Unusual behavior with AD RMS - You do not have the credentials that allow you to open this document. But user does have rights

  • Question

  • Ok, so here is the issue.

    Users are using Office 2010 and a few users receive a prompt when opening an RMS protected document that states: "You do not have the credentials that allow you to open this document......." The three options available are "Change User", "Yes", or "No". This does not happen with all users!

    If the user clicks "Change User", then the user's ID is already selected in the new dialog and clicking "Ok" will result in the document opening as it should. If the user selects the check box to "Always use this account" then they are no longer prompted when opening future documents. However, I need to find the cause of this behavior so that it can be rectified so that no users receive this prompt. Any ideas as to what could cause this behavior on random users?

    Also, we have executed the IRMCheck (newest version) on these PCs and all tests pass. The behavior also seems to follow the users with the popup regardless of the machine they use. So I am thinking this is related to something in the AD account but have not been able to isolate the issue just yet.

    Thanks in advance!


    Steve Angell - IAM Practice Director (http://www.InfraScience.com)

    Tuesday, May 22, 2012 5:34 PM

Answers

  • Hi Steve,

    Could you do an IISreset on the ADRMS box and then try accessing the intranet licensing URL with those user accounts?

    http(or https)://RMS_Cluster_Name/_wmcs/Licensing

    Is it still prompting you for authentication twice?

    Assuming everything is installed as default, you can find the corresponding access entries for the above events in the IIS logs on the ADRMS server.

    Plus, is this a single-box deployment or are you load balancing a few boxes?


    Blog: http://OutOfScope.info | @ Twitter: @darthsydd | ADRMS Wiki Portal: Technet Wiki

    Tuesday, May 22, 2012 6:31 PM
  • Hi,

    We have performed a few iisresets but no change. Also we have verified access to the Licensing/license.asmx and no prompts occur. This is a single box deployment, customer may add an additional server later but for now one was deployed.

    What is odd is this seems to be isolated to Office 2010. We are unable to reproduce on Office 2007.

    Regards,


    Steve Angell - IAM Practice Director (http://www.InfraScience.com)

    Tuesday, May 22, 2012 8:20 PM

All replies

  • Did you check the IIS logs on the ADRMS server? They should be under C:\inetpub\logs\LogFiles

    You should see each corresponding client access entry and error number there.

    What is the OS and Office 2010 versions and patch/ SP updates?


    Blog: http://OutOfScope.info | @ Twitter: @darthsydd | ADRMS Wiki Portal: Technet Wiki

    Wednesday, May 23, 2012 5:07 AM
  • OS is Windows 7, Office is 2010 SP1. I have tested this exact same scenario multiple times in my lab and cannot duplicate the problem. The issue only occurs when opening documents where RMS rights have already been applied.

    I did recreate the error and captured the log for the attempt, and the log entries are pasted below:

    #Software: Microsoft Internet Information Services 7.5
    #Version: 1.0
    #Date: 2012-05-30 00:12:22
    #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
    2012-05-30 00:12:22 10.200.2.150 POST /_wmcs/certification/ServiceLocator.asmx - 443 - 10.X.X.X Windows+Rights+Management+Client 401 2 5 0
    2012-05-30 00:12:22 10.200.2.150 POST /_wmcs/certification/ServiceLocator.asmx - 443 CONTOSO\RMSSERVER$ 10.X.X.X Windows+Rights+Management+Client 200 0 64 140
    2012-05-30 00:12:22 10.200.2.150 POST /_wmcs/certification/ServiceLocator.asmx - 443 - 10.X.X.X Windows+Rights+Management+Client 401 2 5 15
    2012-05-30 00:12:22 10.200.2.150 POST /_wmcs/certification/ServiceLocator.asmx - 443 CONTOSO\RMSSERVER$ 10.X.X.X Windows+Rights+Management+Client 200 0 64 0
    #Software: Microsoft Internet Information Services 7.5
    #Version: 1.0
    #Date: 2012-05-30 01:13:16
    #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
    2012-05-30 01:13:16 10.200.2.150 POST /_wmcs/certification/ServiceLocator.asmx - 443 - 10.Y.Y.Y Windows+Rights+Management+Client 401 2 5 593
    2012-05-30 01:13:16 10.200.2.150 POST /_wmcs/certification/ServiceLocator.asmx - 443 CONTOSO\randomuser 10.Y.Y.Y Windows+Rights+Management+Client 200 0 0 390
    2012-05-30 01:13:17 10.200.2.150 POST /_wmcs/certification/ServiceLocator.asmx - 443 CONTOSO\randomuser 10.Y.Y.Y Windows+Rights+Management+Client 200 0 0 500
    2012-05-30 01:26:04 10.200.2.150 POST /_wmcs/certification/ServiceLocator.asmx - 443 - 10.Z.Z.Z Windows+Rights+Management+Client 401 2 5 593
    2012-05-30 01:26:04 10.200.2.150 POST /_wmcs/certification/ServiceLocator.asmx - 443 CONTOSO\RFCNCAS2$ 10.Z.Z.Z Windows+Rights+Management+Client 200 0 64 328
    2012-05-30 01:26:06 10.200.2.150 POST /_wmcs/certification/ServiceLocator.asmx - 443 - 10.Z.Z.Z Windows+Rights+Management+Client 401 2 5 593
    2012-05-30 01:26:06 10.200.2.150 POST /_wmcs/certification/ServiceLocator.asmx - 443 CONTOSO\RFCNCAS2$ 10.Z.Z.Z Windows+Rights+Management+Client 200 0 64 312
    2012-05-30 01:27:26 10.200.2.150 POST /_wmcs/certification/ServiceLocator.asmx - 443 - 10.237.2.116 Windows+Rights+Management+Client 401 2 5 578
    2012-05-30 01:27:26 10.200.2.150 POST /_wmcs/certification/ServiceLocator.asmx - 443 CONTOSO\RFCNCAS1$ 10.237.2.116 Windows+Rights+Management+Client 200 0 64 296
    2012-05-30 01:27:28 10.200.2.150 POST /_wmcs/certification/ServiceLocator.asmx - 443 - 10.237.2.116 Windows+Rights+Management+Client 401 2 5 578
    2012-05-30 01:27:28 10.200.2.150 POST /_wmcs/certification/ServiceLocator.asmx - 443 CONTOSO\RFCNCAS1$ 10.237.2.116 Windows+Rights+Management+Client 200 0 64 312


    Steve Angell - IAM Practice Director (http://www.InfraScience.com)

    Thursday, June 7, 2012 11:59 PM
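
An added example, not part of the original thread: a small Python parser for the IIS W3C log format pasted in the post above. It tallies, per client IP, the 401.2 challenges and which account each 200 response was logged under, separating computer accounts (trailing `$`) from user accounts. The sample lines are excerpted from that pasted log; the function names are chosen here for illustration.

```python
from collections import defaultdict

# Excerpt of the IIS log lines pasted in the thread (client IPs masked as posted).
SAMPLE_LOG = r"""#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-05-30 00:12:22 10.200.2.150 POST /_wmcs/certification/ServiceLocator.asmx - 443 - 10.X.X.X Windows+Rights+Management+Client 401 2 5 0
2012-05-30 00:12:22 10.200.2.150 POST /_wmcs/certification/ServiceLocator.asmx - 443 CONTOSO\RMSSERVER$ 10.X.X.X Windows+Rights+Management+Client 200 0 64 140
2012-05-30 01:13:16 10.200.2.150 POST /_wmcs/certification/ServiceLocator.asmx - 443 - 10.Y.Y.Y Windows+Rights+Management+Client 401 2 5 593
2012-05-30 01:13:16 10.200.2.150 POST /_wmcs/certification/ServiceLocator.asmx - 443 CONTOSO\randomuser 10.Y.Y.Y Windows+Rights+Management+Client 200 0 0 390
2012-05-30 01:13:17 10.200.2.150 POST /_wmcs/certification/ServiceLocator.asmx - 443 CONTOSO\randomuser 10.Y.Y.Y Windows+Rights+Management+Client 200 0 0 500
2012-05-30 01:27:26 10.200.2.150 POST /_wmcs/certification/ServiceLocator.asmx - 443 - 10.237.2.116 Windows+Rights+Management+Client 401 2 5 578
2012-05-30 01:27:26 10.200.2.150 POST /_wmcs/certification/ServiceLocator.asmx - 443 CONTOSO\RFCNCAS1$ 10.237.2.116 Windows+Rights+Management+Client 200 0 64 296
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # IIS restarts re-emit this header
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):     # skip truncated or malformed lines
                yield dict(zip(fields, values))

def summarize_auth(text, uri_prefix="/_wmcs/"):
    """Per client IP: count 401.2 challenges and record who got a 200."""
    summary = defaultdict(lambda: {"challenges": 0, "users": set(),
                                   "machine_accounts": set(), "win32_on_200": set()})
    for r in parse_w3c(text):
        if not r["cs-uri-stem"].lower().startswith(uri_prefix):
            continue
        entry = summary[r["c-ip"]]
        if (r["sc-status"], r["sc-substatus"]) == ("401", "2"):
            entry["challenges"] += 1           # unauthenticated first request
        elif r["sc-status"] == "200" and r["cs-username"] != "-":
            name = r["cs-username"]
            # A trailing $ marks a computer account rather than a user.
            key = "machine_accounts" if name.endswith("$") else "users"
            entry[key].add(name)
            if r["sc-win32-status"] != "0":
                entry["win32_on_200"].add(r["sc-win32-status"])
    return dict(summary)

if __name__ == "__main__":
    for ip, info in summarize_auth(SAMPLE_LOG).items():
        print(ip, info)
```

Run against the full log file, this shows at a glance which clients reached the RMS pipeline under a computer account and which under a user account, and which 200 responses carried a non-zero sc-win32-status.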
  • Hi,

    do you have SCP enabled or is the RMS location configured by registry?

    Martin

    Monday, June 11, 2012 7:05 AM
  • SCP is registered. However, I have tried both methods, SCP and Registry override, and the results are the same with either method.

    Steve Angell - IAM Practice Director (http://www.InfraScience.com)

    Tuesday, June 19, 2012 3:56 PM
  • Wednesday, June 20, 2012 2:43 PM