AD RMS Office 2010 does not give right restriction options

  • Question

  • Hi,

    I have installed the AD RMS server role on a dedicated server and followed these instructions: http://technet.microsoft.com/en-us/library/cc753531(v=WS.10).aspx

    I have a domain, let's say contoso.com, and the servers are: ADRMS.contoso.com (MS Server 2012), DC1.contoso.com (MS Server 2008 R2) and DB1.contoso.com (MS Server 2008 R2).

    I have configured the AD RMS service to use the URL https://rms.conto.com; redirections are done by a network traffic controller and DNS, which converts the requested address to a specific IP (FQDN: ADRMS.contoso.com). It uses HTTPS/SSL. I can log on locally to the ADRMS cluster console (Add Cluster > Remote Computer) from the server with the URL rms.conto.com (required a regedit) and can also connect from client machines to https://rms.conto.com/_wmcs/certification/certification.asmx and https://rms.conto.com/_wmcs/licensing/license.asmx. However, I am unable to log on locally to the cluster console using Add Cluster > Local Computer.

    The SCP is created on DC1 with serviceBindingInformation = https://rms.conto.com/_wmcs/certification

    The problem is that when I open Word 2010, create a document and try to do Restrict Permission by People > Restrict Access, it only offers me Microsoft Live ID or Windows Account. If I choose Windows Account, it has a problem contacting the "restricted permission service".

    I have tried clearing the DRM folder at %localAppData%\Microsoft\DRM, but that did not help.

    I also happened to notice a strange log entry on the ADRMS server:

    This Active Directory Rights Management Services (AD RMS) cluster cannot perform an operation on one of the AD RMS databases. Ensure that all AD RMS databases are operating correctly on the network and that the AD RMS service account has read and write permissions to the databases.

    Parameter Reference
    Context: STATIC
    RequestId: N/A
    HelpLink.ProdName: Microsoft SQL Server
    HelpLink.EvtSrc: MSSQLServer
    HelpLink.EvtID: 18456
    HelpLink.BaseHelpUrl: http://go.microsoft.com/fwlink
    HelpLink.LinkId: 20476
    SqlError-0.State: 1
    SqlError-0.Class: 14
    SqlError-0.Server: DB1
    SqlError-0.Message: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
    SqlError-0.Number: 18456

    Microsoft.RightsManagementServices.LowSeveritySqlException
            Message: The Database Engine threw this exception in response to an error that can be corrected by the user, such as a missing database object or entity, possible data inconsistency, transaction deadlock, security setting problems, or SQL command syntax error.  Please examine the SqlError details for more information.
            HelpLink.ProdName: Microsoft SQL Server
            HelpLink.EvtSrc: MSSQLServer
            HelpLink.EvtID: 18456
            HelpLink.BaseHelpUrl: http://go.microsoft.com/fwlink
            HelpLink.LinkId: 20476
            SqlError-0.State: 1
            SqlError-0.Class: 14
            SqlError-0.Server: DB1
            SqlError-0.Message: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
            SqlError-0.Number: 18456
      + System.Data.SqlClient.SqlException
      +         Message: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
      +         HelpLink.ProdName: Microsoft SQL Server
      +         HelpLink.EvtSrc: MSSQLServer
      +         HelpLink.EvtID: 18456
      +         HelpLink.BaseHelpUrl: http://go.microsoft.com/fwlink
      +         HelpLink.LinkId: 20476

    Why does it try to connect to the SQL server (DB1) with the Anonymous account? I have installed AD RMS with the ADRMSADMIN account (with correct permissions) and configured it to use the ADRMSSRVC account as the service account.

    Another thing is that I can't change that service account as ADRMSADMIN from the ADRMS console, because "Next" is greyed out all the time. I always have to log in to the management console using "remote", because "local machine" gives me an error message. Probably this is because the cluster address is different from the machine name that is hosting the service (AD RMS server role).

    The client computers have Windows 7 + Office 2010 Professional Plus. The client computers do not have these registry keys: HKEY_LOCAL_MACHINE\Software\Microsoft\MSDRM, HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\MSDRM, but they do have HKEY_LOCAL_MACHINE\Software\Microsoft\DRM, which is empty.

    HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\DRM is present and has "CachedCorpLicenseServer" and "ServiceLocations" with correct URL values. Should the ServiceLocations be named like "1|2|" 2|2|?

    • Edited by JouniPK Tuesday, June 11, 2013 11:36 AM
    Saturday, May 18, 2013 9:04 AM

Answers

  • The service is now working probably as it should, but now there is a problem with templates not distributing properly and with Office 2013. After spending lots of hours figuring this out and reading the MS ADRMS instructions, I found out that the difference between the RMS clients in Office 2010 and 2013 is that they use different template folders and that the registry keys are found under MSIPC.
    • Marked as answer by JouniPK Friday, August 9, 2013 7:33 AM
    Wednesday, July 17, 2013 8:37 AM
  • On top of the Office versions using different template folders, Office 2010 does not know how to figure out Cryptographic Mode 2. I needed to install this hotfix: http://support.microsoft.com/kb/2627273 to get it working with both Office versions.
    • Marked as answer by JouniPK Friday, August 9, 2013 7:33 AM
    Friday, August 9, 2013 7:33 AM

All replies

  • Any ideas on this issue? Is there some crucial information missing here that could help you pinpoint the reason for this behavior?
    Monday, May 27, 2013 7:02 AM
  • Anything guys?
    Tuesday, June 11, 2013 6:32 AM
  • -- Cross-post --

    Hi JouniPK,

    I think we share a similar problem, at least I get a similar outcome, but in a different configuration. The login I get in Word 2010 is a popup box for Windows Live ID. See my post about "Azure AD RMS and Office 2010".

    I am interested in a solution for a mixed user environment: internal users in an Office 365 / Sharepoint Online domain, plus external users with an individual Microsoft account (name@outlook.com). We don't have an on-premises Active Directory server for this purpose and prefer not to install it.

    Tuesday, June 11, 2013 9:21 AM
  • Is the problem that the domains are different between the server FQDNs and the site? Now, with the new Office 2013 Word, when I try to protect the document with ADRMS (Protect Document > Restrict Access > Connect to Digital Rights Management Servers and get templates), I get a prompt: "Sorry, something went wrong opening Information Rights Management protected content. The request is not supported"
    Friday, June 28, 2013 8:03 AM
  • Hi JouniPK,

    AD RMS creates an SCP during installation, and only one SCP can exist per forest. This SCP provides automatic discovery of the RMS cluster URL; this URL should be: https://rms.contoso.com:433 ... (rms is the alias for your adrms.contoso.com).

    So you have to check this URL on your DC (ADSIEdit.msc) and on your RMS (Cluster properties).

    Good luck,

    Saturday, June 29, 2013 10:22 AM
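A PowerShell version of the SCP check suggested above, added here as an example and not code from the thread: it reads serviceBindingInformation from the AD RMS SCP and compares it with the cluster URL you expect. It assumes the SCP sits at its default location (CN=SCP,CN=RightsManagementServices,CN=Services in the configuration partition), that you run it as a domain user on a domain-joined machine, and that the expected URL is the certification URL from the original post (rms.contoso.com is a constructed value).

```powershell
# Added example (not from the thread): read the AD RMS SCP from the
# configuration partition and compare it with the cluster URL you expect.
# Assumes the SCP is at its default location below
# CN=RightsManagementServices,CN=Services,CN=Configuration.
param(
    # The certification URL you expect in the SCP (constructed value).
    [string]$ExpectedUrl = 'https://rms.contoso.com/_wmcs/certification'
)

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.configurationNamingContext
$scpPath  = "LDAP://CN=SCP,CN=RightsManagementServices,CN=Services,$configNc"

if (-not [ADSI]::Exists($scpPath)) {
    Write-Warning "No AD RMS SCP found at $scpPath; clients cannot auto-discover the cluster."
    return
}

$scp = [ADSI]$scpPath
# serviceBindingInformation is multi-valued; AD RMS normally writes one value.
$bindings = @($scp.serviceBindingInformation) | ForEach-Object { [string]$_ }

foreach ($url in $bindings) {
    # Compare case-insensitively and ignore a trailing slash; scheme, host
    # and path must otherwise match exactly, and the scheme must be https
    # for an SSL-enabled cluster.
    $norm = $url.TrimEnd('/')
    if ($norm -ieq $ExpectedUrl.TrimEnd('/')) {
        Write-Output "SCP OK: $url"
    } else {
        Write-Warning "SCP mismatch: found '$url', expected '$ExpectedUrl'"
    }
    if (-not $norm.StartsWith('https://', [System.StringComparison]::OrdinalIgnoreCase)) {
        Write-Warning "SCP does not use HTTPS: $url"
    }
}
```

Run it once per forest; a mismatch here explains clients that fall back to Windows Live ID instead of finding the on-premises cluster.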
  • I checked the SCP in our AD and it is the same as the ADRMS cluster URL. But I haven't used the port number after the domain part (:443). Is that the problem? Installation of the ADRMS cluster created that SCP, and it can be found in the client computer's registry, but I am not sure which keys are the correct ones and whether some are missing.
    Thursday, July 11, 2013 11:42 AM
  • Ran the IRMCheck and it got me the following report:

    I also ran the sigverif tool to check whether there are any unverified files in the system, but it didn't find any. Office 2013 is successfully installed and running.

    Monday, July 15, 2013 8:30 AM
  • Disabled "ASP.NET Impersonation" from cluster server IIS and now getting somewhere when trying to restrict access to a Word document.
    Monday, July 15, 2013 10:24 AM
  • If your AD RMS is installed with Cryptographic Mode 2 (2048-bit encryption), the following things are required:
      • Windows 7 RTM requires this Windows update (to support Cryptographic Mode 2 - 2048-bit encryption):
        https://support.microsoft.com/en-us/kb/2627272
      • Windows 7 with SP1 requires these updates (to support Cryptographic Mode 2 - 2048-bit encryption):
        https://support.microsoft.com/en-us/kb/2627273
        https://support.microsoft.com/en-us/kb/2843630
      • Office 2010 requires SP2:
        http://www.microsoft.com/en-us/download/details.aspx?id=39667
      • Activate your licenses (Office Professional Plus 2010 is required to download AD RMS templates).

    AD RMS templates do not appear in Outlook 2010
      Define RMS templates from GPO (using Group Policy with the Office Administrative Templates).
       The template path will be "%localappdata%\Microsoft\DRM\Templates".
      Download the templates (http://social.technet.microsoft.com/wiki/contents/articles/3911.how-to-deploy-ad-rms-policy-templates.aspx).
       It still will not work, as your default Office policy files do not properly expand the %localappdata% variable and the GPO setting does not work as expected:
      http://social.technet.microsoft.com/wiki/contents/articles/8197.rms-templates-managed-by-group-policy-admintemplatepath.aspx

    It is better to follow this site to change the registry key (using the same Office GPO from AD); then Office 2010 users will be able to view the RMS templates:
      https://stevenjwkennedy.wordpress.com/2011/02/22/ad-rms-client-side/

    Enable the scheduled task
      The automated scheduled task can be enabled from the command prompt, or through Systems Management Server or Group Policy, by using the following command:
      schtasks /Change /TN "\Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Automated)" /ENABLE

    Change the refresh interval for downloading RMS templates
      (Even if you manually run the scheduled task, by default it will only update after 7 days, as it checks the last-updated time stamp in the local registry key.)
      Run Task Scheduler (if the default refresh interval needs to be changed, change the registry values mentioned below):
       https://technet.microsoft.com/en-us/library/cc771971(v=ws.10).aspx
       http://blogs.msdn.com/b/rms/archive/2009/06/30/templates-distribution-and-why-you-should-care.aspx

    Force RMS templates to download immediately
      Delete the last-updated time stamp from the registry key (HKCU\Software\Microsoft\MSDRM\TemplateManagement\lastUpdatedTime) - delete only the value in it.
      Delete the client templates (the client stores templates here: %userprofile%\AppData\Local\Microsoft\DRM\templates).
      Run the automated task for RMS (the automated scheduled task).


    Q. How often will the automated task run once it's enabled?
     A. Once the task is enabled, the client will fetch templates (assuming it has never done this before). Afterwards, it creates the following registry key and populates it with the current time: HKCU\Software\Microsoft\MSDRM\TemplateManagement\lastUpdatedTime. Moving forward, the task checks the current time against the value in this registry key. If the date is off by 7 days or more, the client attempts to fetch templates again and the lastUpdatedTime is refreshed with the new date.
    Q. So the default period is 7 days - can I change it?
     A. Yes, this can be configured by setting the following registry key: HKCU\Software\Microsoft\MSDRM\TemplateManagement\updateFrequency (DWORD).
    Q. Is the automated task enabled out-of-the-box?
     A. No, the automated task is not enabled when Windows is installed, since the majority of Windows users are not in an enterprise.
    Q. Where does the client store the templates?
     A. The client stores templates here: %userprofile%\AppData\Local\Microsoft\DRM\templates.
    Q. Is this functionality available on Windows XP, Windows Server 2003, or Windows Vista RTM?
     A. No, this functionality is provided only on Vista SP1 and above.
    Q. Is this functionality available for Windows Rights Management Services v1.0 SPx on Windows Server 2003?
     A. No, this functionality is available only on Windows Server 2008 and above.

    Tuesday, September 8, 2015 10:03 AM
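The template-refresh procedure from the reply above (enable the automated task, clear lastUpdatedTime, delete the cached templates, run the task) collected into one PowerShell script; this is an added example, not code from the thread. It assumes an Office 2010 client that uses the MSDRM registry keys (Office 2013 uses MSIPC instead, as the thread notes), that it runs in the affected user's own session, and that updateFrequency is expressed in days, which the page does not state.

```powershell
# Added example (not from the thread): force an immediate AD RMS template
# refresh on a Windows 7 / Office 2010 client. Run as the affected user:
# the key is under HKCU and the cache is under that user's %localappdata%.
$taskName  = '\Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Automated)'
$regPath   = 'HKCU:\Software\Microsoft\MSDRM\TemplateManagement'
$templates = Join-Path $env:LOCALAPPDATA 'Microsoft\DRM\Templates'

# 1. Enable the automated task (it is disabled out of the box).
schtasks /Change /TN $taskName /ENABLE | Out-Null

# 2. Optional: shorten the refresh interval. The page only says updateFrequency
#    is a DWORD; the unit is assumed to be days, as the 7-day default suggests.
if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
Set-ItemProperty -Path $regPath -Name 'updateFrequency' -Value 1 -Type DWord

# 3. Remove only the lastUpdatedTime value (not the key) so the 7-day check
#    cannot short-circuit the fetch.
Remove-ItemProperty -Path $regPath -Name 'lastUpdatedTime' -ErrorAction SilentlyContinue

# 4. Clear the cached templates so stale copies are not kept.
if (Test-Path $templates) {
    Get-ChildItem -Path $templates -File | Remove-Item -Force
}

# 5. Run the task now and report what arrived from the cluster.
schtasks /Run /TN $taskName | Out-Null
Start-Sleep -Seconds 15
$fetched = Get-ChildItem -Path $templates -File -ErrorAction SilentlyContinue
if ($fetched) {
    Write-Output "Fetched $($fetched.Count) template(s) into $templates"
    $fetched | ForEach-Object { Write-Output "  $($_.Name)" }
} else {
    Write-Warning "No templates in $templates; check the SCP / ServiceLocations and the task's last run result."
}
```

If the task runs but nothing is fetched, the task's last run result (schtasks /Query /TN "<task name>" /V) is the first place to look before touching the registry again.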