AD RMS Prelicensing Agent on Exchange side. Pure prelicensing testing.

  • Question

  • Hello everybody!

    My SCOM server reports a prelicensing issue, and it's time for me to understand what this actually is. Now it is clear that the Exchange server acquires a Use License on behalf of the end user in the middle of the delivery path. So the end user doesn't really need to contact the RMS server anymore to acquire a Use License; it was embedded in the email. It is also clear that this feature is active as soon as I activated InternalLicensing. 

    I ran Test-IRMConfiguration -Sender xxxx -Recipient xxxx and the cmdlet said that a prelicense was successfully acquired from the licensing servers for Recipient. So, from the servers' point of view everything works perfectly. 

    Correct me if I'm wrong, but as I understood, the prelicensing feature allows the recipient to open IRM-protected content (email and attachment) even while offline. Non-authoritative proof. To my understanding "offline" means that the end user (recipient) has no access to the URLs of the RMS servers. It is actually easily done in a test environment by modifying the hosts file and looping the RMS URLs to 127.0.0.1. 

    So, I sent an email with an attachment from User1 to User2 and protected it with a custom RMS template. 

    User2 has no access to the RMS server (RMS activation was done before; CLC, RAC - everything is in a folder). User2 opens Outlook, and when it tries to open the protected email, the system says that it requires reaching the RMS server to acquire a Use License to open the protected content. Hey, but what about prelicensing? 

    User1 sends User2 an email with an attachment and protects them with the "Do not forward" template. User2 can open the content even while offline. To tell the truth, this mystery case with the "Do not forward" template is out of the scope of my interest, since this template is not going to be a part of the production deployment. 

    What am I doing wrong? Has anybody tested the RMS pure prelicensing feature? 

    Thanks. 

    Tuesday, November 4, 2014 4:45 PM

All replies

  • Your assessment of how it should work is correct.

    To really see what's happening we would have to do a client-side trace.

    Here are the instructions:
     · Close all Office applications
     · Create the following registry keys
      HKLM\Software\Microsoft\MSDRM, DWORD “Trace” set to “1”
      HKLM\Software\Microsoft\MSIPC, DWORD “Trace” set to “1”
      HKLM\Software\Wow6432Node\Microsoft\MSDRM, DWORD “Trace” set to “1”
      HKLM\Software\Wow6432Node\Microsoft\MSIPC, DWORD “Trace” set to “1”
      
     · Download Debug View from here (sysInternals)
      ○ http://technet.microsoft.com/en-us/sysinternals/bb896647.aspx
     · Launch Debug View as Administrator
     · Under Capture, verify Capture Win32 and Capture Global Win32 are checked.
     · Under the File menu choose Log To File
     · Reproduce the problem

    Wednesday, November 12, 2014 9:10 PM
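
    The registry part of the trace procedure above as a script. This is an added example, not part of the original reply; the function names and the `-Remove` switch are hypothetical, and it assumes PowerShell 3 or later run from an elevated prompt.

```powershell
# Added example. Run from an elevated PowerShell prompt on the client machine.
# Registry paths and the "Trace" value are the ones listed in the reply above.
$TraceKeys = @(
    'HKLM:\Software\Microsoft\MSDRM',
    'HKLM:\Software\Microsoft\MSIPC',
    'HKLM:\Software\Wow6432Node\Microsoft\MSDRM',
    'HKLM:\Software\Wow6432Node\Microsoft\MSIPC'
)

function Get-RmsClientTrace {
    # Report the current Trace value under each key (blank = not set).
    foreach ($key in $TraceKeys) {
        $value = (Get-ItemProperty -Path $key -Name Trace -ErrorAction SilentlyContinue).Trace
        New-Object PSObject -Property @{ Key = $key; Trace = $value }
    }
}

function Set-RmsClientTrace {
    param([switch]$Remove)   # hypothetical switch: delete the values this function created

    # Step 1 of the procedure: Office must be closed before the keys are set.
    $office = Get-Process -Name OUTLOOK, WINWORD, EXCEL, POWERPNT -ErrorAction SilentlyContinue
    if ($office) {
        Write-Warning ("Close these first: " + (($office | Select-Object -ExpandProperty Name -Unique) -join ', '))
        return
    }

    foreach ($key in $TraceKeys) {
        # The Wow6432Node keys only apply to 64-bit Windows.
        if ($key -like '*Wow6432Node*' -and -not [Environment]::Is64BitOperatingSystem) { continue }
        if ($Remove) {
            if (Test-Path $key) {
                Remove-ItemProperty -Path $key -Name Trace -ErrorAction SilentlyContinue
            }
        } else {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name Trace -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
    Get-RmsClientTrace
}

Set-RmsClientTrace            # enable, then start DebugView and reproduce the problem
# Set-RmsClientTrace -Remove  # afterwards: delete the Trace values again
```
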
  • Hi,

    I have just tested and confirmed following scenario:

    From inside the network I have sent several messages from user1 to another user2. On my Windows Phone I have configured an Exchange account for user2 (Exchange is published to the Internet). The RMS server is not published to the Internet, so I can only rely on Exchange prelicensing. The outcome is that user2 got all messages and was able to view the content of the email, which means that Exchange took care of prelicensing. However, when opening any of the test attachments (with custom template and with Do Not Forward), the attachments were calling for a connection to the RMS server... 


    Did my post help you or make you laugh? Don't forget to click the Helpful vote :) If I answered your question please mark my post as an Answer.

    Friday, November 14, 2014 9:44 PM
  • Hi Andrzej. Thank you for taking care of my case. 

    Actually I did testing only for emails without an attachment; I wanted to reduce the number of components involved in my testing. 

    I'd like to admit that your results are so interesting. As I said in the original post, I started investigating this case because of SCOM's reports, which say: 

    "

    Alert Rule:    KHI: Transport User PreLicensing and/or Server Licensing Impacted - More than 5% of IRM messages failed prelicensing or server licensing in the last 30 minutes - Red(>5).

    ObjectName: MSExchange Prelicensing Agent

    CounterName: Over 5% of messages failed prelicensing or server licensing in last 30 minutes

    Value: 1

    Knowledge: http://go.microsoft.com/fwlink/?LinkID=67336&id=D571B10E-235E-4919-91AD-4AB9D8B8493C

    "

    According to your results I am really interested: 

    Q1: How does Exchange process messages with attachments: is it OK that you can't open the attachment and can open the message body? Is it the expected result by design? 

    Q2: Why can't I reproduce this case in my environment? I see that RMS (root) reacts every time an IRM-protected email crosses Exchange. But I see successful prelicensing results only when using the "Don't forward" template. 


    Q3: If an email's attachment isn't prelicensed by design (not confirmed), then probably the "5% failed prelicensing" report makes sense and shows that the attachment wasn't prelicensed. But why is this case monitored by SCOM (by the sealed SCOM MP)? 

    Q4: This topic is slowly moving into the Exchange area, as I see. Is it possible to share this topic with the Exchange team as well?

    Thanks, Andrzej and Eddies. 





    • Edited by zubkoff.s Monday, November 17, 2014 9:57 AM New picture uploaded
    Monday, November 17, 2014 9:54 AM
  • Hi,

    Enrique Saggese is describing prelicensing in "Accessing protected content offline and content pre-licensing" here: http://blogs.technet.com/b/information_protection/archive/2011/06/19/accessing-protected-content-offline-and-content-pre-licensing.aspx

    It is said "(...) 5) When the email is delivered to the user, the user will be able to double click on the email and have it open without having to acquire a license. The same will be true for any attachments that were protected with the email. (...)". What I assume it means is that you can view your protected attachments in Web-Ready Document Viewing or simply in a web browser (if your RMS template and Exchange are configured to allow viewing in a web browser).

    Maybe you can try to re-enable RMS in the Exchange console:

    • Set-IRMConfiguration -InternalLicensingEnabled $false
    • Set-IRMConfiguration -InternalLicensingEnabled $true

    And BTW, can you check in your Exchange console

    • If the Test-IRMConfiguration -Sender testaccount@yourdomain.com command passes with no warnings/errors
    • If you can see all your custom templates by running Get-RMSTemplate | fl



    Monday, November 17, 2014 4:38 PM
  • Hi,

    I have some progress in my testing: prelicensing works for message body and attachment(s).

    But here I'd like to admit several important things: 

    1. Prelicensing works only if the author uses a template with the box "Require a new license every time content is consumed (disable client-side caching)" unchecked.

    2. Prelicensing works only if the "Don't Forward" template is in use, or any custom template from the Root Cluster (but not from the Licensing Only cluster). 

    3. I couldn't reproduce your case where you can open the message body but can't open the protected attachment. 

    ---

    Answers: 

    1. The Get-RMSTemplate cmdlet brings templates from the Root Cluster only (+ Don't Forward), but nothing from the Licensing Only cluster. Do you have the same results? Looks like Exchange knows nothing about the Licensing Only cluster. Is it true, is it by design?

    2. Test-IRMConfiguration works well. I set the -Sender and -Recipient parameters. 

    Acquiring Prelicense for '<recipient@>' from RMS Licensing Uri (https://<rms_root_cluster_URL>/_wmcs/licensing) ...

        - PASS: Prelicense acquired.

    OVERALL RESULT: PASS

    As you see, the RMS Root cluster was in use during the test, but there is nothing about the Licensing Only cluster.

    What happens when Sender sends an email which is protected with a template from the Licensing Only cluster? The Prelicensing Agent MUST reach the Licensing Only cluster URL to obtain a valid EUL. The test above doesn't cover this case. Test-IRMConfiguration actually confirms the same as I got in my tests: prelicensing works when using a template from the Root Cluster. 

    Do I need to do some extra tricks to force Exchange to "see" the Licensing Only cluster (templates)?

    So, does prelicensing work for custom templates from the Licensing Only cluster? Should these templates from the Licensing Only cluster be enumerated by Get-RMSTemplate? 



    Tuesday, November 18, 2014 1:31 PM
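
    The Exchange-side checks discussed in the two posts above, combined into one function for the Exchange Management Shell. This is an added example, not code from the thread; the function name, template names and mailbox addresses are hypothetical placeholders. It lists which expected templates Get-RMSTemplate actually returns, since in this thread prelicensing only succeeded for templates that the cmdlet enumerated.

```powershell
# Added example. Run in the Exchange Management Shell.
# Template names and addresses below are constructed placeholders.
function Test-PrelicensingReadiness {
    param(
        [string[]]$ExpectedTemplates = @('Custom Template A', 'Custom Template B'),
        [string]$Sender    = 'user1@example.com',
        [string]$Recipient = 'user2@example.com'
    )

    # Prelicensing depends on internal licensing being enabled.
    $irm = Get-IRMConfiguration
    if (-not $irm.InternalLicensingEnabled) {
        Write-Warning 'InternalLicensingEnabled is False: the Prelicensing Agent will not act.'
    }
    # Licensing URLs Exchange has been configured with (may be empty).
    Write-Host ("LicensingLocation: " + ($irm.LicensingLocation -join ', '))

    # Templates Exchange can enumerate; compare against what senders actually use.
    $visible = @(Get-RMSTemplate)
    foreach ($name in $ExpectedTemplates) {
        $match = $visible | Where-Object { $_.Name -eq $name } | Select-Object -First 1
        $guid  = $null
        if ($match) { $guid = $match.TemplateGuid }
        New-Object PSObject -Property @{
            Template          = $name
            VisibleToExchange = [bool]$match
            TemplateGuid      = $guid
        }
    }

    # End-to-end check, including prelicense acquisition for the recipient.
    Test-IRMConfiguration -Sender $Sender -Recipient $Recipient
}

Test-PrelicensingReadiness
```

    A template reported with VisibleToExchange = False is one to test separately with a client-side trace, because the Test-IRMConfiguration run does not exercise it.
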
  • Hi again,

    Thanks for sharing your discoveries!

    These are good questions, but to be honest, I have never tried that with a Licensing Only Cluster. Unfortunately, currently I don't have much time to tshoot this more deeply :(

    If you find any solution or answer, please share...




    Thursday, November 20, 2014 5:58 PM