AD RMS - Frequently Asked Questions (FAQ)

AD RMS - Frequently Asked Questions (FAQ)

This article offers a list of common questions related to Active Directory Rights Management Service (AD RMS) and is organized by audience.

AD RMS FAQs for:

Table of Contents


Users / Information Workers

How do I configure IP Viewer for templates locations?

​IPViewer.exe depends upon AD RMS 2.1 to load templates and connect to an RMS server. With the release of AD RMS 2.0, the registries for configuring which templates to load and which RMS server to use changed. Please take a look at the AD RMS Client 2.0 Settings (http://technet.microsoft.com/library/jj159267(v=ws.10).aspx) for more information. 

Can IP Viewer be used for bulk operations?

IP Viewer is meant to be a user-driven feature and thus does not provide automation or scripting support. RMS Bulk Protection tool still works with MSDRM and because of this, won't work with O365. The Bulk Protection Tool will be the primary feature driving automated protection with O365. We are undertaking the task of updating Bulk Protection Tool with File API (adding O365 support) in the months to come

What about ad hoc policy support in IP Viewer?

Ad hoc policies are not supported currently. Please only open content protected using templates.

Can AD RMS be defeated by rolling back a local clock to within a caching period?

Applications built on MSDRM or MSIPC (e.g., Office2007/2010/15, etc) all have clock rollback protection built in.  Simply setting the clock backwards will be detected and you’ll be forced to hit the RMS server.


IT Professionals

 

 I got this message from Office trying to open a protected mail, what should I do? "This content could not be accessed using your current credentials.  Do you want to use your Microsoft account to access this content?" 

Close Office and run this command:  rd /q /s "%LOCALAPPDATA%\Microsoft\MSIPC"

Where should I post my AD RMS questions?

If you need an answer that is not covered on this page or linked to from this page, you will probably get it quickest through search.

However, if you cannot find the answer, you can post your rights management services questions to the Rights Management Service (http://social.technet.microsoft.com/Forums/en-US/rms/threads) forum. Please, be sure to search the forum before posting, to see if that question has already been answered in another thread. If you find that you've got a commonly asked question and answer, please, add it to this article.

Which blogs should I follow for AD RMS?

Where can I find the overviews for AD RMS?

Does AD RMS work on Windows Mobile devices?

Yes, see the How Do I Use AD RMS in Windows Mobile. Also look to the new AD RMS SDK 3.x release information in the developer section below.

How do I control which users can access AD RMS?

Controlling who can use access AD RMS within forests where it has been deployed can be done through two different and non-mutually exclusive approaches:

  1. Configuring clients to disable IRM UI elements in Office.

    In Office 2003 and later you can set the HKCU\Software\Microsoft\Office\X.0\Common\DRM\Disable DWORD registry value to 1 to eliminate all AD RMS integration features in Office (the X must be replaced by the Office version. For example, "11" being Office 2003, "12" for Office 2007 and "14" for Office 2010). Users with this value set will not be able to protect new content nor access protected content in any Office applications. In Office 2007 and later you can alternatively use the HKCU\Software\Microsoft\Office\X.0\Common\DRM\DisableCreation DWORD value set to 1 to disable the menu options and ribbon buttons that allow users to protect messages, while retaining the ability to consume, modify and reply to protected content as allowed by the document’s policy.

    Note   Keep in mind that if using a 32 bit version of Office on a 64 bit operating system you will need to put the aforementioned registry values under the HKCU\Software\WoW6432node registry key.

    Other RMS-enabled applications might provide similar capabilities. It is recommended to deploy these settings to the clients through GPO by creating groups for RMS-enabled and non-RMS enabled users and targeting GPOs with the appropriate values to the different users.

  2. Blocking access to AD RMS services at the server.

    By applying Access Control Lists to the Certification and Licensing URLs in the AD RMS servers you can block users from obtaining Licenses and Rights Account Certificates and thus from participating in the AD RMS environment. This option will not make the UI elements in Office disappear, and will cause users to see prompts for authentication, so whenever possible the other solution should be used.

It is not recommended to control who can access AD RMS by limiting deployment of the RMS client since this will result in poor user experience and potentially help-desk calls when the users manually install the client as instructed by the Office wizards.

In MOSS, what’s the effect of setting “users must verify their credentials every 0 days”?

It has the effect of disabling the need to verify credentials, making licenses valid indefinitely (or for as long as the user���s RAC and the content are valid). It does not set the duration of the licenses to 0 days.

What are the registry overrides I can use?

A list of valid registry overrides for the RMS client, Office applications, RMA and the XPS client can be accessed at AD RMS Settings (http://technet.microsoft.com/en-us/library/dd941629.aspx).

What are the changes in IRM/RMS registry settings for Office 2010?

For Office 2010, the AD RMS registry settings remain consistent with settings documented and used in earlier versions of AD RMS and Microsoft Office. The location in the Windows registry, however, has been changed and updated to a new location. Office registry settings for IRM in Office 2010 need to be configured under the HKCU\Software\Microsoft\Office\14.0\Common\DRM\ registry key. 32 bit versions of Office running on a 64 bit Operating System need the registry values to be put under HKCU\Software\WoW6432Node\Microsoft\Office\X.0\Common\DRM\ key.

How can I protect PDF/ZIP/RAR/other files?

For Adobe PDF formatted documents, several partners such as GigaTrust (http://www.gigatrust.com/), Secure Islands (http://www.secureislands.com/),  and Foxit Software (http://www.foxitsoftware.com/rms/) offer security suite products that implement AD RMS support for IRM on PDF files. For more information on other file formats , see AD RMS Supported Files (http://blogs.msdn.com/b/rms/archive/2010/03/12/ad-rms-supported-files.aspx).

How can I audit user access to protected content?

AD RMS logs information in the AD RMS logging database every time a license is acquired but since document protection is performed offline there are no references in the database to document names or other identifiers created when a document is protected. By extracting the GUID of the document of interest (it can be seen as clear text when opening the document in a text editor) and looking it in the logging database, you can find out which users have acquired licenses to consume the document. The document’s GUID can be found within the <WORK><OBJECT type="Microsoft Office Document"> <ID type="MS-GUID"> in the file. The GUID has to be looked up in the logging tables described in AD RMS Logging Database Tables (http://technet.microsoft.com/en-us/library/dd772686(WS.10).aspx).

What’s the support story for iPhone/iPad/Blackberry?

Our AD RMS partners provide solutions for accessing protected content on third party devices. GigaTrust in particular provides solutions for accessing protected email and documents on iPhone, iPad and BlackBerry devices.

What happens if I set the RAC validity duration to zero?

By default, a standard RAC is valid for 365 days and a temporary RAC is valid for 15 minutes. After the end of these periods, users must acquire new certificates when they attempt to acquire publishing or use licenses. The manner in which the RAC is renewed depends on the AD RMS-enabled application. In some cases, it might be transparent; in others, the user might need to actively submit a request.

In a default AD RMS configuration, the standard RAC validity period would be in effect for a 365 day lifetime. This means RAC files could be cached on user computers for up to a year. (RAC files are stored in %userprofile%\Local Settings\Application Data\Microsoft\DRM folder.) By using the AD RMS console to set a duration of zero days for the standard RAC validity period, standard caching of RAC files is effectively blocked. This necessitates maintaining online access to the AD RMS server as temporary RAC files would only remain valid for 15 minutes. This forces users computers to ask the AD RMS server for new licenses the next time they need to encrypt/decrypt content if it was not within the window where the temporary RAC was valid and in effect. Such a setting could be effective for installations where users are accessing AD RMS-enabled content from public computers such as airport kiosks or Internet cafes.

For more information, see Specify the Rights Account Certificate Validity Duration (http://technet.microsoft.com/en-us/library/cc732630.aspx).

How can I deploy AD RMS if I can’t register the SCP?

You can configure clients to activate using a specific AD RMS cluster URLs by pre-provisioning them through registry values or GPOs. The registry values to use to configure RMS clients are documented at AD RMS Settings (http://technet.microsoft.com/en-us/library/dd941629.aspx).

I’m trying to set up AD RMS, but the Setup Wizard can’t find my SQL Server. What’s wrong?

There are a couple of possible reasons as to why AD RMS Setup is not finding SQL Server. One possibility is that you might need to be specifying a non-standard TCP port for AD RMS to locate and communicate with the SQL server computer. For more information, see Specifying a nonstandard SQL port when installing AD RMS (http://blogs.msdn.com/b/rms/archive/2010/12/01/specifying-a-nonstandard-sql-port-when-installing-ad-rms.aspx).

Another possible reason for the inability to access SQL Server could be that the AD RMS service lacks Sysadmin rights on the AD RMS configuration database. When AD RMS is installed, an AD RMS configuration database is created on the database server. This database holds the configuration data for the AD RMS cluster. If the configuration database cannot be created during installation, AD RMS will not install. In order to create this database on the database server the user account that’s being used to install AD RMS needs to have permissions to create databases on the database server, which requires the Sysadmin role to be granted to this account on SQL Server. These rights can be removed after all AD RMS nodes are installed. For more information on these requirements see Event ID 193 — AD RMS Cluster Installation (http://technet.microsoft.com/en-us/library/cc726159(WS.10).aspx).

If granting these rights is not possible due to the database server being shared with other sensitive workloads, it is possible to configure AD RMS to use another temporary database and then backup and restore these databases to the final server without requiring Sysadmin rights to be granted.

Also, if a CName or other DNS alias is used to refer to the database server from AD RMS (as is highly recommended) the HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\DisableStrictNameChecking DWORD registry value needs to be set to 1 on the database server in order for this system to recognize being invoked with the DNS alias.

How can I use licensing clusters for SharePoint?

If you want to use a licensing-only cluster to provide licenses to SharePoint you have to indicate SharePoint to use the specific AD RMS licensing URL in the SharePoint configuration UI.

To configure the AD RMS licensing URL in Microsoft Office SharePoint Server

  1. Log on to the SharePoint server as a portal administrator.
  2. Click Start, point to Administrative Tools, and then click SharePoint 3.0 Central Administration.
  3. Click Operations, then click Information Rights Management.
  4. Select the Use this RMS Server and then enter in the text entry field the URL of the AD RMS Licensing-Only cluster to use.

When are documents encrypted / decrypted when uploaded/downloaded from SharePoint?

When a SharePoint library is protected with AD RMS, documents will be protected with an ad-hoc policy each time a document is downloaded by a user. The policy will grant rights to the user downloading the document (and only to that user) based on the rights the user has on the SharePoint library. When a document that has been protected by SharePoint when downloaded is uploaded back to the library SharePoint will remove protection from the document before storage. For more information on how AD RMS and Microsoft Office SharePoint Server integrate together, you can review the diagram and IRM permissions table in Integrating AD RMS and SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/ee259515(WS.10).aspx) on the TechNet Library site.

What versions of Microsoft Office are supported for AD RMS?

For more information on the specific support for AD RMS within various releases of Microsoft Office, see AD RMS and Microsoft Office Deployment Considerations (http://technet.microsoft.com/en-us/library/dd772697(WS.10).aspx) on the TechNet Library site.

Can I control printing of SharePoint docs on a per-doc, per-user, per-printer basis?

Currently, there is no native support in AD RMS for controlling management of printing rights at these levels for IRM solutions that use Microsoft Office SharePoint Server. It is possible other third party AD RMS products and solutions might address some of these requirements.

Can I use dynamic or query-based distribution groups with AD RMS?

Yes, dynamic or query-based distribution groups are supported with AD RMS as long as they are mail-enabled and universal.  Although Dynamic DLs are supported, ADRMS only supports one level of nesting, Dynamic DL => User.  It does not support the following scenarios:

  • A dynamic DL is a member of another group: Group => Dynamic DL => User
  • A dynamic DL includes other group: Dynamic DL => Group => User

We’re changing everyone’s e-mail address. How can I make sure they can still open previously protected content?

You need to add each user’s original email address to the user's proxyAddresses attribute in Active Directory. AD RMS will continue to license content to users whose proxyAddresses attribute contains an address that matches a subject of rights in the document’s policy. For more information on updating the proxyAddresses attribute using Windows Script, see How Can I Add an Email Address to the proxyAddresses attribute? (http://blogs.technet.com/b/heyscriptingguy/archive/2005/05/10/hey-scripting-guy-how-can-i-add-an-email-address-to-the-proxyaddresses-attribute.aspx) on the Scripting Guys blog site.

Does Windows XP support RMS 2048-bit keys?

No, you will have to upgrade to a more recent operating system (e.g. Windows Vista, Windows 7) to get 2048-bit key support.

Can I use secured storage location such as SmartCards or HSMs to store my AD RMS encryption keys at each client?

By design, AD RMS enables secure storage and management of its encryption keys and certificates using either a certificate service provider (CSP) or a hardware service module (HSM) installed at the server. To provide sufficient security for the enterprise while removing the need for user-level key management, this functionality was not extended to the client. With current AD RMS secure design, end users do not need to understand the details or implications of secure cryptographic storage and key management and therefore, should not be involved with choosing the appropriate location for keys.

Will Windows Azure AD Rights Management be offered as an on-premise hosted service within corporations who are wary of entrusting their private keys with Microsoft?

Windows Azure AD Rights Management is a variant of Active Directory Rights Management Services (AD RMS), which is Microsoft's on-premise offering. The multi-tenanted, scale-out, elastic-computing nature of Windows Azure AD Rights Management does not make sense with on-premise deployment. e.g.: Deploying and running the smallest scale unit of the Windows Azure AD Rights Management service would make AD RMS installation seem trivial by comparison.

Developers

AD RMS SDK 2.x / File API

What does it mean when you say that IPC_LI_APP_SPECIFIC_DATA doesn't work with templates?

In my scenario it worked fine: IpcCreateLicenseFromTemplateId(), IpcSetLicenseProperty() and IpcfEncryptFile(license created just before).

Templates are designed so that they work "by reference".

For example:

  1. admin configures a template "A" = { user1: VIEW, user2: FULL } 
  2. you protect content to template "A" 
  3. admin removes user1 from template "A" = { user2: FULL} 
  4. the content you protected in step #2 is automatically updated with the new policy 

When you use IPC_LI_APP_SPECIFIC_DATA, you're essentially creating a "from scratch" policy that won't be updated dynamically. Protection will succeed, but you've lost the template backing your policy (i.e., step #4 won’t work)

What is the rate of protection of files using the File API?

Microsoft's IP Team has yet to benchmark the rate of file protection but much of the codepath used by the File API is already in the highly scrutinized Exchange transport pipeline (which is used for protecting Office Documents).

What is the best way to retrieve information (previously stored key-value-pairs, etc.) from an encrypted file? 

If you're storing non-RMS data with the file, you're probably best off creating your own metadata and not using our APIs. 
If you're storing data that applies on a per-license basis (i.e., data that's part of the RMS policy), then you've got two options: 

  1. Use IPC_LI_APP_SPECIFIC_DATA_NO_ENCRYPTION. This is preferred where possible because you can use it with templates. This data is signed, but not encrypted.
  2. Use IPC_LI_APP_SPECIFIC_DATA. This should be used only when you *must* store policy data encrypted with the policy. It doesn't work with templates.

NEVER try and parse the XrML in your application. We'll break you every time we change the license format.

Is there a way to calculate and display the effective rights of a user before a template (security group) is applied?

Currently we handle group expansion on the RMS server side. It's a very difficult algorithm to get right, and we've got a *lot* of code for it. I would advise strenuously against trying to duplicate this code in your client. Consider this approach; effect a dummy protect followed by an IpcAccessCheck() in order to calculate the users rights. This lets you offload all of this complicated logic to the server. It won't be speedy, but it won't be any slower than doing the group expansion yourself. You'll need to set the NO_PERSIST flags when you're serializing the license. If you're using the FileAPI, the next drop will have NO_PERSIST flags for IpcfEncryptFile as well.

When will SDK 2.1 and File API be released?

The current plan is to release by early April 2013.

Is it possible to add / replace protectors?

​It is not possible to add/remove / replace protectors with File API.

How does the default language behavior work with functions that take an LCID parameter?

Use 0 for the default locale. In this case, Active Directory Rights Management Services Client 2.0 looks up names and descriptions in the following sequence and retrieves the first available one: 1. User preferred LCID. 2. System locale LCID. 3. The first available language specified in the Rights Management Server (RMS) template. If no name and description can be retrieved, an error is returned. There can be only one name and description for a specific LCID. 

The license buffer returned from SerializeLicense in this case appears to be a Unicode string, is that due to the IPC_LI_DEPRECATED_ENCRYPTION_ALGORITHMS flag?

The AD RMS 2.0 SDK normally uses UTF-8 for the serialized licenses it returns to reduce the increase of the overall file size that is generated. Since MSDRM only understands Unicode licenses,  AD RMS returns Unicode serialized licenses when this flag is present.

Is there a way to enable remote debugging on an AD RMS site?

The AD RMS server does not allow remote debugging. A few options that you have are the following: go through the reporting logs. enable tracing on the AD RMS server, which provides detailed logs. enable debugging through Checked builds. Of these options, enabling tracing is probably the most powerful and typically your best option. For more information, see AD RMS Troubleshooting: server-side tracing

What encryption algorithm does IPC_LI_DEPRECATED_ENCRYPTION_ALGORITHMS

Currently, the IPC_LI_DEPRECATED_ENCRYPTION_ALGORITHMS flag specifically refers to the cipher mode used as the symmetric content key is applied to the content. Using this flag downgrades the cipher mode from the default of CBC4K to ECB mode. Over time, however, this flag may also refer to any other changes needed to maintain MSDRM compatibility.

Is there a non-programmatic way to recognize whether a file is already protected with AD RMS?

There’s no direct way of knowing that a file has been encrypted by AD RMS. Using the IpcfIsFileEncrypted() method of the SDK is the quickest way to do so.

Is it possible to also encrypt/decrypt, using File API Beta SDK, such files as stream data?

Stream-based API support has been a consistent ask. It is not available for the current release but we are looking at this.

How can we invoke all IPC methods with invisible or silent mode?

The easiest way to solve this is by using server (IPC_API_MODE_SERVER) mode. When this mode is used, it ensures that we use do not show any privacy prompts. For more information,

API Mode Values  in the AD RMS SDK 2.1 docs.

AD RMS SDK 3.x (iOS, Android, Windows Store Apps)

When is Mac and WP8 SDK coming?

​It is in the works. You'll hear from us in the next couple of months

When will you support creating ad-hoc policies with RMS SDK v3?

​We are in the process of studying this. No firm dates yet but the feature is in consideration

Do you protect and display video files as well in RMS SDKs?

We don't support that yet. At present we do support enabling video files to be wrapped into Pfiles.

What’s the default encryption algorithm without the IPC_LI_DEPRECATED_ENCRYPTION_ALGORITHMS flag set?

The default encryption algorithm without the IPC_LI_DEPRECATED_ENCRYPTION_ALGORITHMS flag set is CBC4K. 

Will the new  RMS SDKv3 support AD RMS (or will it always require Azure AD RM connectivity)?

At this time it requires Azure AD RM connectivity. We've made this bet given collaboration needs and their reliance on a cloud identity broker.

Why does the Logon screen pop up a few times with a blank screen after I correctly enter my credentials?

This is a known issue that will be solved in one of the future releases.

I don’t see Ad-hoc Policy selection UI in the protection workflow. Why?

This is being worked upon for a later release.

How will the new SDKs work with AD RMS on-prem servers?

The new SDKs work only with Azure AD RM. As you learnt in the webinar, we will enable the AD RMS-AADRM hybrid scenarios on the server side.

How do get new organizational tenants to try out the SDK and sample application?

To request credentials for Azure AD RM test organizations, please email rmcstbeta@microsoft.com.

I don’t see any test hierarchy discussion here in the documentation. Why?

There’s no test hierarchy concept with the new RMS SDKs. You will always work with the production hierarchy.

Which programming languages do you support for Windows RT application development?

C# for now. We are investigating supporting other programming languages for later milestones.

After I enter proper credentials, I receive the "ADRMS 3.0 SDK Error" message. What might be the reason?

Your device might have moved between mobile and wireless networks and its IP address has changed. You might have tried to consume content published by a user from a tenant that is currently unsupported.

I'm trying to protect or consume content for the first time on the device, and I immediately received the "ADRMS 3.0 SDK Error" message. What might be the reason?

You might have skipped steps required to install certifications on your device. For installation instructions, see the README located in the cer directory in the installation package.

You might have tried to consume content published by a user from a tenant that is currently unsupported.

I included the support package in my Android Java project, and my build failed. Why?

Android support package is already included as part of the ADRMS 3.0 SDK and should not be referenced again from the development project.

How will the new APIs support application validation?

The details remain to be defined but Microsoft's Information Protection (IP) team has acknowledged that the operating environments that the new APIs are designed to be run in pose some new challenges. The concept that Microsoft's IP team is now tracking and considering is similar to how modern App stores support "AppIDs".

 

See Also


Sort by: Published Date | Most Recent | Most Useful
Comments
Page 1 of 1 (2 items)