Protect office document Requirements using AD RMS

  • Question

  • Hi,

    Should my machine be joined to the domain in order for me to protect an office document using AD RMS? What if I am in workgroup or I am connecting from internet?

    Thanks 

    Thursday, December 20, 2012 7:56 AM

Answers

  • In order for a computer to be able to deal with protected content it has to be activated.

    If you are authoring content for the first time (that is, clicking on one of the "Protect" options, as opposed to consuming already protected content) the client has to be able to discover the AD RMS cluster, and barring it being configured with some manual registry keys, that is done through the Service Connection Point in Active Directory, which has to be reachable by the client and the client has to be configured as a domain member in AD.

    But for consuming content, the story depends on your Office version. Before Office 2010 SP1 the situation was the same: the client has to be able to discover AD RMS either through Active Directory (by querying the Service Connection Point) or through manual configuration in the registry of the Certification URL (see the MSDRM or the Office registry keys at http://technet.microsoft.com/en-us/library/dd772665(v=ws.10).aspx and http://technet.microsoft.com/en-us/library/dd772637(v=ws.10).aspx). After Office 2010 SP1, the Office client can discover the RMS URL from the document being consumed, and no configurations should be needed on the client.

    The dialog you are seeing is what you get when the client cannot discover RMS automatically from the content (because it is earlier than Office 2010 SP1, as is your case) or from AD (because the client is not domain joined or the domain is unreachable). In such a case you have to preconfigure the client with registry keys as per the links above.

    HTH. 


    Enrique Saggese - Sr. Program Manager - Information Protection - Microsoft Corporation

    Monday, January 7, 2013 12:58 AM

All replies

  • Hi Ahmad,

    RMS will work on a non-domain-joined machine as long as the user can authenticate to the RMS server. This requires that the server is reachable from the non-domain-joined machine. The thing you have to think about is the activation process. If the machine is not in the domain it will not automatically find the service connection point in AD. You can either override this with registry settings or you send protected content to the machine and open it there.

    regards,

    Petter 

    Thursday, December 20, 2012 11:16 AM
  • This is what I get when sending a protected document to a non-domain-joined machine inside my local network. This machine can resolve the domain controllers we have.

    Thursday, December 20, 2012 11:42 AM
  • Hi, any idea about my issue? Is there any video tutorial or guide for AD RMS that I can follow? My target is to protect Office files and Exchange using AD RMS 2008 R2.

    Saturday, December 22, 2012 5:38 AM
  • I did not see the Windows version used, but after Windows XP the client checks the SSL cert installed in the AD RMS cluster: it must be trusted by the client, and the client should also be able to access the CRL of that cert.

    Regards.

    Cristian

    Tuesday, January 8, 2013 2:11 AM