locked
Can't get sample app to authenticate RRS feed

  • Question

  • Hi,

    I'm trying to get the RmsFileWatcher sample app to work with Cloud/Azure-based RMS.

    I've confirmed with Office that I can use the RMS service for my onmicrosoft.com account and protect documents (though note that there are serious problems with caching - even if I log out of windows and back in again as a different user it still seems to think I'm the previous user, and lets me open documents I shouldn't be able to), however I now need to know how to get my own code to use the IpC API in order to programmatically access RMS information.

    I've set the necessary registry keys, copied various DLLs around, run genmanifest, and added

    IpcSetAPIMode(APIMode.Server) to my sample but it just keeps giving me:

    Microsoft.InformationProtectionAndControl.InformationProtectionException: The operation being requested was not performed because the user has not been authenticated. HRESULT: 0x800704DC

       at Microsoft.InformationProtectionAndControl.SafeNativeMethods.ThrowOnErrorCode(Int32 hrError) in c:\dev\dylan\Sandbox\rms-samples-for-net-master\IpcManagedAPI\SafeNativeMethods.cs:line 1760

       at Microsoft.InformationProtectionAndControl.SafeNativeMethods.IpcGetTemplateList(ConnectionInfo connectionInfo, Boolean forceDownload, Boolean suppressUI, Boolean offline, Boolean hasUserConsent, Form parentForm, CultureInfo cultureInfo, SymmetricKeyCredential symmKey) in c:\dev\dylan\Sandbox\rms-samples-for-net-master\IpcManagedAPI\SafeNativeMethods.cs:line 149

       at RmsFileWatcher.FormRmsFileWatcher.populatePolicyList() in c:\dev\dylan\Sandbox\rms-samples-for-net-master\RmsFileWatcher\FormRmsFileWatcher.cs:line 276

     etc.

    I've tried tweaking things to ensure that the UI is *not* suppressed (i.e., I'm expecting it to prompt for credentials), but to no avail.

    Having said all this, even if I can get this to work, what we actually need is for this to all work from a web service whereby:

    a) The executable is w3wp.exe - and we won't have permission to generate a manifest etc. for it, so is w3wp.exe already trusted for RMS?

    b) We can't be prompting for credentials, we need to somehow supply them. w3wp will be running as a system account and we won't have the ability to specify an email address via Active Directory (which I'd seen suggested might work, though I haven't tried it).

    Any assistance much appreciated,

    Dylan

     

     

    Sunday, February 1, 2015 11:37 PM

All replies

  • NB I've tried using SymmetricKeyCredential too but get the same error. It's rather unclear how to fill the parameters for this out - if you use the powershell command  New-MsolServiceprincipal you get an AppPrincipalId and a base-64 key, and I can get the tenantId from Get-MsolCompanyInformation - but the info online suggested you're supposed to get a service identity in ACS, but I can't see how to get the AppPrincipalId in that case.

    Also I tried setting the Heirarchy registry DWORD back to 0 and deleting the manifest file and interestingly enough I still get the same error. It seems then that these aren't needed if using Cloud/Azure-based RMS?


    Monday, February 2, 2015 12:28 AM
  • Hi Dylan,

    Have you managed to resolve your authentication issue? I'm in the exact same situation right now.

    As far as I know, the manifest is not required when using APIMode.Server so I'm using the SymmetricKeyCredential, but it seems to be ignored.

    Sunday, May 24, 2015 11:42 AM