
Templates, Distribution, and Why You Should Care

One of the great features of Active Directory Rights Management Services (AD RMS) is rights-policy templates. A template is something that an AD RMS administrator designs that provides a set of users, and/or groups, with a predefined set of rights. These templates are then used by AD RMS-enabled applications to enforce policies. You can read much more about AD RMS templates on TechNet here.

One of the big problems that IT administrators encounter with rights-policy templates is how to distribute them to end users. If the end user does not have the template, they can’t use the predefined policies. In previous versions of AD RMS (Windows Rights Management Services v1.0 SPx), Group Policy objects (GPO) were used as the primary means for template distribution. The AD RMS administrator would post the template .xml files to a UNC share and use GPO to push them to clients. There was no built-in way for the client to fetch templates.

Another problem with templates pertained to AD RMS-enabled applications and their developers. Applications that utilize templates typically allow the user to select which template they’d like to use to protect their content. This poses a problem for the application because there is no centralized location where the RM client stores templates, and no built-in way to discover them programmatically. The application was responsible for locating them in its own way (usually by way of registry key overrides). This resulted in different applications that would look for templates in different locations. This was problematic, to say the least. 

Enter Template Distribution. So what is template distribution and, ultimately, why should you care? Starting with Windows Vista Service Pack 1, the AD RMS client is able to fetch templates (this requires the AD RMS server to be at least Windows Server 2008) and store them in a centralized location. How? Through scheduled tasks and APIs, that’s how.

  • Scheduled Tasks - There are two scheduled tasks: one manual, and one automated. The automated task runs silently in the background and suppresses authentication prompts (choosing to fail instead). The manual task is the same as the automated task, except that it does not suppress authentication prompts (as opposed to failing silently). When the task executes, it first makes a request to the server to get its template information. From the information returned, the client can determine whether it a) has the correct templates and b) has the most up-to-date version of them. If either of these conditions is not met, the client acquires (or re-acquires) the templates from the server.
  • Client API - In addition to scheduled tasks, the AD RMS client provides developers with an API that can be used to discover and acquire templates for their application. You can read more about that here.

Note: It is important to point out that archived templates are not distributed to clients. This process applies only to distributed templates, hence the name.

Sounds great, right? But I’m sure you have some questions. So here’s an FAQ:

Q. Why are there two tasks, automated and manual?
A. There are two tasks because the end-user shouldn’t ever have to see a random credential UI for something that runs in the background and, even worse, for something they have no clue what it’s for. The automated task is designed to fail in this case, for this specific reason. The manual task can be invoked at any time by the user.
Q. How often will the automated task run once it’s enabled?
A. Once the task is enabled, the client will fetch templates (assuming it has never done this before). Afterwards, it creates the following registry key and populates it with the current time: HKCU\Software\Microsoft\MSDRM\TemplateManagement\lastUpdatedTime. Moving forward, the task checks the current time against the value in this registry key. If the date is off by 30 days or more, the client attempts to fetch templates again and the lastUpdatedTime is refreshed with the new date.
Q. So the default period is 30 days – can I change it?
A. Yes, this can be configured by setting the following registry key: HKCU\Software\Microsoft\MSDRM\TemplateManagement\updateFrequency (DWORD).
Q. Won’t all of the clients make requests at the same time and start a DoS attack?
A. No. When the client determines that it needs to fetch new templates, it picks a random time within the next hour. This staggers the requests, so the scheduled task can be enabled broadly in a large organization.
Q. Are the templates contained in TPDs distributed?
A. No, templates contained in trusted publishing domains (TPD) are not distributed.
Q. Why aren’t my archived templates being distributed?
A. Wasn’t this answered already? Alright, here goes again. No, only distributed templates will be distributed to clients via template distribution.
Q. Is the automated task enabled out-of-the-box?
A. No, the automated task is not enabled when Windows is installed, since the majority of Windows users are not in an enterprise. 
Q. Where does the client store the templates?
A. The client stores templates here: %userprofile%\AppData\Local\Microsoft\DRM\templates.
Q. Is this functionality available on Windows XP, Windows Server 2003, or Windows Vista RTM?
A. No, this functionality is provided only on Vista SP1 and above.
Q. Is this functionality available for Windows Rights Management Services v1.0 SPx on Windows Server 2003?
A. No, this functionality is available only on Windows Server 2008 and above.

And there you have it – template distribution made easy.

Jody Hendrix, Lead Software Design Engineer in Test

Posted by tonytri

New Content: AD RMS and Active Directory Objects

The AD RMS team has recently published new content that summarizes the required and optional AD DS user and computer objects for an AD RMS implementation.

The following abstract provides some details:
Microsoft Active Directory Domain Services (AD DS) is a Windows-based directory service. AD DS stores information about objects on a network and makes this information available to users and network administrators. For example, these objects can include user and computer accounts. AD DS is a requirement for installing and implementing AD RMS.

 

Posted by tonytri

New Content: AD RMS Performance and Logging Best Practices

The AD RMS team has recently published new content that details best practices for properly scaling and managing your AD RMS infrastructure.

The following abstract details the contents of this documentation:
Here we describe the scaling scheme for an AD RMS infrastructure, we define sizing parameters for the server roles in an AD RMS infrastructure, and we describe logging characteristics of AD RMS that enable adequate performance monitoring. We also present real-world data regarding Microsoft’s own production implementation of AD RMS in order to enable you to perform preliminary sizing estimates for your own infrastructure.

We hope these guidelines prove to be helpful to you as you configure your AD RMS environment.

 

Posted by tonytri

New Content: AD RMS Client Deployment and Usage Considerations

The AD RMS team has recently published new documentation that discusses best practices for managing your AD RMS client deployment.

The following abstract provides some details about the content:
Active Directory Rights Management Services (AD RMS) is an information protection technology that works with enabled applications to help safeguard digital information from unauthorized use. Content owners can define exactly how a recipient can use the information, such as who can open, modify, print, forward, or take other actions on the information.

AD RMS includes server-side technologies as well as client-side technologies. On the client, an RMS client must be in place, RMS enabled applications must be deployed and information protection policies and templates must be delivered.

In this paper we describe the best practices for safely and efficiently getting all those components in place on the client, as well as options for configuring the client in different scenarios.

 

Posted by tonytri

New Content: Information-Rights-Management Architecture and Design Guidance for AD RMS Application Developers

Bhushan Nene and Trent Swanson, architects on our Global Partner team, recently published a white paper that can give you insight into building applications that use AD RMS information rights management technology.

The following abstract details the contents of the document:
This white paper provides architecture and design guidance for building an Information Rights Management (IRM)-aware application using Microsoft Active Directory Rights Management Services (AD RMS).  It presents a number of application patterns as well as best practices that you can use for developing IRM-aware applications. It covers basic consume and publish scenarios as well as complex federated scenarios that make use of Active Directory Federation Services (AD FS). It makes extensive reference to the IRM Application Patterns Reference Implementation available for download at the MSDN Code Gallery.

We hope you find it to be helpful.

 

Posted by tonytri

Meet the Team: Peter Gilson

What is your work background?
I have been working in IT for 22 years now. I have worked for manufacturing companies and financial institutions; software houses and consulting shops; 100 year old companies and start-ups. I’ve spent most of my career programming in some language or another, either attempting to get systems working or trying to break them. After writing this short summary I feel nicely rounded, but also very old!

How did you come to be a part of the AD RMS team? How long have you worked with the team?
I have been part of the AD RMS team since it formed in 2001. Before working on RMS I worked on various other projects at Microsoft including eBooks and MSN.

What is your role?
I work on the team that tests how AD RMS features function in various scenarios. We work as advocates for customers during design discussions with developers and program managers. Then we create tools that simulate how real customers will make use of new features when they ship. We spend a lot of our time pushing the AD RMS product to its limits, both from performance and scenario perspectives. We also get to play hacker, trying to break into pre-release AD RMS bits before the real bad guys get a chance.

If you worked on previous versions of AD RMS, what did you work on?
I have worked on lots of different aspects of the AD RMS product, but I’ve spent most of my time working on the server-side components. The last major release I worked on was an update to the version of RMS that runs in the cloud and uses Windows Live ID as an identity provider.

What is your favorite aspect of the technology?
One of my favorite aspects of AD RMS Server is often overlooked: the logging database. This database got a major overhaul in version 2 of RMS when it shipped with Windows Server 2008. The database now has a highly normalized schema, which makes it both more efficient and easier to query.

It’s probably a reflection on the quality of my social life, but I really enjoy an evening of digging into a fully populated AD RMS logging database! It’s amazing how much one can learn by slicing and dicing this data in different ways. For example, here at Microsoft we spotted a defect in an AD RMS enabled application by observing an unusual pattern of user transactions. This defect was almost imperceptible by end users, but had a big impact on the server deployment (in case you are wondering, the bug has since been fixed).  

What’s your favorite breakfast cereal?  ;)
Kellogg's Power Puff Girls Cereal: Rice Krispies featuring "power-packed clusters that fizz in your mouth" (pop rocks). Sadly discontinued.

Any last words?
Live long and prosper.

Posted by tonytri

Group Expansion for Federated Users

[Note - This post assumes the reader is familiar with terms such as issuance license, rights-policy templates, and AD RMS trust policies (federated trust).  In summary, an issuance license represents the usage policy for a piece of content and contains a list of authorized users and usage rights assigned to each user. Rights-policy templates are used to control the rights that a user or group has on a particular piece of rights-protected content. Federated trust refers to using Active Directory Federation Services to establish trust between two forests.

This blog post references Windows Server 2008 R2. The release candidate for Windows Server 2008 R2 can be downloaded at www.microsoft.com. Please see the AD RMS with AD FS Identity Federation Step-by-Step Guide to learn how to configure an AD RMS server to work with Active Directory Federation Services (ADFS).]

AD RMS in Windows Server 2008 R2 can support groups that contain external, federated users. In Windows Server 2008, federated users had to be individually named in the issuance license or individually added to an AD RMS rights-policy template. Now, because group expansion for federated users is supported, it is possible to add federated users to a group and create protected content specifically for the group. This can be accomplished by creating a contact object for the federated users in Active Directory, in the forest where the AD RMS server is located, and adding that contact object to the group where you want to include the federated users.

Here’s an example:
Contoso has AD RMS and a group called TopSecretProj@Contoso.com. Contoso has decided to collaborate with Fabrikam. Usr01@Fabrikam.com must access all content that is shared with the TopSecretProj@Contoso.com group.  The IT administrator in Contoso can create a contact object for Usr01@Fabrikam.com in Active Directory and add the new contact object as a member of TopSecretProj@Contoso.com. 
As long as you have identity federation support configured and enabled between the two companies, Usr01@Fabrikam.com has access to all the content published for TopSecretProj@Contoso.com.

Sunitha Samuel, Lead Software Design Engineer in Test

 

Demystifying “Owner”

[Note: This post assumes the reader is already familiar with terms such as issuance license, use-license, rights account certificate (RAC) and client licensor certificate (CLC). In summary, an issuance license represents the usage policy for a piece of content and contains a list of authorized users and usage rights assigned to the user. A use-license enables end-users to encrypt or decrypt RMS-protected content. It is typically issued by the RMS Server, given the issuance license and RAC corresponding to the end-user. The use-license is issued to the user identified by the RAC, and contains the symmetric key used to encrypt or decrypt content, as well as all the usage rights granted to the user in the issuance license. A CLC is used for creating protected content offline, without requiring a connection to the RMS server.]

The term Owner is overloaded in the RMS Client API and is used in a lot of different contexts, such as to specify the OWNER right, an OWNER license, or an OWNER user. This post will attempt to clarify the various contexts in which the term Owner is used.

OWNER Right

This is the simplest and easiest to understand usage of the word Owner. The OWNER right is used to indicate that the user granted this right has full control (i.e. implies all possible rights even if they are not explicitly granted) on the content that the issuance license is associated with.

For example, if a user is explicitly granted only the OWNER right in the issuance license, the call to DRMCreateBoundLicense with wszRequestedRights in DRMBOUNDLICENSEPARAMS set to EDIT (or PRINT, or VIEW, and so on) will return success because the platform will detect that the user is granted the OWNER right. 

OWNER License

Offline publishing (enabled by passing in the DRM_SIGN_OFFLINE flag in DRMGetSignedIssuanceLicense) lets a user encrypt or decrypt content without requiring a connection to the RMS server. This is useful not just for publishing while offline, but also when online, as a performance optimization, to avoid the cost of going over the network. An OWNER license is a special use-license that is created by the RMS client to enable offline publishing. It gives the end-user performing the publishing operation (i.e. the user to whom the CLC, passed in the wszClientLicensorCertificate parameter, belongs) a use-license containing the OWNER right, with no expiration. This enables the end-user to use the OWNER license to encrypt the document, as well as access the encrypted document without requiring a connection to the RMS server.

An OWNER license is created even if the issuance license does not explicitly grant the user any rights, making this useful in scenarios where the user account applying RMS protection uses an RMS template that does not grant the user account any rights. For example, a data scanning and protection service that runs as Local System can use the OWNER license to apply protection to sensitive documents using RMS templates that grant access to only end-users.

Note that this capability should be used carefully. Since a highly privileged account can impersonate the built-in accounts, for security reasons, you may not want that user account to have any rights to the document once it is finished publishing. In such a scenario, the OWNER license should not be persisted to disk, should be used only in memory and discarded when encrypting the document is completed. This can be done by using the DRM_OWNER_LICENSE_NOPERSIST flag at the time of signing the issuance license, which ensures that the owner license is never written to disk. The in-memory copy of the OWNER license can always be retrieved using the DRMGetOwnerLicense API, irrespective of whether the DRM_OWNER_LICENSE_NOPERSIST flag is specified.

OWNER User

This is the least understood usage of OWNER. It is referenced in two places in the documentation: in the description of the “Internal” user id type in DRMCreateUser and as the hOwner parameter in DRMCreateIssuanceLicense. A user specified in the issuance license is typically identified by a user ID, such as an email address or SID, that specifies which user should get the assigned rights when a use-license is requested. An OWNER user is a special type of user whose user ID is not explicitly stated in the list of users and rights in the issuance license, but is obtained from the user set, as the hOwner parameter, when the issuance license is created.

This is useful for creating issuance licenses from templates in scenarios where an enterprise wants the same template applied to all sensitive documents, but wants a different owner for each document, depending on the author. Specifically, consider an example with two documents: one authored by user A, and another authored by user B. Both need to be protected by the same “Company Confidential Read Only” template, which grants all users listed in the template Read Only access. It is important that the document authors have full access to their content, but not to each other’s content, so they cannot both be listed with the OWNER right in the template. Also, it is not recommended to modify rights information in an issuance license created from a template, so the user corresponding to the document author should not be explicitly added to the issuance license with the OWNER right.

The problem in this scenario can be solved by enabling the following setting while creating the template on the server: “Grant owner (author) full control right with no expiration”, which translates to the following snippet in the resulting template (the OWNER right is granted to a user of type “Internal” and id “Owner”):

        <RIGHTSGROUP name="Main-Rights">
          <RIGHTSLIST>
            <RIGHT name="OWNER">
              <CONDITIONLIST>
                <ACCESS>
                  <PRINCIPAL>
                    <OBJECT>
                      <ID type="Internal">Owner</ID>
                    </OBJECT>
                  </PRINCIPAL>
                </ACCESS>
              </CONDITIONLIST>
            </RIGHT>
            ...
            ...
          </RIGHTSLIST>
        </RIGHTSGROUP>

Note that a client side template can be created similarly, using the DRMCreateUser API (by creating a user with wszUserId as “OWNER” and wszUserIdType as “Internal”) and then granting the user the OWNER right.

Using such a template for creating issuance licenses means that a different owner can be specified for every document author: one issuance license can be created from the template with user A set as hOwner in DRMCreateIssuanceLicense, and another issuance license can be created from the same template with user B set as owner. The user specified by hOwner is captured in the issuance license as the OWNER in the METADATA tag as follows:

<WORK>
  <OBJECT type="Sensitive Document">
    <ID type="MS-GUID">{0CC81A3A-7EA0-4A57-A90A-43C1C2AC868C}</ID>
    <NAME>Sensitive Document</NAME>
  </OBJECT>
  <METADATA>
    <OWNER>
      <OBJECT>
        <ID type="Windows" />
        <NAME>userA@company.com</NAME>
      </OBJECT>
    </OWNER>
  </METADATA>
</WORK>

When a use-license is requested from the RMS server for such an issuance license, the RMS server looks for the special OWNER user in the list of users and, if it exists, checks if an owner was specified in the METADATA of the issuance license. If the RAC corresponding to the end-user making the request for the use-license contains the same email address as the one listed in the METADATA of the issuance license, the end user is issued a use-license containing the OWNER right, with no expiration.

Note that for the hOwner user specified in DRMCreateIssuanceLicense to have any effect, a template containing the OWNER user must be specified, making this a little unintuitive. Instead, it might have been better if the hOwner specified always got OWNER rights. We’ll look into improving this in future releases of our product.
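The use-license decision for the OWNER user, as described above, can be modelled in a few lines to audit whether a given template will honour hOwner. This is an added example, not code from the original post or from AD RMS; the function names, the VIEW grant, the allstaff@company.com group, userB and the case-insensitive address comparison are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed inputs modelled on the fragments in the post. The VIEW grant and
# the allstaff@company.com group are made up for this example.
VIEW_GRANT = """
    <RIGHT name="VIEW">
      <CONDITIONLIST><ACCESS><PRINCIPAL><OBJECT>
        <ID type="Windows" />
        <NAME>allstaff@company.com</NAME>
      </OBJECT></PRINCIPAL></ACCESS></CONDITIONLIST>
    </RIGHT>"""
OWNER_GRANT = """
    <RIGHT name="OWNER">
      <CONDITIONLIST><ACCESS><PRINCIPAL><OBJECT>
        <ID type="Internal">Owner</ID>
      </OBJECT></PRINCIPAL></ACCESS></CONDITIONLIST>
    </RIGHT>"""
WRAP = '<RIGHTSGROUP name="Main-Rights"><RIGHTSLIST>{}</RIGHTSLIST></RIGHTSGROUP>'
TEMPLATE_WITH_OWNER = WRAP.format(OWNER_GRANT + VIEW_GRANT)
TEMPLATE_WITHOUT_OWNER = WRAP.format(VIEW_GRANT)

# The WORK element from the post: user A was passed as hOwner.
WORK_OWNED_BY_A = """
<WORK>
  <OBJECT type="Sensitive Document">
    <ID type="MS-GUID">{0CC81A3A-7EA0-4A57-A90A-43C1C2AC868C}</ID>
    <NAME>Sensitive Document</NAME>
  </OBJECT>
  <METADATA>
    <OWNER>
      <OBJECT>
        <ID type="Windows" />
        <NAME>userA@company.com</NAME>
      </OBJECT>
    </OWNER>
  </METADATA>
</WORK>
"""
# Constructed: an issuance license created without an hOwner.
WORK_NO_OWNER = "<WORK><OBJECT><NAME>Sensitive Document</NAME></OBJECT><METADATA /></WORK>"

NO_PLACEHOLDER = "template has no Internal/Owner user, so hOwner has no effect"
NO_METADATA_OWNER = "issuance license METADATA names no owner"
NOT_OWNER = "requester's RAC address differs from the METADATA owner"
GRANTED = "use-license with the OWNER right, no expiration"


def has_owner_placeholder(rights_xml):
    """True if the OWNER right is granted to the special Internal/Owner user."""
    root = ET.fromstring(rights_xml)
    for right in root.iter("RIGHT"):
        if right.get("name") != "OWNER":
            continue
        for ident in right.iter("ID"):
            # The post spells the id both "Owner" and "OWNER", so ignore case.
            text = (ident.text or "").strip().lower()
            if ident.get("type") == "Internal" and text == "owner":
                return True
    return False


def metadata_owner(work_xml):
    """Return the owner recorded under WORK/METADATA/OWNER, or None."""
    name = ET.fromstring(work_xml).find("./METADATA/OWNER/OBJECT/NAME")
    if name is None or not (name.text or "").strip():
        return None
    return name.text.strip()


def owner_decision(rights_xml, work_xml, rac_email):
    """Model of the OWNER path only; other rights in the template are not evaluated."""
    if not has_owner_placeholder(rights_xml):
        return (False, NO_PLACEHOLDER)
    owner = metadata_owner(work_xml)
    if owner is None:
        return (False, NO_METADATA_OWNER)
    # Assumption: addresses are compared without regard to case.
    if owner.casefold() != rac_email.strip().casefold():
        return (False, NOT_OWNER)
    return (True, GRANTED)


if __name__ == "__main__":
    cases = [
        ("owner template, user A", TEMPLATE_WITH_OWNER, WORK_OWNED_BY_A, "userA@company.com"),
        ("owner template, user B", TEMPLATE_WITH_OWNER, WORK_OWNED_BY_A, "userB@company.com"),
        ("plain template, user A", TEMPLATE_WITHOUT_OWNER, WORK_OWNED_BY_A, "userA@company.com"),
        ("owner template, no hOwner", TEMPLATE_WITH_OWNER, WORK_NO_OWNER, "userA@company.com"),
    ]
    for label, rights, work, rac in cases:
        print(label, "->", owner_decision(rights, work, rac))
```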

Pankaj Kamat, Senior Software Design Engineer

Posted by tonytri

Meet the Team: Amit Fulay

What is your education and work background?
I have a Bachelor’s degree in Computer Engineering from University of Pune, India and a Master’s degree in Computer Science from Florida State University. I joined Microsoft in summer of 2001, straight out of school.

How did you come to be a part of the AD RMS team? How long have you worked with the team?
I have worked on the RMS team since its v1 days in 2003. I’ve worked on several releases of the product including SP1, SP2, Windows Vista and Windows Server 2003 &  2008. I moved to adCenter for 2 years before coming back to the team last October. The opportunity and the great people on this team were too big a draw to ignore.

What is your role?
I am a Lead Program Manager responsible for Services and Integration with various workloads.

If you worked on previous versions of AD RMS, what did you work on?
I have worked on almost every part of the product including RMS client, server, services and deployment.

What is your favorite aspect of the technology?
What I love the most about coming here every day is that I get to build a product that solves people’s real problems. Being on this team is like working in a startup within Microsoft and when we get things right in terms of software, we can impact millions of customers. I don’t know of many other places that offer such an opportunity.

What’s your favorite breakfast cereal?  ;)
Kellogg’s Vanilla-Almond, I can eat it every morning….

Any last words?
None, you will hear from me on this blog again.

 

Posted by tonytri

Learn at Tech-Ed 2009

Microsoft Tech-Ed is coming to Los Angeles on May 11th-15th.

You'll go back to your office with knowledge and expertise that only five days at Tech Ed can offer. You can learn about today’s cutting edge trends, helping make life easier for you (and everyone else) at work. But the most important benefit just might be the networking: you can build personal connections with Microsoft experts and peers that will last far beyond Tech-Ed.

Among the 20 technical tracks is a Security, Identity, and Access track that will feature AD RMS and related technologies. Some of the sessions highlighting AD RMS are the following:

  • Using Active Directory Rights Management Services and Microsoft Exchange to Protect Sensitive E-mail Communication (SIA324) - E-mail is one of the primary leak vectors for sensitive business information. Learn how Active Directory Rights Management Services and Exchange are helping to prevent confidential data from being inappropriately disclosed. (Amit Fulay, Fri 5/15 | 10:45 AM-12:00 PM | Petree Hall D)
  • Federated Collaboration Using Microsoft Office, SharePoint, Active Directory Rights Management Services, and Microsoft "Geneva" (SIA306) - This lab walks you through how to set up a B2B environment using Microsoft code name "Geneva" and Office SharePoint Server 2007 to publish sensitive documents for external users, and using Active Directory Rights Management Services to prevent sensitive information. It is intended for IT professionals who are looking to implement an end-to-end, federation-based collaboration solution. (Vijay Gajjala and Tariq Sharif, Thu 5/14 | 1:00 PM-2:15 PM | Theatre (Room 411))
  • Protect against Information Leaks with Microsoft Active Directory Rights Management Services and RSA Data Loss Prevention Solutions (SIA311) - Information is our customers' most valuable asset. It must be protected, yet also be shareable. Find out how Microsoft and RSA are partnering to combine the benefits of Enterprise Rights Management (ERM) and Data Loss Prevention (DLP) for the most effective approach to discovering, classifying, and protecting confidential business data from inappropriate disclosure while still enabling necessary business collaboration. (Mohan Atreya and Marcio Mello, Tue 5/12 | 2:45 PM-4:00 PM | Room 402)

See the list of sessions to see details about each session mentioned here, and other sessions.

We will also have some hands-on labs. Additionally, be sure to stop by and talk with the team at our product booth in the pavilion. It will be a great opportunity for you to see some of the new scenarios where AD RMS is helping organizations protect their information.

We hope to see you there.

Posted by tonytri

Meet the Team at the RSA Conference

The RSA Conference is one of the largest information security and identity conferences in existence. It’s happening next week, April 20th-24th, at the Moscone Center in San Francisco.
 
RSA® Conference 2009 offers enterprise and technical professionals one-stop learning. With targeted classroom sessions, innovative and interactive programs, provocative keynotes and a solutions-filled expo hall, RSA® Conference 2009 is the unbiased third party resource information security professionals rely upon.
 
The AD RMS team is sending a group of members to the conference, so be sure to look for them at the conference exposition, in the Microsoft booth, and ask them all of your information protection questions.
 
We hope to see you there.

 

Posted by tonytri

Tuning Your AD RMS Server to Work Well with the Exchange 2007 SP1 Pre-Licensing Agent

If you are already using the AD RMS Pre-Licensing agent that shipped with Exchange 2007 SP1, you probably know how it can speed up the experience of end users opening RMS protected content in Outlook, but did you also know that you can optimize the performance of your AD RMS server in this scenario?

The secret to this optimization is a clever cache that was added in the Windows Server 2008 version of AD RMS. When turned on, this cache stores a pre-RAC for each user in the DRMS_Config database. From this point on, any application that calls the PreCertify() web method on the AD RMS server (e.g. the Exchange AD RMS Pre-Licensing Agent) will receive a much faster response.

By default this pre-RAC cache is turned off. To turn it on you will need to update a setting in the DRMS_ClusterPolicies table of your DRMS_Config database.

[Warning: Make sure you have a fresh backup of your DRMS_Config* database before making any changes to it.]

Run the following SQL query to check the state of the pre-RAC cache setting:

SELECT PolicyData FROM dbo.DRMS_ClusterPolicies WHERE PolicyName = 'GroupIdentityCertificateStorage'

Run the following SQL query to turn ON the pre-RAC cache:

UPDATE dbo.DRMS_ClusterPolicies SET PolicyData = 1 WHERE PolicyName = 'GroupIdentityCertificateStorage'

Run the following SQL query to turn OFF the pre-RAC cache:

UPDATE dbo.DRMS_ClusterPolicies SET PolicyData = 0 WHERE PolicyName = 'GroupIdentityCertificateStorage'

Is there a downside? Well, there’s no such thing as a free lunch. All of these cached pre-RACs will consume a bit more space in your DRMS_Config database, so be prepared for it to grow slightly. In our test lab, we observed the DRMS_Config database growing by about 40 extra MBs, per 5000 new users, when this cache is turned on.

Peter Gilson, Senior Test Lead

Posted by tonytri

Opening AD-RMS Protected Files on Your Windows Mobile Phone

Thanks to Elizabeth at MS for the following post...

Perform these steps to set up Active Directory-Rights Management Services on your Windows Mobile phone:

  1. Before you can set up AD-RMS on your phone, you need to make sure that you have Active Directory-Rights Management Services installed on your computer. If you’re running Windows Vista, AD-RMS is already installed. If you’re running Windows XP, you’ll need to install it through Add or Remove Programs in the Control Panel (if you don’t see Rights Management Services listed in Add or Remove Programs, you can download it directly from the Microsoft Download Center).  If you are able to open protected content (a protected document in Office Word, for instance), you have AD-RMS properly installed and configured. Once you have AD-RMS installed, ensure that your computer is connected to your corporate network and to the domain.
  2. Connect your phone to your computer through a USB cable.
  3. If you’re using ActiveSync:
    1. In ActiveSync, on the Tools menu, click Advanced Tools > Activate Information Rights Management.
    2. In the Information Rights Management Activation dialog box, click Yes, and ActiveSync will try to activate IRM automatically.
    3. If ActiveSync isn’t able to access your credentials, you’ll be asked to re-enter the information, including your user name, password, and domain.  Click Retry.
    4. After you’ve successfully activated Information Rights Management, click OK.
  4. If you’re using Windows Mobile Device Center:
    1. Click Mobile Device Settings > Activate Information Rights Management.
    2. Enter your credentials (user name, password, domain), and click Activate.
    3. After you’ve successfully activated Information Rights Management, click Done.
Posted by tonytri

End of support for Windows Rights Management Services V1.0

March 23, 2009 will bring a close to support for Windows Rights Management Services V1.0 as part of the Microsoft Lifecycle Policy. Microsoft will retire public and technical support, including security updates, by this date.

As of this date users will no longer be able to activate or re-activate clients, and may be unable to produce or use Rights-Protected content unless they upgrade to a newer version of Windows Rights Management Services Client.  This includes  Windows Rights Management Services Client V1.0 SP2, or the Windows Rights Management Services Client available as part of Windows Vista or Windows Server 2008.  When users attempt to activate Windows Rights Management Services Client V1.0 using Microsoft Office they will receive the following error message “This service is temporarily unavailable.  Ensure that you have connectivity to the server.  This error could be caused because you are offline, your proxy settings are preventing your connection, or you are experiencing intermittent network issues.”  Users attempting to activate via other RMS enabled applications may receive different error messages.

Microsoft is retiring support for this product because it is outdated and can expose customers to security risks.

We recommend that customers who are still running Windows Rights Management Services Client V1.0 upgrade to a newer version as soon as possible.  Windows Rights Management Services Client V1.0 SP2 can be downloaded from the following links.
Windows Rights Management Services Client V1.0 SP2 client (x86)
Windows Rights Management Services Client V1.0 SP2 client (x64)

Windows Rights Management Client V2.0 is also available as part of the Windows Vista and Windows Server 2008 operating systems.  Information about Windows Vista is available at http://www.microsoft.com/windows/windows-vista/default.aspx.  Information about Windows Server 2008 is available at http://www.microsoft.com/windowsserver2008

We recommend that customers who are still running Windows Rights Management Services V1.0 servers upgrade to a newer version such as Windows Rights Management Services with Service Pack 2 as soon as possible.

Posted by tonytri

Identity and Access Webcasts

We are running a series of webcasts on Identity and Access solutions from Microsoft beginning in November and going on through March 2007. These webcasts will include a lot of technical information on RMS as well. Some more details below:
 
Microsoft offers a broad range of technologies and products to enable a customer’s identity and access infrastructure. This web-cast and virtual lab series is designed to educate Technical Decision Makers (TDMs), and IT Professionals about Microsoft’s IDA solution areas centered around the following products:

  • Windows Rights Management Services (RMS)
  • Active Directory Federation Services (ADFS)
  • Microsoft Identity Integration Server (MIIS)
  • Certificate Lifecycle Manager (CLM)
  • Active Directory (AD)

These webcasts are structured under different categories. The categories take attendees from Product/Solutions Overview (what the product is and how it can help the customer’s infrastructure), to Deployment, and through the other categories to “What is New for the Future”.

To register for any of these webcasts, including our kickoff webcast: “Identity and Access Vision and Strategy”, visit this link: IDA Webcasts

We will be adding more webcasts to this list, so please be sure to visit this site again!

Hope you find this useful
 
Mayur

Posted by rightsmanagement