Aylesbury, Buckinghamshire HP18 9EQ, UK
Tel: +44 (0)1844 201800
emea.sales@thales-esecurity.com

Asia Pacific
Units 4101, 41/F, 248 Queen's Road East, Wanchai, Hong Kong, PRC
Tel: +852 2815 8633
asia.sales@thales-esecurity.com

Internet addresses
Web site: www.thales-esecurity.com
Support: www.thales-esecurity.com/en/support.aspx
Online documentation: www.thales-esecurity.com/resources.aspx
International sales offices: www.thales-esecurity.com/en/company/contact%20us.aspx