Failed to open RMS-protected e-mail with revocation-list-enabled template

  • Question

  • Dear all,

    I am setting up a Windows 2008 R2 RMS server. All RMS functions were working well until I tried to use the RMS revocation list.

    I created and signed the revocation XML using the guide below. (This doc is for Win2003; does it also apply to Win2008?)

    http://technet.microsoft.com/en-us/library/cc720208%28WS.10%29.aspx

    I then created an RMS template with the revocation XML. The revocation list part is almost empty, of course.

    If I send an RMS-protected mail with this template, the recipient cannot open the email or document. The error is:

    You do not have credential to allow you to open this message ...

    The debugview trace shows:

    ===========================

    [3140] [msdrm]:+DRMCreateBoundLicense
    [3140] Created the enabling principal
    [3140] [msdrm]:-DRMCreateBoundLicense HR=0x8004cf28

    ===========================

    According to the Microsoft documentation, the error means E_DRM_BIND_NO_APPLICABLE_REVOCATION_LIST.

    It means there is some format error in the list, but I cannot find it. Please take a look at the list below and give me some hints. Thanks a lot!

    ===============

    <?xml version="1.0" ?>
    <XrML xml:space="preserve" version="1.2">
      <BODY type="LICENSE" version="3.0">
        <ISSUEDTIME>2010-09-16T03:20</ISSUEDTIME>
        <DESCRIPTOR>
          <OBJECT type="Revocation-List">
            <ID type="MS-GUID">{d6373cba-01f1-4f32-ac58-260f580af0f8}</ID>
          </OBJECT>
        </DESCRIPTOR>
    <ISSUER>
          <OBJECT type="Revocation">
            <ID type="acsii-tag">External revocation authority</ID>
            <NAME>Revocation Point</NAME>
            <ADDRESS type="URL">https://adrms.fabrikam.local/fab_revocation.xml</ADDRESS>
          </OBJECT>
          <PUBLICKEY><ALGORITHM>RSA</ALGORITHM><PARAMETER name="public-exponent"><VALUE encoding="integer32">65537</VALUE></PARAMETER><PARAMETER name="modulus"><VALUE encoding="base64" size="1024">K09Pgq2iyUGv7kWf86HMhVnfGCfKNOFEpMh8u1FXZBzoOomr97yRsTDvbrprJTqRUIqvEmZ3EaS7xt5AIgGj1XbAtkk8mYCoAdaQYU6sPb4T3F0uBx8rnJ2V8SPYNoDwPA67Ufq9fMtqJ3gV114zXzG71C32Xs51z3Ip3uc7Ces=</VALUE></PARAMETER></PUBLICKEY>
        </ISSUER>
    <REVOCATIONLIST>
    <REVOKE category="content" type="content-id">
    <OBJECT type="Microsoft Office Document">
    <ID type="MS-GUID">{8702641D-3512-4AA4-A584-84C703A5B5C0}</ID>
    </OBJECT>
    </REVOKE>
    </REVOCATIONLIST>
    </BODY><SIGNATURE><ALGORITHM>RSA PKCS#1-V1.5</ALGORITHM><DIGEST><ALGORITHM>SHA1</ALGORITHM></DIGEST><VALUE encoding="base64" size="1024">LUzb7K4z+WEwXZomY2KPrHgkRABX4+qqjD2FhiZmM1U601xhgShrUKZ+fNaaZZB0i/tN82r0v0YLoFGCMp3sNXMNK72r5/Yg7YuKFAKtCWtLEzi8IPMWhAhh4jF2Jf88e9GObze8A1U4eXWRzNwKQLO5eWxZp/s8roz8bXXooXU=</VALUE></SIGNATURE></XrML>

    =======================

    Sunday, September 19, 2010 4:01 AM

Answers

  • Looks like you pasted this right from the documentation...which has a document bug.

    <ISSUER>
          <OBJECT type="Revocation">
            <ID type="acsii-tag">External revocation authority</ID>
            <NAME>Revocation Point</NAME>
            <ADDRESS type="URL">https://adrms.fabrikam.local/fab_revocation.xml</ADDRESS>
          </OBJECT>
          <PUBLICKEY><ALGORITHM>RSA</ALGORITHM><PARAMETER name="public-exponent"><VALUE encoding="integer32">65537</VALUE></PARAMETER><PARAMETER name="modulus"><VALUE encoding="base64" size="1024">K09Pgq2iyUGv7kWf86HMhVnfGCfKNOFEpMh8u1FXZBzoOomr97yRsTDvbrprJTqRUIqvEmZ3EaS7xt5AIgGj1XbAtkk8mYCoAdaQYU6sPb4T3F0uBx8rnJ2V8SPYNoDwPA67Ufq9fMtqJ3gV114zXzG71C32Xs51z3Ip3uc7Ces=</VALUE></PARAMETER></PUBLICKEY>
        </ISSUER>

    Notice acsii-tag should actually be ascii-tag.

    We have a bug filed to get the documentation fixed.

    Also ensure that this line:

    <XrML xml:space="preserve" version="1.2">

    Is actually using standard double quotes and not curly quotes. That is another problem with the online code.

    Thanks.

    Jason

    Tuesday, September 21, 2010 2:04 PM
  • Just an update, the documentation at http://technet.microsoft.com/en-us/library/cc720208%28WS.10%29.aspx was fixed per the bug Jason mentioned filing. This should not be an issue in the future for others.

    Thanks!


    Brad Mahugh
    Microsoft Corporation
    ------------------------
    This post is provided "AS IS" and confers no promises of current or future technical support for a specific support issue. Please use Microsoft product support if you need a service commitment for your current support case or issue.

    Monday, April 8, 2013 9:23 PM
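
A pre-signing check for the two defects identified in the answer above (the misspelled `ascii-tag` ID type and curly quotes), as an added example that is not part of the original thread or of Microsoft's documentation. The function name, the allow-list of ID types (limited to the two values that appear on this page) and the sample XML are assumptions constructed for illustration.

```python
import difflib
import xml.etree.ElementTree as ET

# Assumption: allow-list limited to the ID type strings that appear on this page.
KNOWN_ID_TYPES = {"MS-GUID", "ascii-tag"}
CURLY_QUOTES = "\u201c\u201d\u2018\u2019"

# Constructed sample: trimmed list, placeholder GUID, no key or signature.
SAMPLE = """<?xml version="1.0" ?>
<XrML xml:space="preserve" version="1.2">
  <BODY type="LICENSE" version="3.0">
    <DESCRIPTOR><OBJECT type="Revocation-List">
      <ID type="MS-GUID">{00000000-0000-0000-0000-000000000000}</ID>
    </OBJECT></DESCRIPTOR>
    <ISSUER><OBJECT type="Revocation">
      <ID type="acsii-tag">External revocation authority</ID>
    </OBJECT></ISSUER>
  </BODY>
</XrML>
"""

def lint_revocation_list(text):
    """Return (line_number, message) findings for a revocation list."""
    lines = text.splitlines()
    # 1. Flag typographic quotes anywhere; as attribute delimiters they
    #    make the XML unparseable.
    findings = [(n, "curly quote; use a plain quote character")
                for n, line in enumerate(lines, 1)
                if any(ch in CURLY_QUOTES for ch in line)]
    if findings:
        return findings  # parsing would fail until these are replaced
    # 2. The list must be well-formed before attribute values can be checked.
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [(exc.position[0], f"not well-formed: {exc}")]
    # 3. Every <ID type="..."> must carry a known type string.
    for elem in root.iter("ID"):
        id_type = elem.get("type") or ""
        if id_type not in KNOWN_ID_TYPES:
            hint = difflib.get_close_matches(id_type, sorted(KNOWN_ID_TYPES), n=1)
            line_no = next((n for n, l in enumerate(lines, 1)
                            if f'type="{id_type}"' in l), 0)
            tip = f'; did you mean "{hint[0]}"?' if hint else ""
            findings.append((line_no, f'unknown ID type "{id_type}"{tip}'))
    return findings

if __name__ == "__main__":
    print(lint_revocation_list(SAMPLE))
```

Run it on the list before it is signed, since editing the body afterwards means signing it again.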
