Troubleshoot "Simple Delegation"

  • Question

  • Hi

    How can I troubleshoot simple delegation in AD RMS running on Windows Server 2012 R2?

    I set it up according to http://support.microsoft.com/kb/2605692/en. BTW, the LDIF files are incorrect; there are empty lines missing, for example in front of “dn: cn=User,cn=Schema,cn=Configuration,dc=x”.

    I ran Set-ItemProperty -Path . -Name IsEnabled -Value $true and also verified the setting in the SQL database.

    The msRMSDelegator attribute of the user Assistant contains the distinguishedName of the user Big.Boss.

    However, the user Assistant is not allowed to open a file protected for Big.Boss.

    Do I have to wait a certain amount of hours / days until this change is recognized?

    I tried to enable tracing - http://msdn.microsoft.com/en-us/library/hh535245(v=vs.85).aspx

    But I was not successful, so far.

    ##

    C:\Windows\system32>wevtutil sl Microsoft-RMS-MSIPC/Debug /e:true /l:4

    **** Warning: Enabling this type of log clears it.  Do you want to enable and clear this log? [y/n]:

    y

    Failed to save configuration or activate log Microsoft-RMS-MSIPC/Debug. The requested operation cannot be performed over an enabled direct channel. The channel must first be disabled before performing the requested operation.

    C:\Windows\system32>wevtutil sl Microsoft-RMS-MSIPC/Debug /e:false /l:4

    C:\Windows\system32>wevtutil sl Microsoft-RMS-MSIPC/Debug /e:true /l:4

    **** Warning: Enabling this type of log clears it.  Do you want to enable and clear this log? [y/n]:

    y

    C:\Windows\system32>eventvwr

    ##

    However, I get the same error when I try to access “Application and Services Logs\Microsoft\RMS\MSIPC\Debug”

    Let’s assume it would work. Is my assumption correct that the user Assistant should have the same RMS rights on EVERY document where Big.Boss has rights?

    Currently I am not sure in which situation I would like to use this feature. I believe it is very likely that Big.Boss will come up with the request: okay, in 99% of the cases the assistant should have the same rights, but in these cases he should not be able to have the same rights…

    Thanks for your help.

    Thursday, January 9, 2014 9:38 PM
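The enable/disable sequence the post works through, as an added PowerShell example that is not part of the thread. It assumes the channel name used in the post (Microsoft-RMS-MSIPC/Debug), that it is run from an elevated prompt on the client machine where the MSIPC runtime does the decryption, and that "delegat" is a useful message filter for this scenario (an assumption).

```powershell
# Added example, not from the original thread. Cycles the MSIPC debug channel
# around a repro and then reads the captured events. Run from an elevated prompt
# on the client where the protected document is opened (MSIPC is the client runtime).
$channel = 'Microsoft-RMS-MSIPC/Debug'

function Enable-MsipcDebugChannel {
    # A direct (Debug/Analytic) channel cannot be reconfigured while it is enabled,
    # which is the error shown in the post: disable it first, then enable it.
    $cfg = Get-WinEvent -ListLog $channel -ErrorAction Stop
    if ($cfg.IsEnabled) { wevtutil sl $channel /e:false }
    # /l:5 = verbose; /q:true answers the "Enabling this type of log clears it" prompt.
    wevtutil sl $channel /e:true /l:5 /q:true
}

function Read-MsipcDebugChannel {
    # Reading is also refused while the direct channel is enabled, so disable it
    # after the repro. Debug channels have to be read oldest-first.
    wevtutil sl $channel /e:false
    Get-WinEvent -LogName $channel -Oldest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, Message
}

Enable-MsipcDebugChannel
# Reproduce the failure now: as the Assistant user, open the document protected
# for Big.Boss. Then collect the trace and keep only the delegation-related lines.
Read-MsipcDebugChannel |
    Where-Object { $_.Message -match 'delegat' } |   # filter string is an assumption
    Format-List TimeCreated, Id, Message
```

This only shows what the client-side runtime did. What the AD RMS server does with the msRMSDelegator attribute is server-side behaviour, which is what the DebugView trace mentioned in the last reply covers.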

All replies

  • I waited until the next morning and did not change any configuration setting. Now simple delegation is working.

    The Assistant user can access all RMS protected documents with RMS rights assigned to Big.Boss.
    Is it possible to limit this feature to a subset of the documents?
    I assume it is not possible.

    Do you know which configuration property defines the time how long I have to wait until the simple delegation feature is active?
    Maybe a variable in the SQL database defines this.

    How can I troubleshoot / trace what RMS is doing in the background?

    Friday, January 10, 2014 8:31 AM
  • RMS caches all AD data for a default of 12 hours (720 minutes, as it is expressed in its configuration). This includes the delegation attributes, Group membership and user properties.

    This is controlled by some settings stored in the configuration database in the ClusterPolicies table. You can lower the value from 720 minutes to one hour if you need to, though it is recommended not to lower it too much, or performance will be impacted by insufficient caching of user attributes.

    You can troubleshoot this sort of issue by obtaining a DebugView trace. Look up "Debug View", "AD RMS" and "server side tracing" and you'll find an article that explains how to turn it on. It is very useful to figure out how exactly AD RMS is performing its operations internally.

    HTH


    Enrique Saggese - Sr. Program Manager - Information Protection - Microsoft Corporation

    Monday, July 14, 2014 6:56 PM
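Locating and adjusting the cache interval the reply describes, as an added PowerShell example that is not part of the thread. It assumes the AD RMS configuration database name below (AD RMS names it DRMS_Config_<cluster>_<port>; yours will differ), that the ClusterPolicies table exposes PolicyName and PolicyData columns, and that the relevant row name contains "Cache"; all three are placeholders to confirm against your own database before changing anything.

```powershell
# Added example, not from the original thread. Reads the cache-related rows of
# the ClusterPolicies table in the AD RMS configuration database so the
# 720-minute value mentioned in the reply can be found and, if wanted, lowered.
# Assumptions: the server and database names, the PolicyName/PolicyData column
# names and the '%Cache%' filter are placeholders; verify them in your own DB.
$server   = 'SQL01'
$database = 'DRMS_Config_rms_contoso_com_80'   # assumed; pattern is DRMS_Config_<cluster>_<port>
$connStr  = "Server=$server;Database=$database;Integrated Security=SSPI"

function Get-RmsCachePolicy {
    $conn = New-Object System.Data.SqlClient.SqlConnection $connStr
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT PolicyName, PolicyData FROM ClusterPolicies WHERE PolicyName LIKE @p'
        [void]$cmd.Parameters.AddWithValue('@p', '%Cache%')   # assumed naming of the cache rows
        $r = $cmd.ExecuteReader()
        while ($r.Read()) {
            [pscustomobject]@{ PolicyName = $r['PolicyName']; PolicyData = $r['PolicyData'] }
        }
    } finally { $conn.Close() }
}

function Set-RmsCachePolicy {
    param(
        [Parameter(Mandatory)][string]$PolicyName,
        [Parameter(Mandatory)][int]$Minutes
    )
    # The reply warns that caching too little hurts performance; refuse anything
    # below the one-hour floor it suggests. Back up the configuration DB first.
    if ($Minutes -lt 60) { throw "Refusing to set $PolicyName below 60 minutes" }
    $conn = New-Object System.Data.SqlClient.SqlConnection $connStr
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'UPDATE ClusterPolicies SET PolicyData = @v WHERE PolicyName = @n'
        [void]$cmd.Parameters.AddWithValue('@v', [string]$Minutes)
        [void]$cmd.Parameters.AddWithValue('@n', $PolicyName)
        $rows = $cmd.ExecuteNonQuery()
        if ($rows -ne 1) { throw "Expected to update 1 row for $PolicyName, updated $rows" }
    } finally { $conn.Close() }
}

# 1. List the candidate rows and confirm which one holds the 720-minute value.
Get-RmsCachePolicy | Format-Table -AutoSize
# 2. Only then lower it, using the exact name printed above (left as a comment here on purpose):
# Set-RmsCachePolicy -PolicyName '<name from the listing above>' -Minutes 60
# 3. Run iisreset on each cluster node so the AD RMS web service rereads its configuration.
```

The parameterised UPDATE and the row-count check are deliberate: the table is the cluster's live configuration, so a typo in the policy name should fail loudly rather than silently update nothing or the wrong row. After the change, the delegation should take effect within the new interval instead of the next morning, as the asker saw with the default.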