
IRMCheck tells you to delete secproc.dll. Don't do it!!!!

Hello everyone,

An issue has been cropping up lately with users running IRMCheck on Vista clients. You may see the following error in your IRMCheck output:

This machine is activated incorrectly: unknown, file:///rmactivate.exe, 22/05/2008 8:39:00 PM [UTC]
Action:Please delete C:\Windows\system32\secproc.dll and restart Microsoft Office applications

Don't do it!! It is a bogus error, and if you do it, you will end up messing up your Vista machine, and everyone will poke and laugh at you.

IRMCheck has not been updated for RMS V2 on Vista, and will occasionally throw unreliable errors. It's still good for some checks on Vista...just ignore that one. The RMS product group is working on updating the tool to accommodate RMS V2 on Vista, and will post more info when it becomes available.

Thanks.

 Jason

Posted by Jason Tyler | 0 Comments

Error solution: "The permission policy you have selected is no longer in use. Contact your administrator to obtain new or updated permission policies."

I recently had a customer getting the following error whenever he tried to use an RMS template in Office, and either send the content or save it:

"The permission policy you have selected is no longer in use. Contact your administrator to obtain new or updated permission policies."

This isn't a wonderfully descriptive error.

This was happening to my customer because he had put up a brand new RMS infrastructure, but had previously had RMS in his environment, and this machine had been bootstrapped against the old installation.

This caused him to have two publishing licenses in his DRM folder. One was expired, and was from the old installation, and one was from the new installation. The RMS client code can't tell the difference.

So we look at the date on the template, look at the date on the publishing cert, hit a mismatch against the system time, and wallah...you are pulling your hair out.

To fix the issue, just rename the DRM folder or delete the offending CLC (the client licensor certificate, i.e. the expired publishing license from the old installation), and restart whatever application you were using.

The problem can also happen if your system time is incorrect on the RMS server or on the client, so check that too.

Hope this helps.

 -Jason

Posted by Jason Tyler | 0 Comments

Moving your RMS V2 (WS 2008) Database to another server

Lots of people have used my previous posting detailing the steps necessary to move your database server to another server, post-mortem. First allow me to say ' Picklemonkey and Duckbutt '. There....now all the people that were searching for that post using those terms will also find this post. :)

Here is the original post:
http://blogs.technet.com/rmssupp/archive/2006/12/05/tip-o-the-day-12-05-2006-moving-your-sql-dbase-to-another-server.aspx

Here are the steps for RMS on WS2008.

Pre-'doing this' stuff:

1. Stop the RMS logging service and IIS on all your RMS servers, and ensure there are no connections to the DRMS_ databases. 
2. Hold a picture of Al Gore close to you, and repeat "I am one with the universe", 10 times.

To move to a new SQL server:

1) It is recommended that you back up the 3 DRMS SQL databases, but at a minimum, export your Enterprise Trusted Publishing Domain. This can be used as a minimal disaster recovery backup: if needed, you can import this file into any RMS installation to recover documents.

2) Run RMSConfigEditor.exe from the RMS toolkit.

3) Type the name of the SQL server in the Server text box and click "Go".

4) Pick the DRMS_Config database from the Database drop down list and click "Go".

5) Open the DRMS_ClusterPolicies table and find the following PolicyName entries. In the corresponding PolicyData entry, you will find the name of the SQL server being referred to. Adjust the PolicyData entry to the new SQL server name and click the "Persist" button on each.

LoggingDatabaseServer
CertificationUserKeyStorageConnectionString
DirectoryServicesCacheDatabase

6) Go to Start > Run, launch regedit, and modify the following values to reflect the new CNAME (this needs to be done on every server in the cluster):

HKLM\System\ControlSet001\Services\AdRMSLoggingService\Params
Value name: ConnectionString
Value name: LoggingDatabaseServer

HKLM\Software\Microsoft\DRMS\2.0\ConnectionString
Value name: ConfigDatabaseConnectionString

That should be it. Restart all of your services, and make sure everything is working.
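Steps 5 and 6 boil down to swapping one server name inside several connection strings. Here is an added PowerShell example (mine, not from this post or the RMS toolkit) that does the rewrite in a small function you can check offline and then applies it to the three registry values from step 6, with -WhatIf support so you can preview before touching anything. It assumes the stored connection strings carry a "data source=" key, as the DrmsSqlStorage debug line elsewhere on this blog shows, and that LoggingDatabaseServer holds a bare server name; rmssql.contoso.com is a placeholder CNAME.

```powershell
# Added example, not from the original post. Rewrites the SQL server name in
# AD RMS connection strings and applies it to the registry values from step 6.
# Assumptions: connection strings use a "data source=" key; LoggingDatabaseServer
# holds a bare server name; paths are as the post lists them (ControlSet001).

function Set-DataSourceInConnectionString {
    param(
        [Parameter(Mandatory)][string]$ConnectionString,
        [Parameter(Mandatory)][string]$NewServer
    )
    # Replace only the value of the "data source" key (case-insensitive) and
    # leave every other key=value pair, including the database name, untouched.
    $pattern = '(?i)(data source\s*=\s*)[^;]*'
    if ($ConnectionString -notmatch $pattern) {
        throw "No 'data source=' key found in: $ConnectionString"
    }
    # Escape '$' so a literal server name can never be read as a group reference.
    $replacement = '${1}' + $NewServer.Replace('$', '$$')
    return [regex]::Replace($ConnectionString, $pattern, $replacement)
}

# Registry values from step 6. Change ControlSet001 to the active control set
# if yours differs (HKLM\SYSTEM\Select\Current tells you which one that is).
$script:RmsSqlRegistryTargets = @(
    @{ Path = 'HKLM:\SYSTEM\ControlSet001\Services\AdRMSLoggingService\Params'
       Name = 'ConnectionString';               IsConnectionString = $true  },
    @{ Path = 'HKLM:\SYSTEM\ControlSet001\Services\AdRMSLoggingService\Params'
       Name = 'LoggingDatabaseServer';          IsConnectionString = $false },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\DRMS\2.0\ConnectionString'
       Name = 'ConfigDatabaseConnectionString'; IsConnectionString = $true  }
)

function Update-AdRmsSqlServerName {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$NewServer)
    foreach ($t in $script:RmsSqlRegistryTargets) {
        $current = (Get-ItemProperty -Path $t.Path -Name $t.Name -ErrorAction Stop).($t.Name)
        $updated = if ($t.IsConnectionString) {
            Set-DataSourceInConnectionString -ConnectionString $current -NewServer $NewServer
        } else {
            $NewServer
        }
        if ($current -eq $updated) {
            Write-Verbose "$($t.Path)\$($t.Name) already points at $NewServer"
            continue
        }
        if ($PSCmdlet.ShouldProcess("$($t.Path)\$($t.Name)", "change '$current' to '$updated'")) {
            Set-ItemProperty -Path $t.Path -Name $t.Name -Value $updated
        }
    }
}

# Offline check on a constructed connection string (shape taken from the
# DrmsSqlStorage debug line on this blog):
$old = 'data source=sqlserver;integrated security=SSPI;persist security info=False;' +
       'packet size=4096;database=DRMS_Config_rms_domain_com_80;Pooling=False'
Set-DataSourceInConnectionString -ConnectionString $old -NewServer 'rmssql.contoso.com'

# Real run, on every server in the cluster, after the logging service and IIS are stopped:
# Update-AdRmsSqlServerName -NewServer 'rmssql.contoso.com' -WhatIf   # preview
# Update-AdRmsSqlServerName -NewServer 'rmssql.contoso.com'           # apply
```

The regex deliberately touches only the data source value, so a typo in the new name can't silently eat the database name or the auth settings; run the preview first and compare the "change 'x' to 'y'" lines against what step 5 put in the cluster policies.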

You just survived a worse experience than Hillary Clinton's Bosnia gunfire experience, and can now run for president. Give yourself a pat on the back, and go hug your local Dunkin' Donuts coffee guy.

-Jason 

Posted by Jason Tyler | 0 Comments

Disabling or Changing AD cache settings with RMS on Windows Server 2008

Some of my more 'bleeding edge' readers that are playing around with 2008 may be wondering why the old AD cache setting keys that we used in RMS 1.0 no longer work with RMS 2.0. Well the reason is simple. We don't use the registry keys anymore. :)

To disable Active Directory caching (or modify the default values) here is what you do:

1. In the dbo.DRMS_ClusterPolicies table (in the DRMS_Config database), set the following policy values to 0 (or whatever value you want):
UseDirectoryServicesCacheDatabase
EnableNoRightsCaching
This will disable all database caching.

2. You can reset IIS to clean up the memory cache, or you can set the following policy values to 0 in dbo.DRMS_ClusterPolicies:
DirectoryServicesMemoryPrincipalCacheMaxSize
DirectoryServicesMemoryGroupIdCacheMaxSize
DirectoryServicesMemoryGroupMembershipCacheMaxSize
DirectoryServicesMemoryContactGroupMembershipCacheMaxSize
DirectoryServicesMemoryPrincipalCacheExpirationMinutes
DirectoryServicesMemoryGroupCacheExpirationMinutes

…and before you ask, EnableNoRightsCaching is new to AD RMS. It caches 'No Rights' failures, so that we can quickly tell a user who keeps trying to open content they don't have access to 'You've already been told you don't have access, punk!', without making a round trip to the DC again.
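The values above are PolicyData rows in DRMS_ClusterPolicies, the same table the database-move post on this page walks through with RMSConfigEditor. As an added example that is not from the post (or from the RMS toolkit), here is a PowerShell reader/writer for those rows over System.Data.SqlClient using parameterized SQL; it assumes the PolicyName and PolicyData column names mentioned in that earlier post, and DRMS_Config_rms_domain_com_80 is a placeholder database name taken from this blog's debug output. It also serves step 5 of the database-move post if you would rather script that than click through the editor.

```powershell
# Added example, not from the original post. Reads and sets the cache-related
# policy rows in dbo.DRMS_ClusterPolicies using parameterized SQL.
# Assumptions: columns PolicyName / PolicyData (named in the DB-move post);
# integrated Windows auth to the SQL server, from an account with rights to
# the DRMS_Config database.

$script:DrmsCachePolicyNames = @(
    'UseDirectoryServicesCacheDatabase',
    'EnableNoRightsCaching',
    'DirectoryServicesMemoryPrincipalCacheMaxSize',
    'DirectoryServicesMemoryGroupIdCacheMaxSize',
    'DirectoryServicesMemoryGroupMembershipCacheMaxSize',
    'DirectoryServicesMemoryContactGroupMembershipCacheMaxSize',
    'DirectoryServicesMemoryPrincipalCacheExpirationMinutes',
    'DirectoryServicesMemoryGroupCacheExpirationMinutes'
)

function New-DrmsSqlCommand {
    param([string]$Server, [string]$Database, [string]$Sql, [hashtable]$Parameters)
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Data Source=$Server;Initial Catalog=$Database;Integrated Security=SSPI")
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $Sql
    foreach ($name in $Parameters.Keys) {
        [void]$cmd.Parameters.AddWithValue($name, $Parameters[$name])
    }
    return $cmd
}

function Get-DrmsCachePolicy {
    param([Parameter(Mandatory)][string]$Server, [Parameter(Mandatory)][string]$Database)
    # Build "@p0,@p1,..." so the policy names travel as parameters, never as literal SQL.
    $params = @{}
    $i = 0
    foreach ($n in $script:DrmsCachePolicyNames) { $params["@p$i"] = $n; $i++ }
    $sql = "SELECT PolicyName, PolicyData FROM dbo.DRMS_ClusterPolicies " +
           "WHERE PolicyName IN ($($params.Keys -join ','))"
    $cmd = New-DrmsSqlCommand $Server $Database $sql $params
    $cmd.Connection.Open()
    try {
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            [pscustomobject]@{ PolicyName = $reader['PolicyName']; PolicyData = "$($reader['PolicyData'])" }
        }
    } finally { $cmd.Connection.Close() }
}

function Set-DrmsCachePolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$Database,
        [Parameter(Mandatory)][string]$PolicyName,
        [Parameter(Mandatory)][string]$Value
    )
    if ($script:DrmsCachePolicyNames -notcontains $PolicyName) {
        throw "$PolicyName is not one of the AD cache policies this script manages"
    }
    $sql = 'UPDATE dbo.DRMS_ClusterPolicies SET PolicyData = @value WHERE PolicyName = @name'
    $cmd = New-DrmsSqlCommand $Server $Database $sql @{ '@value' = $Value; '@name' = $PolicyName }
    if ($PSCmdlet.ShouldProcess("$Database.DRMS_ClusterPolicies/$PolicyName", "set PolicyData to '$Value'")) {
        $cmd.Connection.Open()
        try {
            $rows = $cmd.ExecuteNonQuery()
            if ($rows -ne 1) { Write-Warning "Expected to update 1 row for $PolicyName, updated $rows" }
        } finally { $cmd.Connection.Close() }
    }
}

# Usage (placeholder names):
# Get-DrmsCachePolicy -Server rmssql -Database DRMS_Config_rms_domain_com_80 | Format-Table
# Set-DrmsCachePolicy -Server rmssql -Database DRMS_Config_rms_domain_com_80 `
#     -PolicyName UseDirectoryServicesCacheDatabase -Value 0 -WhatIf
```

After a Set, run iisreset on each RMS server as step 2 says, otherwise the in-memory cache keeps serving the old answers until it expires on its own.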

Thanks to Sarah, my compadre from CSS-Security for continually pushing me for these answers, and always keeping me entertained with new ways to put up RMS in strange scenarios.

 -Jason

Posted by Jason Tyler | 0 Comments

RMS Provisioning hangs when using nCipher NetHSM

So here is a new one that I ran into yesterday. I had a customer that called in and was having problems provisioning his RMS V1 server in his production environment. He was using nCipher HSMs to store the keys. This worked great in his development environment, but for some reason during the 'Provisioning Logging...' step of the process, we would just hang.

This is what we would see in a debug view before it froze:

00000997 149.84358215 [3940] 2008-03-19T09:57:21:0990 - PrivateKeyStore(data source=sqlserver;integrated security=SSPI;persist security info=False;packet size=4096;database=DRMS_Config_rms_domain_com_80;Pooling=false;)
00000998 149.86886597 [3940] 2008-03-19T09:57:22:0021 - DrmsSqlStorage connection String:  data source=sqlserver;integrated security=SSPI;persist security info=False;packet size=4096;database=DRMS_Config_rms_domain_com_80;Pooling=False
00000999 149.88598633 [3940] 2008-03-19T09:57:22:0037 - Stored procedure spa_GetPolicy finished with return code 0

The answer:

Some background. When the customer set up his security realm in production he specified FIPS compatibility, which he did not do in the dev environment. What this means is that an 'Operator Card' has to be inserted into the module in order to store the keys. Typically you would get prompted to 'Insert an Operator Card', but because RMS has no UI that can display this (we may be suppressing the dialog), we will happily sit there until you figure it out...or until IIS decides to kill the process.

The same issue exists in WS08 for RMS, so be aware that if you have FIPS level compatibility turned on, you either need to use ModAuth or go insert your operator card into the HSM to provision RMS.

-Jason

Posted by Jason Tyler | 0 Comments

Getting your WM6 device to successfully IRM activate.

I'm not going to lie. Trying to get a Windows Mobile 6 device to activate against an RMS installation is never a highlight of my day. There are strange *quirks* with these devices that need to be accounted for. I'm going to use this post as a dumping ground for different things I've found in regards to this.

- The very first thing you need to do is go to C:\Inetpub\WWWRoot\_wmcs\Certification\MobileDeviceCertification.asmx, and go to the Security tab of its file properties. Click on the 'Advanced' button, and check the box for 'Allow inheritable permissions from parent to propagate to this object...'

This will give you the correct access settings for the file, which by default, we remove.

- If your users are on laptops (i.e. will at some point be leaving the 'Intranet' for the 'Internet') you need to set the registry overrides for the location of the Licensing and Certification URLs:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDRM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDRM\ServiceLocation]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDRM\ServiceLocation\Activation]
@="https://rms.yourdomain.com/_wmcs/certification"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDRM\ServiceLocation\EnterprisePublishing]
@="https://rms.yourdomain.com/_wmcs/licensing"

 - If you have an ISA publishing rule that is set to only allow authenticated users to the RMS server, change it to 'All Users', and let the RMS server handle the authentication.

Honestly, I don't know why this is, but just yesterday I had a customer call and regardless of anything we tried we could not get the device to activate if ISA was handling the authentication request. The user could even get to the page from the browser. When we let the auth go straight through, and be handled by IIS on the RMS server, everything worked like a charm. UPDATE: Apparently you *can* use 'Basic Authentication' on ISA, just make sure that you forward all requests via HTTPS, otherwise you'll be sending your 'shiznit' in the clear. I'd just let the RMS server handle it though.

- If you are using a dot stuffed intranet cluster URL (i.e. rms.domain.com) you can set an exception rule on the device by going to Start>Settings>Connections>Connection>Advanced and clicking on the 'Exceptions' button. You can then add *.domain.com or rms.domain.com to the exceptions list to allow users to authenticate to the site. I believe if the name has dots in it, the device thinks it is an internet site, and will not pass creds...but I've had varying mileage out of this setting.
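The first two bullets are the ones people get wrong by hand (the wrong checkbox, or a ServiceLocation key with a typo that the client silently ignores), so here is an added PowerShell example, mine and not from the post, that does both and reads the result back. The file path and the two URL suffixes are the ones the post gives; 'https://rms.yourdomain.com' is a placeholder for your cluster URL, and the ServiceLocation functions run on the machine where you would otherwise import the .reg file above.

```powershell
# Added example, not from the original post. Helpers for the first two bullets:
# (1) re-enable inherited permissions on MobileDeviceCertification.asmx, and
# (2) write and read back the MSDRM ServiceLocation overrides. Paths are the
# ones the post gives; https://rms.yourdomain.com is a placeholder.

function Enable-AclInheritance {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    if (-not $acl.AreAccessRulesProtected) {
        Write-Verbose "$Path already inherits from its parent"
        return $false
    }
    # First argument $false = stop protecting, i.e. inherit the parent's ACEs again.
    # The second argument only matters when protection is being turned on.
    $acl.SetAccessRuleProtection($false, $true)
    if ($PSCmdlet.ShouldProcess($Path, 'enable ACL inheritance from parent')) {
        Set-Acl -Path $Path -AclObject $acl
    }
    return $true
}

function Set-MsdrmServiceLocation {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$ClusterUrl)
    # Credentials and certificates travel over this link, so refuse anything but https.
    if ($ClusterUrl -notmatch '^https://') { throw "Cluster URL must start with https://: $ClusterUrl" }
    $base = $ClusterUrl.TrimEnd('/')
    $root = 'HKLM:\SOFTWARE\Microsoft\MSDRM\ServiceLocation'
    $overrides = @{
        'Activation'           = "$base/_wmcs/certification"
        'EnterprisePublishing' = "$base/_wmcs/licensing"
    }
    foreach ($sub in $overrides.Keys) {
        $key = Join-Path $root $sub
        if (-not (Test-Path $key)) {
            # -Force also creates MSDRM and ServiceLocation when they are missing
            New-Item -Path $key -Force | Out-Null
        }
        if ($PSCmdlet.ShouldProcess("$key\(Default)", "set to $($overrides[$sub])")) {
            Set-ItemProperty -Path $key -Name '(default)' -Value $overrides[$sub]
        }
    }
}

function Get-MsdrmServiceLocation {
    # Read back what the client will actually use, so a change can be verified.
    $root = 'HKLM:\SOFTWARE\Microsoft\MSDRM\ServiceLocation'
    foreach ($sub in 'Activation', 'EnterprisePublishing') {
        $key = Join-Path $root $sub
        $value = if (Test-Path $key) { (Get-ItemProperty -Path $key).'(default)' } else { $null }
        [pscustomobject]@{ Key = $sub; Url = $value }
    }
}

# On the RMS server, as administrator (drop -WhatIf to apply):
# Enable-AclInheritance -Path 'C:\Inetpub\WWWRoot\_wmcs\Certification\MobileDeviceCertification.asmx' -WhatIf
# On the client machine:
# Set-MsdrmServiceLocation -ClusterUrl 'https://rms.yourdomain.com' -WhatIf
# Get-MsdrmServiceLocation
```

Get-MsdrmServiceLocation is the part worth keeping around: when a device refuses to activate, an empty Url column or a misspelled subkey name shows up immediately, which is exactly the kind of thing that cost the original .reg file its EnterprisePublishing key.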

I'll post more later, but hopefully this will get you going.

-Jason

Posted by Jason Tyler | 2 Comments

Using IRM to protect 'ranges' in a Word document. Uhhh...Yes, we can!

One thing I know a lot about is the inner workings of RMS. I know how to deploy it, make it work in strange situations, its quirks, what causes it to be cranky etc. It's a marriage. Something that I don't spend a 'huge' amount of time on is tracking down some of the finer-grain details within the Office products. There are still things that I don't know about IRM integration within those products, mainly because I use them for basic needs, and frankly no-one ever asks me. I'm not someone who worries about protecting individual cells in Excel, or ranges in Word, and unless a customer asks me if it's possible, I've got enough work to keep me busy. Way back during the Office 4.3 days, when I used to actually support Excel and Word, I knew a lot about them, but nowadays I'm lucky if I can figure out where Help>About is in the new ribbon design.

This was an interesting note about IRM protection on Word documents that I recently saw on an internal thread here, so I thought I would share it for all you people that wanted to know about range protection in Word. I've recently heard that our competitors say this was something we could not do, when trying to sell their solution over RMS, but apparently they just didn't know where to look.

Here was the quote.

“Word’s Range Permissions feature does integrate with IRM.  If you use IRM to restrict access to your document with certain users given 'change' permission, you can give those users explicit editing permissions to particular ranges in the document.  To do this:

1)      Bring up the Document Protection task pane (Tools | Protect Document in Office 2003; Developer | Protect Document | Restrict Formatting and Editing in Office 2007).

2)      Check “Allow only this type of editing in the document”

3)      Select “No changes (Read only)” in the drop down.

Users given Change access will appear in the Individuals listbox.  Select any ranges you want to give a user access to and check the box by their name to explicitly allow them access to that range.  Then when you start enforcing protection, the document will be locked to everyone except for those designated ranges.”

So now if you ever happen to be in the middle of an IPP sales pitch where the vendor claims Microsoft doesn't offer this solution with IRM, but *they* do, you can show them how to do it, so they can 'correct' their info.

Man...I'm such a trouble maker. <g>

Thanks to Jamie Campbell and Chris Vincent, some of our Office product group members, for posting this info.

 -Jason

Posted by Jason Tyler | 4 Comments

Check the UDDI service status yourself

Ever run into problems that you 'think' may be related to not being able to access the UDDI service? I wrote a script that should help you (and me) determine if the UDDI service is up or down.

Here is the source. Again, use at your own risk, make sure that if you are copying and pasting that you check the longer strings to make sure they haven't newlined on you...and of course, add some error checking. It continues to amaze me how poor my formatting, commenting, and coding skills are. I only write this stuff for me usually, so I don't care if it's not formatted correctly, or if there are 'better' ways to do it. My goal is to write as little code as possible to get what I need. ;)

'********************************************************
' RMS UDDI Checker - Jason Tyler
' Date: uhhh...night time
'********************************************************

strURL = "https://uddi.microsoft.com/inquire"

' First call: find the RMS enrollment service and return its serviceKey.
retval = GetUDDIInfo(strURL, vbNullString)

' Second call: look up that serviceKey and return its access point (the enrollment URL).
' Only attempt it if the first query actually returned a key.
If retval <> vbNullString Then
    Wscript.Echo GetUDDIInfo(strURL, retval)
Else
    Wscript.Echo "No serviceKey returned; not querying for the enrollment URL."
End If

Function GetUDDIInfo(strURL, strKey)
    Dim XMLHTTP, oDOM, sKeys, obj
    Dim strSType, strEnrollment, strBody, strEnvelope, strRequest, strReturn

    Set XMLHTTP = CreateObject("MSXML2.XMLHTTP")
    strReturn = vbNullString

    If strKey = vbNullString Then
        ' find_service: locate the service registered under the RMS enrollment tModel key
        strSType = "ServiceInfo"
        strEnrollment = "uuid:d3bf98c5-dea7-4503-80f1-99758c4486f4"
        strBody = "<find_service generic='2.0' xmlns='urn:uddi-org:api_v2' businessKey=''><tModelBag><tModelKey>" & strEnrollment & "</tModelKey></tModelBag></find_service>"
    Else
        ' get_serviceDetail: fetch the binding (access point URL) for the serviceKey found above
        strSType = "ServiceDetail"
        strEnrollment = strKey
        strBody = "<get_serviceDetail generic='2.0' xmlns='urn:uddi-org:api_v2'><serviceKey>" & strEnrollment & "</serviceKey></get_serviceDetail>"
    End If

    strEnvelope = "<soap:Envelope xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'><soap:Body>" & strBody & "</soap:Body></soap:Envelope>"
    strRequest = "<?xml version='1.0' encoding='utf-8'?>" & strEnvelope

    With XMLHTTP
        .Open "POST", strURL, False
        .setRequestHeader "content-type", "text/xml; charset=utf-8"
        .setRequestHeader "SOAPAction", """"""
        .send strRequest
        'Wscript.Echo .responseXML.xml   'Uncomment this line to see the actual XML
        If .Status = 200 Then
            Set oDOM = .responseXML.documentElement
            Select Case strSType
                Case "ServiceInfo"
                    Wscript.Echo "UDDI Service is up. Querying for enrollment URL..."
                    Set sKeys = oDOM.getElementsByTagName("serviceInfos")
                Case "ServiceDetail"
                    Wscript.Echo "Enrollment URL is:"
                    Set sKeys = oDOM.getElementsByTagName("accessPoint")
            End Select
            For Each obj In sKeys
                Select Case strSType
                    Case "ServiceInfo"
                        ' read the serviceKey attribute from the matching serviceInfo element
                        strReturn = obj.firstChild.nextSibling.nextSibling.attributes(0).value
                    Case "ServiceDetail"
                        ' the accessPoint text node is the enrollment URL
                        strReturn = obj.firstChild.nodeValue
                End Select
            Next
        Else
            Wscript.Echo "Cannot Connect to UDDI service. Error Code is: " & .Status
        End If
    End With

    Set XMLHTTP = Nothing
    GetUDDIInfo = strReturn
End Function

 -Jason

Posted by Jason Tyler | 0 Comments

Can't open files protected using the Passport service? Thanks again, UDDI.

Some of you may have noticed that when trying to open content protected against the Passport service, or when trying to sign up for the Passport RMS service you are getting 'Service unavailable' errors. You may also notice a certificate warning, showing something along the lines of redirect.www.ibm.com as the root of trust.

If you are seeing this, then you are witnessing yet another kick to the face, care of the UDDI service.

To resolve the issue set the following registry entries on your clients:

If you are running Outlook 2007, change the 11.0 to 12.0:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\11.0\Common\DRM\
Reg_SZ: CloudCertificationServer
Value: https://certification.drm.microsoft.com/certification

If you are running Outlook 2007, change the 11.0 to 12.0:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\11.0\Common\DRM\
Reg_SZ: ActivationServer
Value: https://activation.drm.microsoft.com/activation

Close all your Office apps and try again.

 We are working to stabilize these dependency services, but IMHO bypassing them is the best answer. It's not like the URLs are going to change, and with WS08 we removed the dependency, so eventually this whole dependency will be a legacy issue.

-Jason

Posted by Jason Tyler | 0 Comments

Avoiding provisioning insanity and skip the !@#$!* UDDI Service

For anyone provisioning RMS you know how insane you can get when things just don't seem to work. (Granted, things work as advertised 95% of the time). One thing that drives me, and I'm sure a lot of you, crazy is an error message that you may receive after trying to provision your server, or get a new certificate.

The dreaded:

Failed to enroll server!!

With an inner exception resembling:

The underlying connection was closed: Could not establish trust relationship with remote server.

You angrily slap your new intern across the face in disgust, teaching them a valuable lesson in server room etiquette. "Never stand within arm's length of an angry admin, when the fit is hitting the shan!"

Well, before the situation escalates and you go and stomp a mudhole in your server, I'll explain what's going on, and how to avoid this noid!

A long time ago, in a galaxy far, far away, Microsoft went into a joint venture with two other companies to provide a publicly available 'Active Directory' for web services. Well, this service was scheduled to end in January of 2006. Microsoft was going to leave a read-only copy of the directory structure online for dependent services like RMS to use. What this AD provides is along the same lines of what the SCP for RMS provides to your users: an 'automated' way to discover the location of public services (i.e. the enrollment service). This would be cool if....well I really can't think of a reason it is cool, but if the service isn't working, or the certificates have expired, or someone in the server room says the word 'Monkey' three times fast...*you* my friend, aren't provisioning your RMS server.

So what can you do? I'll tell you, and I think everyone should do this, to skip the middleman. (Note: This service, and the enrollment service are no longer required as of Windows Server 2008. We let you self sign your certs locally to avoid things like this. How friggin' awesome is that?).

Go into your registry and set the following value:

HKLM\Software\Microsoft\DRMS\1.0\
Reg_SZ: EnrollmentURL
Value: https://activation.drm.microsoft.com/enrollment/enrollservice.asmx

Go to a command prompt, and do an IISReset, and wallah. You have skipped the middleman, saved your sanity, and reduced global warming, making Al Gore a very happy man.

Now go coax your intern out of the fetal position in the corner of the server room, give them an inappropriately long hug, and whisper something random in their ear, like 'Have you ever noticed that little dogs' feet smell like corn chips?', then walk away.

You have survived another day in the server room.

Hope this helps.

-Jason

 Note: For more info go here:

http://uddi.microsoft.com/about/FAQshutdown.htm

UPDATE: If you are having trouble getting a Passport trust setup, use this registry entry

HKLM\Software\Microsoft\DRMS\1.0
Reg_SZ: CloudGicURL
Value: https://certification.drm.microsoft.com/certification/certification.asmx


Posted by Jason Tyler | 0 Comments

Using a SQL Cname on WS08, when provisioning RMS

I thought (and a few other people as well) this particular subject warranted a blog post, instead of just a comment I made a while back to a poster.

As a matter of best business practices, I have preached over and over again the importance of using cname records for your RMS cluster url and your SQL server name when provisioning RMS, for disaster recovery purposes. In fact this weekend I beat a guy up that didn't believe me...errr..no wait..that was Chuck Liddell who did that on UFC 79. Me and Chuck kept telling Wanderlei, 'Dude..you need to use a cname record', but he said you didn't, so Chuck helped show him why, by giving a demonstration of why disaster recovery is so important. :)

Anyways, with WS08 someone threw a monkey wrench into the works that requires a little 'redneck engineering' to overcome for the time being.

If you try to use a cname record for your SQL server instance (assuming everything is on WS08..UPDATE: Actually you need to do this if it is SQL on WS03 as well), you will find that your SQL server will promptly ignore your request to call it by anything other than its proper given name. To force your SQL server to play nice with the peasants, and accept whatever name *you*, oh master, decide to call it by, you need to set the following registry key on the SQL server (which may also be your RMS server) before provisioning:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
DWORD: DisableStrictNameChecking
Value: 1 (Peasant/Play Nice) 0 ('Big Jerk' Mode)

Hope this adds more life to the hair you may still have!

-Jason 


Posted by Jason Tyler | 1 Comments

Troubleshooting group expansion problems with RMS

I've had many customers call and ask me why when they send a mail to a 'group' some of those users cannot open the message, while some of them can.

I wrote a script that I have them run that will give me some important information.

-I usually want to make sure that the group is 'Universal'. The groups must be universal when you have members from different domains, because universal groups are the only group type whose membership is replicated to the GC, and since RMS uses GC queries...you get the point.

-I want to make sure that the group has an email address, since that is what RMS uses to find the group

-I want to make sure that one, and only one, group is assigned to this e-mail address.

-I want to make sure that 'all' of the GCs have the same membership. They should if the group is universal, but if there are replication issues, they may not.

Here is that script. Once again, use at your own risk, and for the love of God...add some error trapping and comments (my own laziness astounds me, but since these are my private batch of tools, I know how they work. I never planned on blogging them. :))

The syntax is script <Forest> <group email> <Search All GCs?>
>cscript FindGroup.vbs contoso nerds@contoso.com 0   <-- Just finds the group and quits
>cscript FindGroup.vbs contoso nerds@contoso.com 1   <-- Finds the group in every GC and quits

I usually just run it with the '0' option up front to check the easy stuff, like group type and membership. I'll only run it with the '1' option if everything with a 0 looks good, or if the customer needs proof that a non-universal group membership type does not replicate all of its members across GCs. 

(Can you tell I used to be on the ADSI team here?) ;)

-Jason

'**********************************************************
' FindGroup.vbs - "Can I get a witness!!!"
'**********************************************************

Set Args = Wscript.Arguments

If Args.Count < 3 Then
    Wscript.Echo "Usage: cscript FindGroup.vbs <Forest> <group email> <Search All GCs? 0|1>"
    Wscript.Quit 1
End If

strForestName = Args(0)
strGroup = Args(1)
' Arguments arrive as strings; convert so the numeric comparison below actually matches
FindAll = CInt(Args(2))

'***Get all the GCs***'
' Every GC has an NTDS Settings object in the configuration NC with the GC bit (options=1) set
Set objRootDSE = GetObject("LDAP://" & strForestName & "/" & "RootDSE")
strADsPath = "<LDAP://" & objRootDSE.Get("configurationNamingContext") & ">;"
strFilter  = "(&(objectcategory=ntdsdsa)(options=1));"
strAttrs   = "distinguishedname;"
strScope   = "SubTree"

Set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"

Set objRS = objConn.Execute(strADsPath & strFilter & strAttrs & strScope)
If FindAll = 1 Then
    objRS.MoveFirst      ' walk every GC
Else
    objRS.MoveLast       ' only query the last GC found
End If

'***Get relative info from the group in question***

Do Until objRS.EOF
    Set objNTDS = GetObject("LDAP://" & objRS.Fields("distinguishedname").Value)
    Set objServer = GetObject(objNTDS.Parent)
    strGC = objServer.Get("dNSHostName")
    Wscript.Echo "Connecting to " & strGC & " ..."
    ' Match on either the SMTP proxy address or the mail attribute
    Set objRSGroup = objConn.Execute("<GC://" & strGC & ">;(|(proxyaddresses=smtp:" & strGroup & _
                             ")(mail=" & strGroup & "));adspath;subtree")

    Wscript.Echo "Found " & objRSGroup.RecordCount & " group(s) matching that name."

    Do Until objRSGroup.EOF
        Set objGroup = GetObject(objRSGroup.Fields("adspath").Value)
        ' groupType scope bits: 2 = Global, 4 = Domain Local, 8 = Universal
        If objGroup.GroupType And &h2 Then
            strGroupType = "Global"
        ElseIf objGroup.GroupType And &h4 Then
            strGroupType = "Domain Local"
        ElseIf objGroup.GroupType And &h8 Then
            strGroupType = "Universal"
        End If
        ' High bit set = security-enabled group
        If objGroup.GroupType And &h80000000 Then
            strGroupType = strGroupType & " Security Group"
        Else
            strGroupType = strGroupType & " Distribution Group"
        End If
        Wscript.Echo "Group Name:" & objGroup.Name
        Wscript.Echo "Group Member Count:" & objGroup.Members.Count
        Wscript.Echo "Group Type:" & strGroupType
        For Each mem In objGroup.Members
            strName = mem.Get("name")
            ' Get raises an error when the attribute is not set, so trap it and treat as blank
            On Error Resume Next
            strMail = mem.Get("mail")
            If Err.Number <> 0 Then
                strMail = ""
                Err.Clear
            End If
            On Error GoTo 0
            If strMail = "" Then
                Wscript.Echo strName & " has no email address."
            Else
                Wscript.Echo strName & ": " & strMail
            End If
        Next
        Wscript.Echo

        objRSGroup.MoveNext
    Loop
    objRS.MoveNext
Loop

Wscript.Echo "Done"
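The group-type bits the script tests, and the four checks listed at the top of this post, are the part worth having as a reusable function. Here is an added PowerShell example (mine, not the post's script) that decodes groupType the same way and runs those checks over a set of group objects; the sample group and members are constructed so it runs offline, and for a live check you would feed it Get-ADGroup output (groupType, mail, and member mail) from each GC in turn, which is what the script's '1' mode does.

```powershell
# Added example, not from the original post. Decodes AD groupType the way
# FindGroup.vbs does and runs the checks listed above (one group per address,
# universal scope, group and members have mail). The group objects below are
# constructed so this runs offline.

function ConvertFrom-GroupType {
    param([Parameter(Mandatory)][int64]$GroupType)
    # Scope bits tested in FindGroup.vbs: 0x2 Global, 0x4 Domain Local, 0x8 Universal.
    if     (($GroupType -band 0x2) -ne 0) { $scope = 'Global' }
    elseif (($GroupType -band 0x4) -ne 0) { $scope = 'Domain Local' }
    elseif (($GroupType -band 0x8) -ne 0) { $scope = 'Universal' }
    else                                   { $scope = 'Unknown' }
    # High bit (0x80000000) set = security-enabled; AD stores it as a negative int32.
    $category = if (($GroupType -band 0x80000000) -ne 0) { 'Security' } else { 'Distribution' }
    [pscustomobject]@{ Scope = $scope; Category = $category; Raw = $GroupType }
}

function Test-RmsGroup {
    param(
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)][object[]]$Groups   # objects with Name, Mail, GroupType, Members(Name, Mail)
    )
    $findings = @()
    # RMS finds the group by its e-mail address, so exactly one group may carry it.
    if ($Groups.Count -ne 1) {
        $findings += "$($Groups.Count) groups match $Address; expected exactly 1"
    }
    foreach ($g in $Groups) {
        $type = ConvertFrom-GroupType -GroupType $g.GroupType
        if ($type.Scope -ne 'Universal') {
            # Only universal group membership is replicated to the GC that RMS queries.
            $findings += "$($g.Name) is a $($type.Scope) $($type.Category) group; make it Universal"
        }
        if ([string]::IsNullOrEmpty($g.Mail)) {
            $findings += "$($g.Name) has no mail attribute"
        }
        foreach ($m in $g.Members) {
            if ([string]::IsNullOrEmpty($m.Mail)) {
                $findings += "member $($m.Name) of $($g.Name) has no email address"
            }
        }
    }
    return ,$findings
}

# Constructed sample: a global security group (0x80000002 = -2147483646) with one
# mail-less member, the case the post's script would flag.
$sampleGroups = @(
    [pscustomobject]@{
        Name = 'nerds'; Mail = 'nerds@contoso.com'; GroupType = -2147483646
        Members = @(
            [pscustomobject]@{ Name = 'alice';     Mail = 'alice@contoso.com' },
            [pscustomobject]@{ Name = 'svc-build'; Mail = $null }
        )
    }
)
Test-RmsGroup -Address 'nerds@contoso.com' -Groups $sampleGroups
```

An empty result from Test-RmsGroup means the easy stuff checks out; if the findings differ between GCs when you run it per server, that is the replication problem the post's '1' mode exists to demonstrate.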

Posted by Jason Tyler | 1 Comments

How to tell *who* is using RMS in your environment quickly.

I've had several customers ask me for a quick way to get a list of all of the users that are using RMS. The admin UI, will tell you how many people are, but not 'who' is using it.
 
Here is a vbscript I wrote that should tell you (assuming you have access to the RMS SQL server, locally, or remotely)
 
Due to my severe laziness the error trapping isn't that great...but I really just needed a quick sample to use as a model, and usually let my customers do the heavy error trapping in their own apps. This way I can truly say "Use at your own risk"...which I am also saying to you. ;)
 
Enjoy!
 
-Jason
 
'+++++++++++++++++++++++++++++++++++++++++++++++++++
' rmsusers.vbs - A simple script to match up the SDDL sids in the RMS
' dbase to user accounts
'+++++++++++++++++++++++++++++++++++++++++++++++++++

Option Explicit
Dim strComputer, strRoot, strDbase, strSQL, strConn
Dim objRoot
Dim conn, ldpconn
Dim rs, rsUser
Dim objArgs

Set objArgs = Wscript.Arguments
If objArgs.Count = 0 Then
    ShowUsage
    Wscript.Quit
End If
strComputer = objArgs(0)

' Default naming context of the current domain; the GC search below starts here
Set objRoot = GetObject("LDAP://RootDSE")
strRoot = objRoot.Get("defaultnamingcontext")
Set objRoot = Nothing

Set conn = CreateObject("ADODB.Connection")
Set rs = CreateObject("ADODB.RecordSet")
With rs
    .CursorLocation = 3    ' adUseClient, so RecordCount is populated
    .CursorType = 0        ' adOpenForwardOnly
End With

' Step 1: find the DRMS_Config database on the SQL server
With conn
    strDbase = "master"
    GetConn()
    .Open strConn
    strSQL = "Select Name From SysDatabases Where" & _
             " Name like 'DRMS_Config%'"
    rs.Open strSQL, conn
End With

If rs.RecordCount > 0 Then
    strDbase = rs.Fields("name").Value
    Wscript.Echo "++++Found Database:" & strDbase & ".++++" & vbCrLf & vbCrLf
    rs.Close
    conn.Close
    ' Step 2: pull every SID recorded in the Windows-auth identities table and resolve it
    strSQL = "Select s_Sid from UD_WindowsAuthIdentities"
    GetConn()
    conn.Open strConn
    rs.Open strSQL, conn
    If rs.RecordCount > 0 Then
        Wscript.Echo "There were " & rs.RecordCount & " users found."
        Do Until rs.EOF
            ResolveName rs.Fields("s_Sid").Value
            rs.MoveNext
        Loop
    Else
        Wscript.Echo "No users found in UD_WindowsAuthIdentities Table"
        CleanUp
        Wscript.Quit
    End If
Else
    Wscript.Echo "Could not find RMS Configuration Dbase"
    CleanUp
    Wscript.Quit
End If
CleanUp

'**********************************************************
'GetConn - Probably not needed. I thought I'd be making more connections
'**********************************************************
Sub GetConn()
    strConn = "Provider=SQLOLEDB;Data Source=" & strComputer & ";" & _
              "Trusted_Connection=Yes;Initial Catalog=" & strDbase
End Sub

'**********************************************************
'Resolve Name - Will spit out the user names based on SDDL sid
'**********************************************************
Sub ResolveName(strSID)
    Set ldpconn = CreateObject("ADODB.Connection")
    With ldpconn
        .Provider = "ADSDSOObject"
        .Open "ADSProvider"
        ' ADSI accepts the SDDL string form of objectSid in the filter
        strSQL = "<GC://" & strRoot & ">;(&(objectclass=user)(objectSID=" & strSID & "));name,mail;subtree"
        Set rsUser = .Execute(strSQL)
        If rsUser.RecordCount > 0 Then
            Wscript.Echo "**-" & rsUser.Fields("name").Value & _
                         "-" & rsUser.Fields("mail").Value
        Else
            Wscript.Echo "Unresolved: " & strSID
        End If
        rsUser.Close
        ldpconn.Close
        Set rsUser = Nothing
        Set ldpconn = Nothing
    End With
End Sub

'*************************************
'CleanUp - If we bail - try to clean up
'*************************************
Sub CleanUp
    rs.Close
    Set rs = Nothing
    conn.Close
    Set conn = Nothing
End Sub

'*************************************
'ShowUsage - How to use the script
'*************************************
Sub ShowUsage
    Wscript.Echo "Usage:>cscript rmsusers.vbs rms_sql_server"
    Wscript.Echo "Usage:>cscript rmsusers.vbs rms_sql_server\instance"
End Sub
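The interesting failure mode in a script like this is the SID that no longer resolves: a deleted user, or an account from a domain the RMS server's forest doesn't trust, still has a row in UD_WindowsAuthIdentities. As an added example that is not from the post, here is the resolution step in PowerShell, using the .NET SecurityIdentifier translation instead of a GC search and keeping unresolved and malformed SIDs visible in a summary rather than failing on them. The sample SIDs are constructed well-known ones so it runs on any Windows host; in practice you would feed it the s_Sid column the script above reads.

```powershell
# Added example, not from the original post. Resolves SDDL SIDs (the s_Sid
# values rmsusers.vbs reads from UD_WindowsAuthIdentities) to account names
# with .NET SecurityIdentifier.Translate instead of a GC search, and keeps
# unresolved or malformed SIDs visible rather than stopping on them.

function Resolve-RmsUserSid {
    param([Parameter(Mandatory)][string[]]$Sid)
    foreach ($s in $Sid) {
        $row = [pscustomobject]@{ Sid = $s; Account = $null; Status = 'unresolved' }
        try {
            $sidObj = New-Object System.Security.Principal.SecurityIdentifier($s)
            $row.Account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
            $row.Status = 'ok'
        } catch [System.Security.Principal.IdentityNotMappedException] {
            # Well-formed SID, but no account maps to it any more (deleted user, untrusted domain)
            $row.Status = 'not mapped'
        } catch [System.ArgumentException] {
            # Not a well-formed SDDL string; worth a look at the table row itself
            $row.Status = 'malformed'
        } catch {
            $row.Status = "error: $($_.Exception.GetBaseException().Message)"
        }
        $row
    }
}

function Get-RmsUserSummary {
    param([Parameter(Mandatory)][string[]]$Sid)
    $rows = @(Resolve-RmsUserSid -Sid $Sid)
    [pscustomobject]@{
        Total     = $rows.Count
        Resolved  = @($rows | Where-Object Status -eq 'ok').Count
        Orphaned  = @($rows | Where-Object Status -eq 'not mapped').Count
        Malformed = @($rows | Where-Object Status -eq 'malformed').Count
        Rows      = $rows
    }
}

# Constructed sample input (well-known SIDs so this runs without an RMS database):
$constructedSids = @(
    'S-1-5-18',               # LocalSystem: resolves on every Windows host
    'S-1-5-32-544',           # BUILTIN\Administrators
    'S-1-5-21-1-2-3-9999',    # well-formed but maps to nothing
    'not-a-sid'               # malformed
)
$summary = Get-RmsUserSummary -Sid $constructedSids
$summary.Rows | Format-Table -AutoSize
"$($summary.Resolved) resolved, $($summary.Orphaned) orphaned, $($summary.Malformed) malformed"
```

The Orphaned count is the one to watch over time: a growing set of SIDs that no longer map to anything means stale identities accumulating in the RMS database, which is worth knowing before someone asks how many people "use RMS".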
Posted by Jason Tyler | 3 Comments

Running the XPS System.Security.RightsManagement SDK samples - What I learned.

So I recently had a customer call me regarding the XPS SDK samples. (Make sure you set up your pre-production environment according to the SDK instructions.) I had all kinds of E_DRM_MANIFEST_POLICY_VIOLATION troubles, but here is how I got around it.

The samples can be downloaded from here:

http://download.microsoft.com/download/f/6/e/f6e32974-726e-4054-96af-9c747bf89a6e/RightsManagedPackagePublish.exe

http://download.microsoft.com/download/f/6/e/f6e32974-726e-4054-96af-9c747bf89a6e/RightsManagedPackageViewer.exe

(Make sure you have .NET 3.0 installed on your Dev box or you will get an error about the microsoft.WinFX.targets file missing (Hint: On Vista you need to turn this on through the control panel))

1. When running in debug mode you need to create a signed manifest for your app.vshost.exe, after each build. I did this by creating a .cmd file named makedmanifest.cmd with the following included in it (make sure you put all of your ISVTest certs in your output directory (i.e. /obj/Debug, obj/Release)):


Genmanifest -chain ISVTierAppSignSDK_Client.xml dmanifest.mcf manifest.xml

I created a file called dmanifest.mcf and added the following to it (which is different than what the sample docs tell you to do):

AUTO-GUID
ISVTier5AppSigningPrivKey.dat
MODULELIST
   REQ HASH RmPackagePublish.vshost.exe
POLICYLIST
   INCLUSION
      PUBLICKEY   ISVTier5AppSigningPubKey.dat
EXCLUSION

 

I then went into my Project > Properties > Build Events and added makedmanifest.cmd to the post-build event command line.

Also, to make things easier on myself I went to Project > Properties > Build and set the output path to \obj\Debug, to simplify the post-build command to just the makedmanifest.cmd command instead of having to put in the whole path to the file.

2. When running the standalone bits you need to replace the app.vshost.exe in the .mcf with just the app.exe. So I created a makermanifest.cmd and an rmanifest.mcf file that use the actual .exe, which I run when I just want to run the standalone .exe.

3. I had some manifest policy violation issues that turned out to be a red herring. I had to replace the TestTier certs, as the ones I was using were apparently corrupted.

4. It is probably better to use the application's path to place the manifest file in, instead of c:\. You can do this by setting something like:

String manifestloc = System.IO.Path.GetDirectoryName(System.Reflection.Assembly.GetExecutingAssembly().Location.ToString()) + "\\manifest.xml";

..then pass this value in the code in each place (2) where it asks for the rvc.xml file.

5. If you want to use the XPSViewer that ships with the .NET 3.0 redist in a pre-production environment, you can go to C:\Windows\System32\XPSViewer and replace its manifest by signing the .exe the same way we did above. Just create a .mcf file replacing the app.exe with XPSViewer.exe, and run genmanifest on it using the name of the manifest file found in the XPSViewer directory. You should be able to use this to open the output of this SDK app (or you can compile and run the viewer app).

Hope this saves someone some time down the road. I didn't run the viewer SDK sample yet, but I'm sure it will work the same way.

Thanks to Pankaj one of our RMS devs for doing a sanity check, and figuring out the bad cert problem, and for being awake late at night..like I usually am.

UPDATE: I just tested the RMPackageViewer sample and, as expected, following this guide it worked well.

MERRY CHRISTMAS EVERYONE!!!

-Jason

Posted by Jason Tyler | 1 Comments

Have a heart. Search the internet and make money for your favorite charity or school.

So here is a blog post that has nothing to do with RMS, and that I just ran into...well sadly today...and thought it was worth posting.

You can make money for your favorite charity or school by simply using the live.com search engine located here: http://club.live.com/searchandgive.aspx.

You have to use a search engine anyway, and this is for a good cause, so why not? I've actually seen a major improvement in the live.com search engine, where I'm getting better results now than with the big 'G' search engine.

So while I see a lot of people trying to make money for themselves redirecting traffic (sometimes in a very unethical manner), here is a search engine that is actually giving back.

Give it a try, you'll be helping someone else by simply trying it. You just may end up liking it as well.

-Jason

Posted by Jason Tyler | 0 Comments