Active Directory Rights Management Services - AD RMS : Troubleshooting

Microsoft Office 2003 Cannot Open Documents Protected with RMS

tonytri — Sun, 13 Dec 2009 08:26:00 GMT

The issue of the inability to open documents protected with AD RMS with Microsoft Office 2003 has now been resolved with a hotfix. You can obtain the hotfix at the following locations:

Office Client – KB978551

Word Viewer – KB978558

Excel Viewer – KB978557

Activate Information Rights Management in SharePoint

tonytri — Mon, 23 Nov 2009 22:14:00 GMT

Recently we had a case where a customer was having some difficulty activating an IRM-protected document library in SharePoint on a server running Windows Server 2008. He got the following error:

Information Rights Management (IRM): There was a problem while trying to activate a rights account certificate.
Unspecified connection error. Try activating again later.

Error value: 8004cf3b

A common cause of this error is that the SharePoint server cannot contact the AD RMS server, due to a 502 Proxy Gateway error.

To resolve this issue: You can set WinHTTP proxy settings on Windows Server 2008 or Windows Server 2008 R2 using the Netsh command-line tool. You can add the AD RMS Server URL to the proxy bypass list on the computer that is running SharePoint to enable it to bootstrap correctly. The following is an example where https://myRmsServer is added to the proxy bypass list:

netsh winhttp set proxy proxy-server="myProxyServer.mydomain.corp.contoso.com:80" bypass-list= https://myRmsServer

AD RMS and Group Expansion

tonytri — Wed, 16 Sep 2009 21:57:00 GMT

We get occasional questions from customers about AD RMS and group expansion across forests. The following are a few links that can help answer your questions concerning group expansion:

The topic Deploying RMS Across Forests contains a thorough explanation of how AD RMS works in a multiple-forest environment: “RMS uses Active Directory to identify users and distribution groups. When an organization’s Active Directory deployment includes multiple forests, RMS uses contact objects to obtain the identities of users and groups that are part of a different forest than the RMS server.”
The topic Release Notes for Windows Rights Management Services with Service Pack 2 contains a brief description of the group expansion functionality available in Windows RMS SP2: “…group expansion across forests facilitates the ability for RMS to expand Active Directory Universal group membership in a different forest where group memberships are not replicated between two forests…”
Jason Tyler, a senior support engineer, has a post on his blog called Troubleshooting your RMS Server and Group Membership: “The only time that I usually will get on an RMS server to track things down (once it is setup and provisioned), is when I get a call from someone who says 'I am sending this RMS/IRM protected message to a group, and people in the group cannot open the message'.”

Cached mode in Outlook 2003 and RMS

rightsmanagement — Tue, 25 Apr 2006 21:41:00 GMT

Imagine this scenario. You are about to catch a plane. You connect to Internet using a Wi-Fi spot on the airport and sync your Outlook. It’s a long flight and you want to catch up on email during the flight. You jump on the place and when the nice airhostess announces that you can use your portable electronic devices, you pull out your laptop and start reading your email. Now imagine you have a RMS-protected email in your Inbox. Since RMS requires the client to present credentials to the RMS server to get a use license before you can consume the content, you are not able to read that important email.

Here is the solution. If you use Outlook 2003 in cached mode, you can set the Outlook client to automatically license all RMS-protected emails during sync. This way you can ensure that all protected emails in your Inbox have corresponding use licenses downloaded and hence can be viewed. Now you can have a good flight!

P.S. Outlook in cached mode should do the above automatically. If it is not doing so, the Registry entry that controls this behavior is:

Hive: HKEY_CURRENT_USER
Key: Software\Microsoft\Office\11.0\Outlook
Type: REG_DWORD
Entry: UserData
Value: 0x00000001

If this is not set, or the entry doesn’t exist, create it and logoff and log back on.