AD RMS FAQs

Table of Contents

Users / Information Workers
How do I configure IP Viewer for template locations?
Can IP Viewer be used for bulk operations?
What about ad hoc policy support in IP Viewer?
Can AD RMS be defeated by rolling back a local clock to within a caching period?

IT Professionals
I got this message from Office trying to open a protected mail, what should I do? "This content could not be accessed using your current credentials. Do you want to use your Microsoft account to access this content?"
Where should I post my AD RMS questions?
Which blogs should I follow for AD RMS?
Where can I find the overviews for AD RMS?
Does AD RMS work on Windows Mobile devices?
How do I control which users can access AD RMS?
In MOSS, what’s the effect of setting “users must verify their credentials every 0 days”?
What are the registry overrides I can use?
What are the changes in IRM/RMS registry settings for Office 2010?
How can I protect PDF/ZIP/RAR/other files?
How can I audit user access to protected content?
What’s the support story for iPhone/iPad/Blackberry?
What happens if I set the RAC validity duration to zero?
How can I deploy AD RMS if I can’t register the SCP?
I’m trying to set up AD RMS, but the Setup Wizard can’t find my SQL Server. What’s wrong?
How can I use licensing clusters for SharePoint?
When are documents encrypted / decrypted when uploaded/downloaded from SharePoint?
What versions of Microsoft Office are supported for AD RMS?
Can I control printing of SharePoint docs on a per-doc, per-user, per-printer basis?
Can I use dynamic or query-based distribution groups with AD RMS?
We’re changing everyone’s e-mail address. How can I make sure they can still open previously protected content?
Does Windows XP support RMS 2048-bit keys?
Can I use secured storage locations such as SmartCards or HSMs to store my AD RMS encryption keys at each client?
Will Windows Azure AD Rights Management be offered as an on-premise hosted service within corporations who are wary of entrusting their private keys with Microsoft?

Developers: AD RMS SDK 2.x / File API
What does it mean when you say that IPC_LI_APP_SPECIFIC_DATA doesn't work with templates?
What is the rate of protection of files using the File API?
What is the best way to retrieve information (previously stored key-value pairs, etc.) from an encrypted file?
Is there a way to calculate and display the effective rights of a user before a template (security group) is applied?
When will SDK 2.1 and File API be released?
Is it possible to add / replace protectors?
How does the default language behavior work with functions that take an LCID parameter?
The license buffer returned from SerializeLicense in this case appears to be a Unicode string, is that due to the IPC_LI_DEPRECATED_ENCRYPTION_ALGORITHMS flag?
Is there a way to enable remote debugging on an AD RMS site?
What encryption algorithm does IPC_LI_DEPRECATED_ENCRYPTION_ALGORITHMS
Is there a non-programmatic way to recognize whether a file is already protected with AD RMS?
Is it possible to also encrypt/decrypt, using File API Beta SDK, such files as stream data?
How can we invoke all IPC methods with invisible or silent mode?

Developers: AD RMS SDK 3.x (iOS, Android, Windows Store Apps)
When is Mac and WP8 SDK coming?
When will you support creating ad-hoc policies with RMS SDK v3?
Do you protect and display video files as well in RMS SDKs?
What’s the default encryption algorithm without the IPC_LI_DEPRECATED_ENCRYPTION_ALGORITHMS flag set?
Will the new RMS SDKv3 support AD RMS (or will it always require Azure AD RM connectivity)?
Why does the Logon screen pop up a few times with a blank screen after I correctly enter my credentials?
I don’t see Ad-hoc Policy selection UI in the protection workflow. Why?
How will the new SDKs work with AD RMS on-prem servers?
How do I get new organizational tenants to try out the SDK and sample application?
I don’t see any test hierarchy discussion here in the documentation. Why?
Which programming languages do you support for Windows RT application development?
After I enter proper credentials, I receive the "ADRMS 3.0 SDK Error" message. What might be the reason?
I'm trying to protect or consume content for the first time on the device, and I immediately received the "ADRMS 3.0 SDK Error" message. What might be the reason?
I included the support package in my Android Java project, and my build failed. Why?
How will the new APIs support application validation?

Users / Information Workers
How do I configure IP Viewer for template locations?
IPViewer.exe depends upon AD RMS 2.1 to load templates and connect to an RMS server. With the release of AD RMS 2.0, the registry settings that configure which templates to load and which RMS server to use changed. See AD RMS Client 2.0 Settings (http://technet.microsoft.com/library/jj159267(v=ws.10).aspx) for more information.
Can IP Viewer be used for bulk operations?
IP Viewer is meant to be a user-driven feature and thus does not provide automation or scripting support. The RMS Bulk Protection Tool still works with MSDRM and, because of this, won't work with O365. The Bulk Protection Tool will be the primary feature driving automated protection with O365; we are undertaking the task of updating it to use the File API (adding O365 support) in the months to come.
What about ad hoc policy support in IP Viewer?
Ad hoc policies are not supported currently. Please only open content protected using templates.
Can AD RMS be defeated by rolling back a local clock to within a caching period?
Applications built on MSDRM or MSIPC (e.g., Office 2007/2010/15) all have clock rollback protection built in. Simply setting the clock backwards will be detected, and the client will be forced to contact the RMS server.

IT Professionals
I got this message from Office trying to open a protected mail, what should I do? "This content could not be accessed using your current credentials. Do you want to use your Microsoft account to access this content?"
Close Office and run this command to clear the cached MSIPC state:
rd /q /s "%LOCALAPPDATA%\Microsoft\MSIPC"
Where should I post my AD RMS questions?
If you need an answer that is not covered on this page or linked to from this page, you will probably get it quickest through search.
However, if you cannot find the answer, you can post your rights management services questions to the Rights Management Service (http://social.technet.microsoft.com/Forums/en-US/rms/threads) forum. Please, be sure to search the forum before posting, to see if that question has already been answered in another thread. If you find that you've got a commonly asked question and answer, please, add it to this article.
Does AD RMS work on Windows Mobile devices?
Yes, see How Do I Use AD RMS in Windows Mobile. Also look at the new AD RMS SDK 3.x release information in the developer section below.
How do I control which users can access AD RMS?
Controlling who can access AD RMS within forests where it has been deployed can be done through two different and non-mutually-exclusive approaches:

1. Configuring clients to disable IRM UI elements in Office.
In Office 2003 and later you can set the HKCU\Software\Microsoft\Office\X.0\Common\DRM\Disable DWORD registry value to 1 to eliminate all AD RMS integration features in Office (the X must be replaced by the Office version: for example, "11" is Office 2003, "12" is Office 2007 and "14" is Office 2010). Users with this value set will not be able to protect new content nor access protected content in any Office application. In Office 2007 and later you can alternatively set the HKCU\Software\Microsoft\Office\X.0\Common\DRM\DisableCreation DWORD value to 1 to disable the menu options and ribbon buttons that allow users to protect messages, while retaining the ability to consume, modify and reply to protected content as allowed by the document’s policy.
Note: Keep in mind that if you are using a 32-bit version of Office on a 64-bit operating system, you will need to put the aforementioned registry values under the HKCU\Software\WoW6432node registry key.
Other RMS-enabled applications might provide similar capabilities. It is recommended to deploy these settings to the clients through GPO by creating groups for RMS-enabled and non-RMS-enabled users and targeting GPOs with the appropriate values at the different groups.

2. Blocking access to AD RMS services at the server.
By applying Access Control Lists to the Certification and Licensing URLs on the AD RMS servers you can block users from obtaining Licenses and Rights Account Certificates, and thus from participating in the AD RMS environment. This option will not make the UI elements in Office disappear, and it will cause users to see prompts for authentication, so whenever possible the first approach should be used.

It is not recommended to control who can access AD RMS by limiting deployment of the RMS client, since this will result in a poor user experience and potentially help-desk calls when users manually install the client as instructed by the Office wizards.
In MOSS, what’s the effect of setting “users must verify their credentials every 0 days”?
It has the effect of disabling the need to verify credentials, making licenses valid indefinitely (or for as long as the user’s RAC and the content are valid). It does not set the duration of the licenses to 0 days.
What are the registry overrides I can use?
A list of valid registry overrides for the RMS client, Office applications, RMA and the XPS client can be accessed at AD RMS Settings (http://technet.microsoft.com/en-us/library/dd941629.aspx).
What are the changes in IRM/RMS registry settings for Office 2010?
For Office 2010, the AD RMS registry settings remain consistent with the settings documented and used in earlier versions of AD RMS and Microsoft Office. The location in the Windows registry, however, has changed. Office registry settings for IRM in Office 2010 need to be configured under the HKCU\Software\Microsoft\Office\14.0\Common\DRM\ registry key. 32-bit versions of Office running on a 64-bit operating system need the registry values to be put under the HKCU\Software\WoW6432Node\Microsoft\Office\X.0\Common\DRM\ key.
How can I protect PDF/ZIP/RAR/other files?
For Adobe PDF formatted documents, several partners such as GigaTrust (http://www.gigatrust.com/), Secure Islands (http://www.secureislands.com/), and Foxit Software (http://www.foxitsoftware.com/rms/) offer security suite products that implement AD RMS support for IRM on PDF files. For more information on other file formats, see AD RMS Supported Files (http://blogs.msdn.com/b/rms/archive/2010/03/12/ad-rms-supported-files.aspx).
How can I audit user access to protected content?
AD RMS logs information in the AD RMS logging database every time a license is acquired, but since document protection is performed offline there are no references in the database to document names or other identifiers created when a document is protected. By extracting the GUID of the document of interest (it can be seen as clear text when opening the document in a text editor) and looking it up in the logging database, you can find out which users have acquired licenses to consume the document. The document’s GUID is found at the following location in the file:
<WORK><OBJECT type="Microsoft Office Document"> <ID type="MS-GUID">
The GUID then has to be looked up in the logging tables described in AD RMS Logging Database Tables (http://technet.microsoft.com/en-us/library/dd772686(WS.10).aspx).
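The GUID extraction step above, as an added example that is not part of the original page: a small Python script that scans a protected file for the <OBJECT><ID type="MS-GUID"> element of the embedded publishing license and normalises the GUID for the logging-database lookup. It assumes the license text is stored either as UTF-16LE (as in Office documents, where it is readable in a text editor) or as UTF-8, and the sample bytes and GUID are constructed for the demonstration.

```python
import re
import sys
import uuid
from typing import Iterator, List, Tuple

# Constructed sample: a fragment of the publishing license (XrML) as embedded in a
# protected Office document. The GUID is made up for this example, not a real one.
SAMPLE_LICENSE_TEXT = (
    '<WORK><OBJECT type="Microsoft Office Document"> '
    '<ID type="MS-GUID">{12345678-1234-1234-1234-123456789ABC}</ID>'
    '</OBJECT></WORK>'
)
# Office keeps the license as UTF-16LE text surrounded by binary data; zero-byte
# padding imitates that here (constructed bytes, not a real document).
SAMPLE_FILE_BYTES = b"\x00" * 64 + SAMPLE_LICENSE_TEXT.encode("utf-16-le") + b"\x00" * 32

# The <OBJECT type="..."><ID type="MS-GUID"> path named in the answer above.
_GUID_RE = re.compile(
    r'<OBJECT\s+type="([^"]*)">\s*<ID\s+type="MS-GUID">\s*\{?([0-9A-Fa-f-]{36})\}?\s*</ID>'
)


def _candidate_texts(data: bytes) -> Iterator[str]:
    """Yield decodings of the raw bytes under each encoding the license may use.

    UTF-16LE is tried at both byte alignments because the license need not start
    on an even file offset; UTF-8 covers other RMS-enabled formats (assumption).
    """
    yield data.decode("utf-16-le", errors="ignore")
    yield data[1:].decode("utf-16-le", errors="ignore")
    yield data.decode("utf-8", errors="ignore")


def extract_document_guids(data: bytes) -> List[Tuple[str, str]]:
    """Return (object type, GUID) pairs for every MS-GUID found in the file bytes.

    GUIDs are normalised to lowercase without braces so they compare cleanly
    against values stored in the logging database; malformed candidates are skipped.
    """
    found: List[Tuple[str, str]] = []
    for text in _candidate_texts(data):
        for match in _GUID_RE.finditer(text):
            object_type, raw_guid = match.group(1), match.group(2)
            try:
                guid = str(uuid.UUID(raw_guid))  # validates and normalises
            except ValueError:
                continue
            if (object_type, guid) not in found:
                found.append((object_type, guid))
    return found


def main(argv: List[str]) -> int:
    # Usage: python extract_guid.py <protected-file>; prints one line per GUID found.
    if len(argv) != 2:
        print("usage: extract_guid.py <protected-file>", file=sys.stderr)
        return 2
    with open(argv[1], "rb") as fh:
        data = fh.read()
    for object_type, guid in extract_document_guids(data):
        print(f"{object_type}: {guid}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The printed GUID is what you search for in the logging tables; the script deliberately does not parse the rest of the XrML.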
What’s the support story for iPhone/iPad/Blackberry?
Our AD RMS partners provide solutions for accessing protected content on third-party devices. GigaTrust in particular provides solutions for accessing protected email and documents on iPhone, iPad and BlackBerry devices.
What happens if I set the RAC validity duration to zero?
By default, a standard RAC is valid for 365 days and a temporary RAC is valid for 15 minutes. After the end of these periods, users must acquire new certificates when they attempt to acquire publishing or use licenses. The manner in which the RAC is renewed depends on the AD RMS-enabled application. In some cases, it might be transparent; in others, the user might need to actively submit a request.
In a default AD RMS configuration, the standard RAC validity period is 365 days. This means RAC files could be cached on user computers for up to a year. (RAC files are stored in the %userprofile%\Local Settings\Application Data\Microsoft\DRM folder.) By using the AD RMS console to set a duration of zero days for the standard RAC validity period, caching of standard RAC files is effectively blocked. This necessitates maintaining online access to the AD RMS server, as temporary RAC files only remain valid for 15 minutes. Users’ computers are forced to ask the AD RMS server for new licenses the next time they need to encrypt or decrypt content, unless they are still within the window in which the temporary RAC is valid. Such a setting could be effective for installations where users access AD RMS-enabled content from public computers such as airport kiosks or Internet cafes.
For more information, see Specify the Rights Account Certificate Validity Duration (http://technet.microsoft.com/en-us/library/cc732630.aspx).
How can I deploy AD RMS if I can’t register the SCP?
You can configure clients to activate against specific AD RMS cluster URLs by pre-provisioning them through registry values or GPOs. The registry values used to configure RMS clients are documented at AD RMS Settings (http://technet.microsoft.com/en-us/library/dd941629.aspx).
I’m trying to set up AD RMS, but the Setup Wizard can’t find my SQL Server. What’s wrong?
There are a couple of possible reasons why AD RMS Setup is not finding SQL Server. One possibility is that you need to specify a non-standard TCP port for AD RMS to locate and communicate with the SQL Server computer. For more information, see Specifying a nonstandard SQL port when installing AD RMS (http://blogs.msdn.com/b/rms/archive/2010/12/01/specifying-a-nonstandard-sql-port-when-installing-ad-rms.aspx).
Another possible reason for the inability to access SQL Server is that the account installing AD RMS lacks Sysadmin rights on the database server. When AD RMS is installed, an AD RMS configuration database is created on the database server. This database holds the configuration data for the AD RMS cluster. If the configuration database cannot be created during installation, AD RMS will not install. In order to create this database on the database server, the user account that is being used to install AD RMS needs permission to create databases on the database server, which requires the Sysadmin role to be granted to this account on SQL Server. These rights can be removed after all AD RMS nodes are installed. For more information on these requirements, see Event ID 193 — AD RMS Cluster Installation (http://technet.microsoft.com/en-us/library/cc726159(WS.10).aspx).
If granting these rights is not possible because the database server is shared with other sensitive workloads, it is possible to configure AD RMS to use a temporary database server and then back up and restore the databases to the final server without requiring Sysadmin rights to be granted there.
Also, if a CNAME or other DNS alias is used to refer to the database server from AD RMS (as is highly recommended), the HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\DisableStrictNameChecking DWORD registry value needs to be set to 1 on the database server in order for that system to accept being invoked by the DNS alias.
How can I use licensing clusters for SharePoint?
If you want to use a licensing-only cluster to provide licenses to SharePoint, you have to configure SharePoint to use the specific AD RMS licensing URL in the SharePoint configuration UI.
To configure the AD RMS licensing URL in Microsoft Office SharePoint Server
When are documents encrypted / decrypted when uploaded/downloaded from SharePoint?
When a SharePoint library is protected with AD RMS, a document is protected with an ad-hoc policy each time it is downloaded by a user. The policy grants rights to the user downloading the document (and only to that user) based on the rights the user has on the SharePoint library. When a document that SharePoint protected on download is uploaded back to the library, SharePoint removes the protection from the document before storing it. For more information on how AD RMS and Microsoft Office SharePoint Server integrate, review the diagram and IRM permissions table in Integrating AD RMS and SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/ee259515(WS.10).aspx) on the TechNet Library site.
What versions of Microsoft Office are supported for AD RMS?
For more information on the specific support for AD RMS within various releases of Microsoft Office, see AD RMS and Microsoft Office Deployment Considerations (http://technet.microsoft.com/en-us/library/dd772697(WS.10).aspx) on the TechNet Library site.
Can I control printing of SharePoint docs on a per-doc, per-user, per-printer basis?
Currently, there is no native support in AD RMS for controlling printing rights at these levels for IRM solutions that use Microsoft Office SharePoint Server. Third-party AD RMS products and solutions might address some of these requirements.
Can I use dynamic or query-based distribution groups with AD RMS?
Yes, dynamic or query-based distribution groups are supported with AD RMS as long as they are mail-enabled and universal. Although Dynamic DLs are supported, AD RMS only supports one level of nesting, Dynamic DL => User. It does not support the following scenarios:
We’re changing everyone’s e-mail address. How can I make sure they can still open previously protected content?
You need to add each user’s original email address to the user's proxyAddresses attribute in Active Directory. AD RMS will continue to license content to users whose proxyAddresses attribute contains an address that matches a subject of rights in the document’s policy. For more information on updating the proxyAddresses attribute using Windows Script, see How Can I Add an Email Address to the proxyAddresses attribute? (http://blogs.technet.com/b/heyscriptingguy/archive/2005/05/10/hey-scripting-guy-how-can-i-add-an-email-address-to-the-proxyaddresses-attribute.aspx) on the Scripting Guys blog site.
Does Windows XP support RMS 2048-bit keys?
No, you will have to upgrade to a more recent operating system (e.g. Windows Vista, Windows 7) to get 2048-bit key support.
Can I use secured storage locations such as SmartCards or HSMs to store my AD RMS encryption keys at each client?
By design, AD RMS enables secure storage and management of its encryption keys and certificates using either a cryptographic service provider (CSP) or a hardware security module (HSM) installed at the server. To provide sufficient security for the enterprise while removing the need for user-level key management, this functionality was not extended to the client. With the current AD RMS design, end users do not need to understand the details or implications of secure cryptographic storage and key management and therefore should not be involved in choosing where keys are stored.
Will Windows Azure AD Rights Management be offered as an on-premise hosted service within corporations who are wary of entrusting their private keys with Microsoft?
Windows Azure AD Rights Management is a variant of Active Directory Rights Management Services (AD RMS), which is Microsoft's on-premise offering. The multi-tenanted, scale-out, elastic-computing nature of Windows Azure AD Rights Management does not make sense for an on-premise deployment. For example, deploying and running the smallest scale unit of the Windows Azure AD Rights Management service would make an AD RMS installation seem trivial by comparison.

Developers: AD RMS SDK 2.x / File API
What does it mean when you say that IPC_LI_APP_SPECIFIC_DATA doesn't work with templates?
In my scenario it worked fine: IpcCreateLicenseFromTemplateId(), IpcSetLicenseProperty() and IpcfEncryptFile() (license created just before).
Templates are designed so that they work "by reference". For example:
1. An admin configures a template "A" = { user1: VIEW, user2: FULL }.
2. You protect content to template "A".
3. The admin removes user1 from template "A" = { user2: FULL }.
4. The content you protected in step #2 is automatically updated with the new policy.
When you use IPC_LI_APP_SPECIFIC_DATA, you're essentially creating a "from scratch" policy that won't be updated dynamically. Protection will succeed, but you've lost the template backing your policy (i.e., step #4 won’t work).
What is the rate of protection of files using the File API?
Microsoft's IP Team has yet to benchmark the rate of file protection, but much of the code path used by the File API is already in the highly scrutinized Exchange transport pipeline (which is used for protecting Office documents).
What is the best way to retrieve information (previously stored key-value pairs, etc.) from an encrypted file?
If you're storing non-RMS data with the file, you're probably best off creating your own metadata and not using our APIs. If you're storing data that applies on a per-license basis (i.e., data that's part of the RMS policy), then you've got two options:
NEVER try to parse the XrML in your application. We'll break you every time we change the license format.
Is there a way to calculate and display the effective rights of a user before a template (security group) is applied?
Currently we handle group expansion on the RMS server side. It's a very difficult algorithm to get right, and we've got a *lot* of code for it. I would advise strenuously against trying to duplicate this code in your client. Consider this approach: perform a dummy protect followed by an IpcAccessCheck() in order to calculate the user's rights. This lets you offload all of this complicated logic to the server. It won't be speedy, but it won't be any slower than doing the group expansion yourself. You'll need to set the NO_PERSIST flags when you're serializing the license. If you're using the File API, the next drop will have NO_PERSIST flags for IpcfEncryptFile as well.
When will SDK 2.1 and File API be released?
The current plan is to release by early April 2013.
Is it possible to add / replace protectors?
It is not possible to add, remove or replace protectors with the File API.
How does the default language behavior work with functions that take an LCID parameter?
Use 0 for the default locale. In this case, Active Directory Rights Management Services Client 2.0 looks up names and descriptions in the following sequence and retrieves the first available one:
1. User preferred LCID.
2. System locale LCID.
3. The first available language specified in the Rights Management Server (RMS) template.
If no name and description can be retrieved, an error is returned. There can be only one name and description for a specific LCID.
The license buffer returned from SerializeLicense in this case appears to be a Unicode string, is that due to the IPC_LI_DEPRECATED_ENCRYPTION_ALGORITHMS flag?
The AD RMS 2.0 SDK normally uses UTF-8 for the serialized licenses it returns, to limit the increase in the overall size of the generated file. Since MSDRM only understands Unicode licenses, AD RMS returns Unicode serialized licenses when this flag is present.
Is there a way to enable remote debugging on an AD RMS site?
The AD RMS server does not allow remote debugging. A few options that you have are the following:
- Go through the reporting logs.
- Enable tracing on the AD RMS server, which provides detailed logs.
- Enable debugging through checked builds.
Of these options, enabling tracing is probably the most powerful and typically your best option. For more information, see AD RMS Troubleshooting: server-side tracing.
What encryption algorithm does IPC_LI_DEPRECATED_ENCRYPTION_ALGORITHMS
Currently, the IPC_LI_DEPRECATED_ENCRYPTION_ALGORITHMS flag specifically refers to the cipher mode used when the symmetric content key is applied to the content. Using this flag downgrades the cipher mode from the default of CBC4K to ECB mode. Over time, however, this flag may also refer to any other changes needed to maintain MSDRM compatibility.
Is there a non-programmatic way to recognize whether a file is already protected with AD RMS?
There’s no direct non-programmatic way of knowing that a file has been encrypted by AD RMS. Calling the SDK's IpcfIsFileEncrypted() function is the quickest way to check.
Is it possible to also encrypt/decrypt, using File API Beta SDK, such files as stream data?
Stream-based API support has been a consistent ask. It is not available for the current release, but we are looking at this.
How can we invoke all IPC methods with invisible or silent mode?
The easiest way to solve this is by using server mode (IPC_API_MODE_SERVER). When this mode is used, no privacy prompts are shown. For more information, see API Mode Values in the AD RMS SDK 2.1 docs.

Developers: AD RMS SDK 3.x (iOS, Android, Windows Store Apps)
When is Mac and WP8 SDK coming?
It is in the works. You'll hear from us in the next couple of months.
When will you support creating ad-hoc policies with RMS SDK v3?
We are in the process of studying this. No firm dates yet, but the feature is under consideration.
Do you protect and display video files as well in RMS SDKs?
We don't support that yet. At present we do support wrapping video files into Pfiles.
What’s the default encryption algorithm without the IPC_LI_DEPRECATED_ENCRYPTION_ALGORITHMS flag set?
The default encryption algorithm without the IPC_LI_DEPRECATED_ENCRYPTION_ALGORITHMS flag set is CBC4K.
Will the new RMS SDKv3 support AD RMS (or will it always require Azure AD RM connectivity)?
At this time it requires Azure AD RM connectivity. We've made this bet given collaboration needs and their reliance on a cloud identity broker.
Why does the Logon screen pop up a few times with a blank screen after I correctly enter my credentials?
This is a known issue that will be solved in one of the future releases.
I don’t see Ad-hoc Policy selection UI in the protection workflow. Why?
This is being worked on for a later release.
How will the new SDKs work with AD RMS on-prem servers?
The new SDKs work only with Azure AD RM. As you learnt in the webinar, we will enable the AD RMS-AADRM hybrid scenarios on the server side.
How do I get new organizational tenants to try out the SDK and sample application?
To request credentials for Azure AD RM test organizations, please email rmcstbeta@microsoft.com.
I don’t see any test hierarchy discussion here in the documentation. Why?
There’s no test hierarchy concept with the new RMS SDKs. You will always work with the production hierarchy.
Which programming languages do you support for Windows RT application development?
C# for now. We are investigating support for other programming languages in later milestones.
After I enter proper credentials, I receive the "ADRMS 3.0 SDK Error" message. What might be the reason?
Possible reasons:
- Your device might have moved between mobile and wireless networks and its IP address has changed.
- You might have tried to consume content published by a user from a tenant that is currently unsupported.
I'm trying to protect or consume content for the first time on the device, and I immediately received the "ADRMS 3.0 SDK Error" message. What might be the reason?
Possible reasons:
- You might have skipped steps required to install certificates on your device. For installation instructions, see the README located in the cer directory in the installation package.
- You might have tried to consume content published by a user from a tenant that is currently unsupported.
I included the support package in my Android Java project, and my build failed. Why?
The Android support package is already included as part of the ADRMS 3.0 SDK and should not be referenced again from the development project.
How will the new APIs support application validation?
The details remain to be defined, but Microsoft's Information Protection (IP) team has acknowledged that the operating environments the new APIs are designed to run in pose some new challenges. The concept that Microsoft's IP team is now tracking and considering is similar to how modern app stores support "AppIDs".