Active Directory Rights Management Services - AD RMS

Required Critical Update for AD RMS Customers

Today Microsoft is releasing an update to AD RMS to completely remove the "application manifest expiry" feature. This update is particularly important for AD RMS customers using Internet Explorer, because the certificate for the RMA add-in for Internet Explorer will expire on February 22nd.  The RMA add-in for Internet Explorer allows users to view content with restricted permission in Internet Explorer.   It is critical that these customers install the update before then, in order to avoid any issues accessing or protecting web-based content. 

For more details, you can read the recent blog post on the Microsoft Forefront team blog.

Tips for Troubleshooting AD RMS and AD FS Integration

Are you troubleshooting AD RMS and AD FS integration?  This post will help you get started but it is not a comprehensive look at the specific issues you may encounter. 

Which fields are case-sensitive when installing AD FS?

There are several case-sensitive fields when configuring AD FS to work with AD RMS.  Your organization's Federation Service URI value, located in the Trust Policy Properties box, must match the Federation Service URI value your partner configures in the Add Partner Wizard.  These two fields are shown in the following image:

   

The client computers in the external (FS-A) domain contain the following registry entry: HKEY_Local_Machine/Software/Microsoft/MSDRM/Federation/FederationHomeRealm whose value is the Federation Service URI of the FS-A.  This value also must match the URI value of the FS-A exactly.

Custom claim names are also case sensitive.  In AD FS and AD RMS integration, custom claims can be created for the ProxyAddresses attribute and you should ensure that the cases match when creating the custom claim, extracting the claim after creating the Active Directory account store, and matching the ProxyAddresses claims when configuring your AD FS partner.

Finally the application URLs for the AD RMS certification and licensing pipelines, which are configured in the Add Application Wizard, are case sensitive. 

What network port does AD FS use?

By default AD FS uses port 443 for all communications between the federation servers, federation proxy servers, and clients.

What is the flow of communication in AD FS and AD RMS?

This diagram shows the flow of communication for a user in an AD FS account forest to successfully consume protected content for the first time:

Additional Resources:

The AD FS team has developed the AD FS Diagnostic Tool to help troubleshoot AD FS.  The AD FS Diagnostic Tool can help you diagnose common configuration issues that occur when setting up an AD FS deployment, including certificate issues.  For more information or to download the tool visit the AD FS team blog: http://blogs.technet.com/adfs/archive/2007/11/01/adfs-diagnostic-tool.aspx.

Integrating AD RMS and SharePoint

AD RMS can be used to protect Microsoft Office SharePoint Server 2007 document libraries.  If you would like to integrate your SharePoint server with AD RMS here are a few links to get you started:

• The AD RMS Deployment with Microsoft Office SharePoint Server 2007 Step-by-Step Guide guides you through the process of deploying AD RMS and Office SharePoint Server in a test environment.
• The topic Secure Collaboration Using Federated AD RMS with Microsoft Office SharePoint Server 2007 contains several articles about using AD RMS with Office SharePoint Server, including how to integrate AD RMS and Office SharePoint Server 2007 and how to provide external partners with secure access to protected libraries by using AD FS.
• The Secure Collaboration using AD RMS, MOSS and AD FS podcast will teach you how to integrate AD RMS and Office SharePoint Server and also how to use AD FS to provide single sign-on (SSO) access to protected document libraries.
• Learn how to enable AD RMS and Office SharePoint Server integration in the AD RMS Integration with MOSS, Exchange and Windows Mobile TechNet Virtual Lab. In this lab you will integrate AD RMS with Office SharePoint Server, create a protected library, and verify AD RMS functionality in a virtual lab environment.

Creating AD RMS Templates

A few customers have recently asked us about how to create AD RMS rights policy templates.  Here are a few links that should help you create and deploy AD RMS rights policy templates in your organization:

• The AD RMS Rights Policy Templates Deployment Step-by-Step Guide walks you through the process of creating and deploying AD RMS rights policy templates in a test environment. In this guide, you create a rights policy template that gives read-only access to members of an Active Directory Domain Services group, using the rights policy template creation wizard.
• The topic Configuring Rights Policy Templates contains several articles about rights policy templates including procedures to create, edit, and archive templates.
• The article AD RMS Rights Policy Template Considerations provides detailed information about rights policy template creation and deployment. It includes a list of the rights available when you create a rights policy template and a brief description of how those rights are interpreted by the AD RMS client.
• Once you have created a rights policy template, you must distribute it to your end users. The AD RMS team blog post Templates, Distribution, and Why You Should Care provides a good overview on template distribution and answers some of the frequently asked questions concerning rights policy template deployment.

Available AD RMS Webcasts

The AD RMS team has put together several webcasts as part of a series called Microsoft Forefront: Integrate and simplify with greater protection and control, which explains Microsoft's identity and security products.  These webcasts provide a great opportunity to learn how AD RMS integrates with other Microsoft solutions. 

• Windows Server 2008 R2 AD RMS and FCI Better Together: Learn how AD RMS integrates with the Windows Server 2008 R2 File Classification Infrastructure (FCI) and how to use the new AD RMS Bulk Protection Tool.
• Windows Server 2008 R2 AD RMS and Exchange Server 2010 Better Together: Learn how AD RMS works with Microsoft Exchange Server 2010 for information protection and compliance.
• Secure Collaboration Using AD RMS, MOSS and AD FS: Discover how to provide extranet access to Information Rights Management (IRM) protected documents stored on Microsoft Office SharePoint Server 2007 using Active Directory Federation Services (AD FS).

To view the complete list of topics in the Microsoft Forefront webcast series visit the Microsoft Forefront On-Demand Webcasts page.

AD RMS Architecture Video Series: Client Deployment Best Practices

When you deploy Active Directory Rights Management Services there are a few client settings to configure before your users can create and consume protected content.  In addition, AD RMS offers some customizable options that you can use to tailor your AD RMS clients to fit the needs of your organization.  In the Client Deployment Best Practices video Enrique Saggese, a Senior Microsoft Consultant, describes several of these settings and shares a few tips for deploying AD RMS to your clients.

This is the sixth clip in our AD RMS architecture video series about how to design and deploy AD RMS. All of the videos are available on TechNet Edge as a series of short videos.  Here is a list of the videos that have been published so far:

• How it works: Active Directory Rights Management Services
• AD RMS Certificates and Licensing on the Client and the Server
• AD RMS Certificate Hierarchy and the Protection Process
• Deployment Tips for the AD RMS Infrastructure
• AD RMS and Multiple Forest Integration
• AD RMS Client Deployment Best Practices

New Step-by-step Guides: AD RMS in a Resource Forest and AD RMS Bulk Protection Tool

The AD RMS team has recently published two new step by step guides:

• Active Directory Rights Management Services in a Resource Forest - End-to-end Solution - This guide explains how to set up and automate AD RMS in a resource forest environment. In this scenario, clients in an account forest use Microsoft Exchange and AD RMS, which are located in the resource forest, to create and consume protected e-mails.
• Active Directory Rights Management Services Bulk Protection Tool and File Classification Infrastructure Step-by-Step - This guide explains how to configure the AD RMS Bulk Protection Tool and File Classification Infrastructure in a test environment. In this guide, the AD RMS Bulk Protection Tool works in conjunction with FCI to apply AD RMS rights policies to multiple AD RMS protected files based on classifications that are determined by FCI.

AD RMS Architecture Video Series: How AD RMS Works

A successful deployment of Active Directory Rights Management Services depends on a careful consideration of how AD RMS works and how it interacts with other objects in your network environment. Enrique Saggese, a Senior Microsoft Consultant, recently gave a presentation about AD RMS design and deployment, which we are making available on TechNet Edge as a series of short videos.

In the first video in this series, Enrique describes the process and components that AD RMS uses to protect and consume IRM-enabled content.

Micah LaNasa, Technical Writer

Microsoft Office 2003 Cannot Open Documents Protected with RMS

The issue of the inability to open documents protected with AD RMS with Microsoft Office 2003 has now been resolved with a hotfix. You can obtain the hotfix at the following locations:

Office Client – KB978551

Word Viewer – KB978558

Excel Viewer – KB978557

Protecting a Microsoft Office Word Document with AD RMS

Perhaps you are new to Active Directory – Rights Management Services and you have yet to see a demonstration of the technology. We recently posted a short screencast video on the Windows Server 2008 “How Do I?” Videos site that demonstrates a simple scenario where a user shares a protected Word document with another user in her organization. The purpose of the video is to give you an introduction to AD RMS by enabling you to see how it works in practice.

If you would like to go further in your understanding of AD RMS, you can view the following TechNet webcasts, geared toward an IT professional audience, that go into more detail about the product:

• Rights Management Services in Windows Server 2008
• Microsoft Active Directory Rights Management Services Overview
• Microsoft Active Directory Rights Management Services: Installation Best Practices

 

Activate Information Rights Management in SharePoint

Recently we had a case where a customer was having some difficulty activating an IRM-protected document library in SharePoint on a server running Windows Server 2008. He got the following error:

Information Rights Management (IRM): There was a problem while trying to activate a rights account certificate.
Unspecified connection error. Try activating again later.

Error value: 8004cf3b

A common cause of this error is that the SharePoint server cannot contact the AD RMS server, due to a 502 Proxy Gateway error.

To resolve this issue: You can set WinHTTP proxy settings on Windows Server 2008 or Windows Server 2008 R2 using the Netsh command-line tool. You can add the AD RMS Server URL to the proxy bypass list on the computer that is running SharePoint to enable it to bootstrap correctly. The following is an example where https://myRmsServer is added to the proxy bypass list:

netsh winhttp set proxy proxy-server="myProxyServer.mydomain.corp.contoso.com:80" bypass-list= https://myRmsServer

 

Custom IRM Protectors

We occasionally get questions from customers about creating custom IRM protectors. Protectors are components that are used to apply AD RMS protection to files when they are added to document libraries like those in Windows SharePoint Services 3.0. Specifically, protectors “convert custom files types to rights-management formats when the user downloads them, and then convert those files back to nonencrypted file formats when the user uploads them for storage in the document library.”

The AD RMS team recently released an IRM protector implementation that protects files in Microsoft Office formats, such as .docx, .xlsx, and so on. Included with these is some documentation that can help you implement these protectors provided by the AD RMS team or with your own custom protector implementation.

Documentation_OfficeFileFormatProtectors – This document contains reference documentation for the protector interface and other required interfaces.

Developer’s Walkthrough Microsoft Office 2007 File Format Protectors for AD RMS – This document discusses setting up a pre-production development environment and implementing the I_IrmCyrpt interface, which is used to enable document encryption and decryption, and I_IrmPolicyInfoRMS, which holds licenses and other information used by a protector.
 

The AD RMS Bulk Protection Tool Has Arrived

We heard from the AD RMS community and we acted! Today, we are extremely proud to announce the availability of the AD RMS Bulk Protection Tool on Microsoft Download Center.

The AD RMS Bulk Protection Tool is a command-line tool that can decrypt multiple AD RMS protected files or encrypt multiple files to a predefined rights-policy template. This tool can be used to perform e-discovery of content for litigation or audit purposes, or to safeguard existing sensitive data on company shares. It also works in conjunction with the File Classification Infrastructure (FCI) feature in Windows Server 2008 R2 to classify and protect sensitive company data.

Here are some additional details:

Features

• Simple command-line interface
• Bulk decrypt RMS supported files and items within Outlook PSTs
• Bulk encrypt RMS supported files to a custom template
• Extensible to other file formats via IRM protector implementation

System Requirements

• Windows XP, Windows Vista, Windows 7, and Windows Server 2008 R2
• The tool requires installation of RMS Client SP2 and .NET Framework 2.0 SP2 on Windows XP
• Outlook 2007 is needed for decrypting items within PST files

You can refer to the AD RMS Bulk Protection Tool help file that is included with the tool for more usage details.

...and finally, we hope you enjoy the tool!

Yours truly,
Clinton Ho, Saket Kataruka, and Adeel Zaidi
The AD RMS Bulk Protection Tool Team

AD RMS and PowerShell

PowerShell has been included in Windows Server 2008 R2. If you haven’t heard of it, it’s “a command-line shell and scripting language that helps IT professionals achieve greater productivity and control system administration more easily.” You can learn more about it at the PowerShell Website or at the PowerShell team’s blog.

The AD RMS team recently release a guide called Using Windows PowerShell with AD RMS:

This guide explains how to use the Windows PowerShell cmdlets that enable you to install, configure, and administer the AD RMS server role on a computer running Windows Server 2008 R2. It introduces the Windows PowerShell providers that implement AD RMS-specific cmdlets, describes the namespace that these cmdlets work in, and also shows how to use general-purpose cmdlets, such as Set-Itemproperty, to manipulate items in these namespaces that represent AD RMS settings.

If you need more information, you can also visit the reference documentation for the AD RMS cmdlets.
 

AD RMS and Group Expansion

We get occasional questions from customers about AD RMS and group expansion across forests. The following are a few links that can help answer your questions concerning group expansion:

• The topic Deploying RMS Across Forests contains a thorough explanation of how AD RMS works in a multiple-forest environment: “RMS uses Active Directory to identify users and distribution groups. When an organization’s Active Directory deployment includes multiple forests, RMS uses contact objects to obtain the identities of users and groups that are part of a different forest than the RMS server.”
• The topic Release Notes for Windows Rights Management Services with Service Pack 2 contains a brief description of the group expansion functionality available in Windows RMS SP2: “…group expansion across forests facilitates the ability for RMS to expand Active Directory Universal group membership in a different forest where group memberships are not replicated between two forests…”
• Jason Tyler, a senior support engineer, has a post on his blog called Troubleshooting your RMS Server and Group Membership: “The only time that I usually will get on an RMS server to track things down (once it is setup and provisioned), is when I get a call from someone who says 'I am sending this RMS/IRM protected message to a group, and people in the group cannot open the message'.”