IRM and Exchange 2013 OWA RRS feed

  • Question

  • Outlook (2010 SP2) and OWA (Exchange 2013 CU6) have different behavior when viewing a message secured with AD RMS.

    I have enabled IRM successfully for internal use.  I've set a test policy that allows messages to only be viewed for one day.  After one day, viewing secured messages via Outlook is blocked as expected.  The issue is when I view the message via OWA, I can see the body content.  The content is not protected, only attachments are protected.

    A message that is intended to be protected but without attachments can be viewed via OWA even if it has been set to expire.  Viewing the same message in Outlook is prohibited, as it should be.

    I tried to open a thread in the Exchange forum but they said that it is a RMS issue and that you guys would know what to do.

    http://social.technet.microsoft.com/Forums/en-US/6b253c68-956c-43ef-a071-0b76e537ef56/owa-and-irm?forum=exchangesvrclients

    Please help!

    Friday, September 5, 2014 3:52 AM

Answers

  • DavidR1,

I confirm the behaviour you described: the Outlook rich client cannot open an expired content message, however OWA displays the content and gives me the right to download the attachment.

    This is how I had thought it would work, as OWA works under the AD RMS super user account, so it can decrypt any message/document. That's why you see the content of the email in OWA (I'm not saying this is the way it should be, but it is rather expected). If you download a document from an expired content email in OWA and try to open it with e.g. Word, you are opening it in the user's context, which doesn't have rights because the document permissions expired.

    The same thing would happen if you looked at the sender's Outlook and OWA: as the content owner, the sender will also be able to read the content even if it has already expired.

    Hope it helps.

Outlook: (screenshot not included)

    OWA: (screenshot not included)


    Did my post help you or make you laugh? Don't forget to click the Helpful vote :) If I answered your question please mark my post as an Answer.

    • Marked as answer by DavidR1 Wednesday, September 17, 2014 6:15 PM
    Wednesday, September 17, 2014 7:26 AM

All replies

  • Hi DavidR1,

Are you using Transport Protection Rules or Outlook Protection Rules, or are you manually picking a template?

    Try running Set-IrmConfiguration -RefreshServerCertificates on the Exchange side?


    Did my post help you or make you laugh? Don't forget to click the Helpful vote :) If I answered your question please mark my post as an Answer.

    Saturday, September 13, 2014 4:04 PM
  • Hello,

    Thank you so much for replying!

This is by manually choosing a template.  I've confirmed it on two separate environments.  Before I clear out all certificates and cache, can you confirm that you are able to see it working correctly on your environment?  So far, I haven't found a single person that actually has RMS installed in their Exchange 2013 environment, or one that can confirm that their OWA doesn't ignore the RMS expired attribute.

    Even MS engineers on the Exchange forums are silent on this matter.

    Sunday, September 14, 2014 3:36 AM
What permissions had you set up in your template? Is it content expiration or license expiration?

    I'll try that today/tomorrow and let you know.


    Did my post help you or make you laugh? Don't forget to click the Helpful vote :) If I answered your question please mark my post as an Answer.

    Monday, September 15, 2014 6:13 PM
  • Thank you for giving it a shot!  Here are the step by step instructions.

    Open AD RMS Management
    Navigate to Rights Policy Templates
    Click on Create distributed rights policy template
    Click Add - Fill in Name and Description.  I called mine 'View Only (1 Day)'
    Click Add again and then Next

    Add User Rights Screen
    Users and Rights - click Add.  Select Anyone.
    Rights for ANYONE.  Only check the box marked 'View'.  Leave all other boxes unchecked.
    Grant owner(author) full control right box, leave default (checked)
    Rights request URL: leave default (blank)
    Click Next

    Specify Expiration Policy Screen
    Content Expiration - Expires after the following duration - 1 day
    Use License expiration - Expires after the following duration - 1 day
    Click Next

    Specify Extended Policy
Enable user to view protected content using a browser add-on: checked
    Require a new use license every time content is consumed: checked
    Click Next

    Specify Revocation Policy
    Require revocation box.  Leave default (unchecked)

    Click finish


    Monday, September 15, 2014 6:25 PM
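The same template, created and read back with the AD RMS Windows PowerShell provider (AdRmsAdmin) instead of the console. This is an added example and is not part of the original post: the cluster URL https://adrms.contoso.com is a placeholder, and the New-Item parameter names for the RightsPolicyTemplate path are taken from the provider's documentation as I remember it and should be checked with Get-Help New-Item -Path AdRmsAdmin:\RightsPolicyTemplate before use. The "view in a browser add-on" extended-policy setting from the console steps is not set here.

```powershell
# Added example (not from the thread): build the 'View Only (1 Day)' template
# described above with the AdRmsAdmin provider, then read it back to confirm
# the expiration settings stuck. Run on an AD RMS node or a machine with the
# AD RMS RSAT tools. The cluster URL is a placeholder.
Import-Module AdRmsAdmin
New-PSDrive -Name AdRmsAdmin -PSProvider AdRmsAdmin `
    -Root 'https://adrms.contoso.com' -Scope Global | Out-Null

$templateName = 'View Only (1 Day)'

# ANYONE gets View only; the owner (author) keeps full control by default.
# Content expiration and use-license expiration are both 1 day, as in the post.
# Parameter names below are assumed from the AdRmsAdmin provider documentation.
New-Item -Path 'AdRmsAdmin:\RightsPolicyTemplate' `
    -LocaleName 'en-US' `
    -DisplayName $templateName `
    -Description 'Viewing only; content and use license expire after one day' `
    -UserGroup 'ANYONE' `
    -Right 'View' `
    -ContentExpirationOption 'AfterDays' `
    -ContentValidityDuration 1 `
    -LicenseValidityDuration 1 `
    -RequireNewUseLicense $true | Out-Null

# Read the template back. Property names on the returned item are assumed to
# match the parameter names used above.
$tpl = Get-ChildItem 'AdRmsAdmin:\RightsPolicyTemplate' |
    Where-Object { $_.DisplayName -eq $templateName }

$tpl | Format-List DisplayName, ContentExpirationOption, ContentValidityDuration,
    LicenseValidityDuration, RequireNewUseLicense

# The whole test in the thread depends on a 1-day content expiration; fail loudly
# if the template does not actually carry it.
if ($tpl.ContentExpirationOption -ne 'AfterDays' -or $tpl.ContentValidityDuration -ne 1) {
    Write-Warning "Template '$templateName' does not have the 1-day content expiration the test relies on."
}
```

After the template is distributed to clients, the repro is unchanged: protect a message with it from Outlook, wait past the validity period, and compare Outlook against OWA.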
Thank you for that reply and the research that you did.  The only interesting thing is that the other restrictions are applied.  You will see that your ability to reply, reply all, and forward is greyed out, as it should be.  In fact, all other message handling is addressed properly.  If you open the message from the sender's viewpoint in OWA, those options are not greyed out, as it should be.

    If it were the case that the elevated permissions were used for all OWA message handling, then nothing should be disabled.

    But anyway, I also think that you are correct.  I would guess that OWA uses elevated access to open a message and then personal access to determine what further actions are permitted.  Any attachments are of course handled with personal access credentials.

    Finally, I would like to let you know that I've gotten in touch with Tony Redmond who then spoke with actual Exchange engineers at MS.  They confirmed that this is a bug but not one that they are rushing to fix.  It probably won't be fixed until CU8 or so.

    Thank you again so much for taking out the time to research and even duplicate this.  I don't know many others on these forums that would do this.  I'm happy to click your comment as correct and the most helpful.  Even the MS engineers on the other forum wouldn't try to reproduce and they were just telling me to pay and open a ticket.  :)

    Wednesday, September 17, 2014 6:15 PM
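An added set of Exchange Management Shell checks, not from the thread, for confirming the server-side IRM state the posts above reason about: whether IRM is enabled for Client Access (OWA), whether the Exchange federated delivery mailbox is in the AD RMS super users group (which is what lets the server decrypt on a user's behalf), and the certificate refresh suggested earlier. The SMTP address and the super users group name are placeholders. These checks only show the configuration; they do not change the OWA behaviour reported in this thread.

```powershell
# Added example (not from the thread): inspect the Exchange/AD RMS wiring that
# lets OWA render IRM-protected content server-side. Run in the Exchange
# Management Shell. The sender address and group name are placeholders.

# 1. Is IRM enabled for internal licensing and for Client Access (OWA/EAS)?
$irm = Get-IrmConfiguration
$irm | Format-List InternalLicensingEnabled, ClientAccessServerEnabled, SearchEnabled,
    TransportDecryptionSetting, JournalReportDecryptionEnabled, EDiscoverySuperUserEnabled,
    PublishingLocation, LicensingLocation

# 2. Refresh the server's rights account certificates (the step suggested above).
Set-IrmConfiguration -RefreshServerCertificates

# 3. End-to-end publish/license test for one sender.
Test-IRMConfiguration -Sender 'user@contoso.com' | Format-List

# 4. Which identity decrypts on the server? Exchange's federated delivery mailbox
#    (an arbitration mailbox named FederatedEmail.<guid>) has to be a member of
#    the AD RMS super users group for server-side IRM to work at all.
$fed = Get-Mailbox -Arbitration | Where-Object { $_.Name -like 'FederatedEmail*' }
$superUsersGroup = 'ADRMSSuperUsers'   # placeholder: the mail-enabled group configured in AD RMS
$members = Get-DistributionGroupMember -Identity $superUsersGroup

if ($members.Name -contains $fed.Name) {
    "Federated delivery mailbox '$($fed.Name)' is in '$superUsersGroup': the server can decrypt any protected message it handles."
} else {
    Write-Warning "Federated delivery mailbox is not in '$superUsersGroup'; OWA, search and transport decryption of IRM content will fail."
}
```

If step 4 reports membership, the server-side decryption path the answer describes is in place; the per-user enforcement of reply/forward restrictions that the follow-up notes is a separate check applied to the use license issued for the logged-on user.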
  • Thank you for your update also on this issue as this is very interesting for me as well.

    I'm happy I could help just a bit!


    Did my post help you or make you laugh? Don't forget to click the Helpful vote :) If I answered your question please mark my post as an Answer.

    Wednesday, September 17, 2014 6:25 PM
  • Just wanted to jump in saying we have the same issue with Outlook 2013 clients and Exchange 2013 SP1.

    Content that has expired cannot be viewed in Outlook 2013 but can be viewed in OWA 2013.

I had an MS engineer working on an AD RMS content expiration case when we discovered this bug.

    I will request MS to confirm this is a bug via email as well.

    Wednesday, January 21, 2015 6:40 AM
  • Hi,

Is there any update on this issue? I have the same problem with Exchange Server 2013 CU11 today!

    Thanks,


    Soheil

    Monday, May 30, 2016 9:26 AM
  • Surprise!!! Over 3 years later, and Exchange 2016 and ADRMS on Server 2016, and this bug still hasn't gotten fixed...! Just... wow...! :/

    Monday, September 30, 2019 4:17 PM