Out of domain issue with XPSViewer RRS feed

  • Question

  • Hi,

    have deployed adRMS production server with intranet and extranet public address.

    Using external certificate for https. Local domain Win7 client work without issue.

    I have deployed a non-domain Win7 machine without domain network access and set :

    1. Registry key for adrms service discovery.

    2. Added external URL to Local Intranet.

    Opening XPSViewer with xps doc and trying to set permissions always returns error (cannot activate any rights management account on this machine).

    Running latest IRMCheck returns all green except for :

    14. Domain Membership WARNING Member of WGTEST workgroup. You will be unable to acquire permanent Enterprise credentials or use "Everyone" permissions without being a member of a domain
    Action:Contact your network administrator for more information 

    17. User Email in AD ERROR The mail attribute for the logged on user is not set in the AD
    Action:Please set the mail attribute for the logged on user in the AD or contact your domain administrator 

    The #14 is ok for me but i believe the #17 is the problem. 

    How can i work around it because the client is in workgroup and will not reach/be member of domain.

    I've already tried to open rms link in IE and store credentials (reaching certification web service works ok) but it will not work.

    I'll be having 120 PCs on production soon and kind of worried (to say the least).

    Thans for an help you can share.

    Best regards,


    Tuesday, May 21, 2013 10:23 PM


All replies

  • Ad 17, it is crucial that the user that you use to access the RMS has email attribute specified in AD. This is independent from the fact if the user's workstation is domain joined or not.

    Also the certificate you use to protect SSL comunications must be trusted on the client side.

    BTW. have you tried to protect a document using Office (just for debugging purposes).


    Wednesday, May 22, 2013 8:28 AM
  • Hi Martin,

    The IIS certificate is trusted (not a self signed). Opening link https://public.rms.name/_wcms/Certification/somesresource.ext will not display untrusted message (only the expected authentication dialog)

    Office is not installed on the client so i cannot use it for testing.

    Cleaning local DRM certs would make no diference.

    After this problem with XPS (i was trying to get my own app to work and doing some testing) i've returned to my app (c# using System.Security.RightsManagement-> MSDRM) and tweeking the authentication (switch to temporary RAC instead of permanent) made it working as expected. Initial version had worked only in domain joined scenario.

    But not sure why XPSViewer is not working on Win7 client.

    So i think it is not related to client configuration but something else...

    Any Office dependencies ? 

    Thanks for your time Martin.


    Wednesday, May 22, 2013 8:54 AM
  • If you are accessing RMS from non-domain joined computer you'll get a temporary RAC ( http://technet.microsoft.com/en-us/library/cc747725(v=ws.10).aspx#BKMK_14 ). Don't know though if XPS viewer has issues with this, I've never tested XPS viewer protection ...

    I guess you should check this http://social.msdn.microsoft.com/forums/en-US/windowsxps/thread/f098f044-6d60-41b9-bc01-1417e06b7b62 it might be helpful.


    Martin Rublik

    EDIT1: I see the links are broken, you need to download SDK and compile the tools http://www.microsoft.com/en-us/download/details.aspx?id=15902

    EDIT2: I suggest you install Office on one machine a test it first. As it might be laborious to compile and use the tools from SDK. This way we'll see if this is the problem.

    Wednesday, May 22, 2013 9:05 AM
  • As i cannot change the setup of the current machine where i'm having this issue, i will create a test VM and run the same procedures on them to try to replicate this issue.

    Publishing (and not consuming) with XPSViewer on non-domain might be the problem/question (not using Live ID). 

    I will share any findings that are relevant.

    Martin, once again thanks for your effort


    Wednesday, May 22, 2013 9:46 AM