
RMS: Protecting Your Assets.

The Protecting 'My' Asset Disclaimer: This is my 'un-official', 'in my spare time', 'use at your own risk', all things RMS (Rights Management Services), IRM (Information Rights Management), IPP (Information Protection Platform), and a bunch of other acronyms I bet you've never heard of, blog.


The best tutorial in the world...EVER...on ADRMS logging.

One of the RMS product group members, Peter Gilson, put together this ADRMS logging tutorial. I asked him if I could post it to my blog, and promised that I wouldn't pump it up, or make crazy unfounded claims about what is contained within this video.

So without further ado, ladies and gentlemen, the number one best tutorial EVER produced in the WORLD on the topic of ADRMS logging. You could search your entire life for a video of this caliber and still go with your thirst for knowledge unquenched. In fact, this video is so hot you need to wear SPF 90 so you don't get burned. The compilation of Quentin Tarantino's work pales in comparison to what you are about to watch. Please stand and recognize true genius!!

OK. So maybe that was a bit much (sorry Peter), but it is the best video on ADRMS logging available anywhere.

(Warning: This video is 383 MB, so you may want to right click and save it locally.)

ADRMS Logging Tutorial

 -Jason

 

Posted Tuesday, January 12, 2010 11:24 AM by Jason Tyler | 0 Comments

Tool to determine the validity dates of your application manifests.

As I'm sure many of the people subscribed to this blog have realized, it is important to be able to discover the validity dates in your application manifests to determine if and when a particular cert-chain will expire so you can take appropriate actions prior to the chain expiration.

Here is a tool that you can use to accomplish that task. (Disclaimer: this tool is completely unsupported, so use it at your own risk.)

GetCertChainDates

Instructions for GetCertChainDates

Pre-requisites:

  - Microsoft .NET Framework v2.0 or above.

Usage instructions:

  - Copy GetCertChainDates.zip to your machine and extract the GetCertChainDates.exe tool.
  - From a command line, use GetCertChainDates as follows:

      GetCertChainDates.exe <path_to_manifest_file>

    or

      GetCertChainDates.exe -s <location_to_search>

  - Example:

      GetCertChainDates.exe OLKIRM.XML

    or

      GetCertChainDates.exe -s "c:\Program Files"

How to read the output of the tool:

Example output:

            ValidUntil
    Cert 0  2017-01-01T00:00
    Cert 1  2017-07-10T21:38
    Cert 2  2015-06-01T22:57
    Cert 3  2015-11-29T21:30
    Cert 4  2015-11-26T23:49


The earliest date in the ValidUntil column is the date when the manifest will expire and the application will no longer be able to access/create AD RMS protected content.

Hope this tool is useful for people.

-Jason

Posted Thursday, December 17, 2009 9:02 AM by Jason Tyler | 2 Comments

Cannot Open Office 2003 Documents Protected with RMS

================================================= 
UPDATE:

The following patches are available to correct the issue noted below.
For now you need to call support (1-800-936-4900) and reference one of the below KBs to obtain them, but it will be a no-charge incident. Keep in mind that you *must* be up to Office 2003 SP3 in order to install these hotfixes.

================================================= 

This was taken directly from the Office SE team's website:

http://blogs.technet.com/office_sustained_engineering/archive/2009/12/11/cannot-open-office-2003-documents-protected-with-rms.aspx

Starting on December 11, 2009, customers using Office 2003 will not be able to open Office 2003 documents protected with the Rights Management Service (RMS) or save Office 2003 documents protected with RMS. The following error message may be displayed when attempting to Open RMS Documents using Office 2003:

"Unexpected error occurred. Please try again later or contact your system administrator"

This symptom affects Office 2003 products used in conjunction with RMS, including Word 2003, Excel 2003, PowerPoint 2003 and Outlook 2003. It does not affect Office 2007.

We are working to resolve this issue as quickly as possible and we will provide customers a solution as soon as we can. We will post any new updates here.

Thanks.

Jason

Additional Info
=========================
I've had people ask me how they can determine the expiration date of the manifest files after they update. Here are the steps, if you want to do it by hand. For this example I'll use the EXLIRM.XML file located in C:\Program Files\Microsoft Office\Office12 (I'm using the files in Office12 because I don't have 2003 installed...but it's the same process).

1.)    Save the manifest file to another location.
2.)    Edit the XML file (the copy you made) and remove the <?xml version="1.0"?><CERTIFICATECHAIN> from the beginning.
3.)    Go to Edit > Replace.
4.)    In the Find what: box enter <CERTIFICATE>
5.)    In the Replace with: box enter -----BEGIN CERTIFICATE-----
6.)    Hit ‘Replace All’.
7.)    Go to Edit > Replace.
8.)    In the Find what: box enter </CERTIFICATE>
9.)    In the Replace with: box enter -----END CERTIFICATE-----
10.) Hit ‘Replace All’.
11.) Remove the </CERTIFICATECHAIN> entry from the bottom of the XML file.
12.) Save the file.
13.) Go to a command prompt and type certutil -decode exlirm.xml output.xml (I'm using Windows 7, which has certutil installed by default).
14.) You can then open output.xml in Notepad and see the expiry dates in the <VALIDITYTIME> tag near the beginning of the file. What you are looking at is the decoded XrML certificate, which is XML rather than an X.509 certificate; the BEGIN/END CERTIFICATE lines were only there so certutil would base64-decode it.

This will get the date you are looking for. If you want to go through the whole chain, go back into the manifest file, remove the first -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- chunk, and run the command again (certutil -decode only decodes the first block it finds). Keep doing this until you get to the last chunk. I should probably write a script to do this.
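The script the steps above are asking for, added here as an example: it is not the GetCertChainDates tool from the earlier post and not the author's code. It does the base64 decode that the Notepad-and-certutil steps do by hand, reads the VALIDITYTIME of every certificate in the chain, and reports the earliest UNTIL date, which is the expiry the GetCertChainDates post tells you to look for. It assumes only the manifest layout described above (a CERTIFICATECHAIN root whose CERTIFICATE children are base64 XrML documents carrying a VALIDITYTIME block with FROM and UNTIL); the script name and the *IRM.XML naming used in the usage note are my assumptions.

```powershell
# Get-RmsManifestValidity.ps1  (added example; script name is an assumption)
# Prints the validity window of every certificate in an AD RMS application
# manifest (OLKIRM.XML, EXLIRM.XML, ...) and the date the whole chain expires.
param(
    [Parameter(Mandatory = $true, Position = 0)]
    [string]$ManifestPath
)

$validityPattern = '<VALIDITYTIME>\s*<FROM>([^<]+)</FROM>\s*<UNTIL>([^<]+)</UNTIL>'
$timeFormats     = [string[]]@("yyyy-MM-dd'T'HH:mm", "yyyy-MM-dd'T'HH:mm:ss")
$culture         = [Globalization.CultureInfo]::InvariantCulture

# ReadAllText strips any BOM, so the [xml] cast sees a clean <?xml ...?> prologue.
[xml]$manifest = [IO.File]::ReadAllText($ManifestPath)
if ($manifest.DocumentElement.Name -ne 'CERTIFICATECHAIN') {
    throw "$ManifestPath is not a CERTIFICATECHAIN manifest (root is <$($manifest.DocumentElement.Name)>)"
}

$index = 0
$chain = foreach ($node in $manifest.DocumentElement.SelectNodes('CERTIFICATE')) {
    # The same decode certutil does, minus the BEGIN/END CERTIFICATE wrapping.
    # What comes out is an XrML document, not an X.509 certificate.
    $xrml = [Text.Encoding]::UTF8.GetString(
        [Convert]::FromBase64String(($node.InnerText -replace '\s', '')))

    $m = [regex]::Match($xrml, $validityPattern, 'IgnoreCase')
    if (-not $m.Success) { throw "Certificate $index has no VALIDITYTIME block" }

    New-Object PSObject -Property @{
        Cert       = $index
        ValidFrom  = [datetime]::ParseExact($m.Groups[1].Value.Trim(), $timeFormats, $culture, 'None')
        ValidUntil = [datetime]::ParseExact($m.Groups[2].Value.Trim(), $timeFormats, $culture, 'None')
    }
    $index++
}

$chain | Select-Object Cert, ValidFrom, ValidUntil | Format-Table -AutoSize

# The chain is only as good as its shortest-lived link: the earliest UNTIL is
# the day the application stops being able to open or protect RMS content.
$expiry   = ($chain | Sort-Object ValidUntil | Select-Object -First 1).ValidUntil
$daysLeft = [int][Math]::Floor(($expiry - (Get-Date)).TotalDays)
if ($daysLeft -lt 0) {
    Write-Warning ("{0}: manifest chain EXPIRED on {1:yyyy-MM-dd HH:mm}" -f $ManifestPath, $expiry)
} else {
    "{0}: manifest chain valid until {1:yyyy-MM-dd HH:mm} ({2} days left)" -f $ManifestPath, $expiry, $daysLeft
}
```

Run it as `.\Get-RmsManifestValidity.ps1 "C:\Program Files\Microsoft Office\Office12\EXLIRM.XML"`. To get the equivalent of the tool's -s switch, feed it every manifest under a tree (assuming your manifests follow the *IRM.XML naming seen above): `Get-ChildItem "C:\Program Files" -Recurse -Filter *IRM.XML | ForEach-Object { .\Get-RmsManifestValidity.ps1 $_.FullName }`. A chain that throws on "no VALIDITYTIME block" is worth a look too: it means something in the file is not a certificate the RMS client would accept either.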

Posted Friday, December 11, 2009 4:04 PM by Jason Tyler | 1 Comments

Passport users may no longer be able to open RMS protected content from Enterprise RMS installations.

Ok. So it appears all kinds of funkiness with the Passport service has caused problems for any organization that decided to trust Passport-based RACs. So, to correct the problem, you will need to re-apply that trust on your RMS installation, so you obtain an updated TUD certificate from the Passport service. Please note that the Passport TUD is the only TUD certificate with an expiration, so you will have to do this again a few years from now.

Here is the quote from the owners of the Passport service:

"We have recently become aware of an issue with Enterprise RMS servers that have established trust with Passport RACs. Some Passport users may have trouble opening RMS protected content that was sent to them by Enterprise RMS customers.

Please note that this issue is unrelated to the recent update to the Microsoft Information Rights Management Trial Service, and does not apply to Enterprise RMS customers who have not established trust with Passport RACs.

We have isolated the cause of this issue to certain certificates that have expired validity times.

To resolve this, simply remove trust with Passport RACs, and re-establish the trust."

Here are the steps to do that.

Here are the documentation links for W2K8 & W2K8 R2:

AD RMS Admin Console in W2K8 & W2K8 R2: http://technet.microsoft.com/en-us/library/cc753056.aspx

PowerShell for W2K8 R2: http://technet.microsoft.com/en-us/library/ee221037(WS.10).aspx

Here are the steps for RMS V1:

1. On the Global Administration page click “Administer RMS on this Web site”.

2. Click the “Trust policies” Administration link.

3. On the Trust policies page, check the “Microsoft RM Certification Service” Trusted User Domain checkbox and click “Remove each selected trusted user domain”.

4. Click the “Trust Passport RACs” button to import the new Certificate.

Thanks.

Jason

Posted Tuesday, December 08, 2009 9:43 AM by Jason Tyler | 1 Comments

New videos available around ADRMS

Hey check it out. Apparently we released some new videos surrounding ADRMS:

http://edge.technet.com/Tags/RMS/

Coolness!

-Jason

Posted Thursday, December 03, 2009 3:19 PM by Jason Tyler | 0 Comments

Passport RMS Service Experiencing Technical Difficulties

UPDATE: 12/2/2009 - Patch is applied. Everything should be back to normal. The Microsoft PG worked through the holidays and everything on this to get it fixed and applied. This was a really quick turn-around given the complexity of the fix. Thanks for the dedication!!

UPDATE: I just received word that the product group is in the testing phase of this fix, and the ETA for delivery is tomorrow, 12/2/2009. 

If you are one of the customers who is using the online Passport RMS service to protect some of your content, you may have noticed that you are unable to open content.

I received this message from the product group at Microsoft.

We have recently become aware of an issue with Microsoft Information Rights Management Trial Service. Some users may not be able to open protected content that use this service. Please note that Enterprise customers using their own internal RMS 1.0 and AD RMS infrastructure are not affected by this issue.
 
We have isolated the root cause of this issue.  To resolve this, we need to make a change to the Microsoft Information Rights Management Trial Service.  Please rest assured that your content will continue to be accessible after this change is in place.
 
It is the RMS team’s top priority to bring this issue to resolution. We will need to devote additional development and test time to ensure a high-quality fix. We estimate that we can address the issue, which requires the development and testing of a fix, within the next few weeks.
 
We sincerely apologize for the disruption this issue has caused and will provide any updates ASAP.
 
So there you go. Directly from the mothership. I'll keep everyone posted as to any new developments as they happen.
 
-Jason

Posted Wednesday, November 25, 2009 8:55 PM by Jason Tyler | 1 Comments

Learning about ADRMS. Finally....

I know it was about a year ago that I promised I would put up some training materials for ADRMS. Well, I will be teaching some support engineers at Microsoft about ADRMS and how to support it. Part of this class (which will be available to customers at some point) contains lab materials. I recorded myself going through most of the lab materials, explaining what I was doing along the way, so I could time them and make sure the environment was working properly.

I screwed up a couple times during them, and the audio lags a bit in the demos (I used Demo Builder), but if you are self-loathing and want to watch me go through this lab environment and be annoyed by my voice for a few hours, here they are.

First Demo:
Doing it all wrong - So to train CSS engineers, you need to be able to show them how someone can completely screw up an environment, so they know how to help people back out of it, and get into a 'best business' state. So I show you how to screw up your environment in this one, including how to activate a MOSS server against RMS...even though you will need to re-do it once we fix things.

Second Demo:
Why this is wrong - In this demo we discuss why setting up your environment as previously discussed is "bad", and show some examples.

Third Demo:
Correcting the problem - In this demo, I show how to back out of this bad state and still be able to open content created against the old installation, while working with new content.

Fourth Demo:
Correcting the other problems - In this demo I show you how to clean up other problems you may have left over from the incorrectly deployed environment. We fix your MOSS environment in this one.

Fifth Demo:
RMS Templates - In this demo, I show you how to create RMS Templates, discuss why you should use templates, and how to deploy them. I also show how to speed up your demo environment, with a GPO setting one of the PG members gave me, that corrects a certificate chaining issue you'll have when using RMS in an environment with no internet access.

Sixth Demo:
Other ADRMS Features - In this demo I discuss RAC policies, Exclusion Policies, Security Policies, and the other creepy things that exist in ADRMS.

Seventh Demo:
ADRMS Super Users - In this demo we discuss super users, how to set it up, and why you would need them.

Eighth Demo:
ADRMS and Exchange 2010 - In this demo I show you how to IRM Enable Exchange 2010, to allow OWA IRM functionality, as well as Transport Rules. It is still in beta, but you can download it from the MSDN and start playing with it. I don't cover *all* of the IRM functionality like journaling, and E-discovery, but we cover the activation.

Ninth Demo:
ADRMS and ADFS Integration - In this demo I show how to set up an ADFS trust with another forest, and set up ADRMS to use this trust so that users in forests with no ADRMS server can create and consume content with your organization. I run into a few problems with this lab, because I forgot to add the 'fast' GPO setting, and one of my user rights on the RMS server blew chunks...but hey...you need to know what to do, right?

I need to add two more to complete this. Group Expansion Across Forests, and Windows Mobile. I'll be adding those next week.

Hope this helps someone.

I just registered IPCGodz.com, so if you can't get to it today, it should be OK within 24 hours.

Thanks.

 Jason

Posted Friday, October 30, 2009 10:01 AM by Jason Tyler | 0 Comments

Free Bulk Protection Tool - Get it while it's hot.

Congratulations to the bulk protection tool team for getting this tool delivered ahead of schedule.

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=f9fbe58f-c175-41d0-afdc-6f160ab809cd

 This tool can be used to perform E-Discovery of content for litigation or audit purposes, safeguard existing sensitive information on company shares, and also works in conjunction with the File Classification Infrastructure (FCI) feature in Windows Server 2008 R2 to classify and protect company sensitive information. Customers have been asking for this for ...well... as long as I can remember.

So go get it, and try it out.

Have Fun.

-Jason

Posted Friday, October 30, 2009 8:17 AM by Jason Tyler | 0 Comments

Managing your ADRMS database

For all those interested in best practices for ADRMS Performance and Logging, check out this technet section.

 http://technet.microsoft.com/en-us/library/dd941633(WS.10).aspx

 -Jason

Posted Monday, October 26, 2009 8:41 AM by Jason Tyler | 0 Comments

Nothing to do with RMS - Protect your home machines.

For anyone that didn't know, Microsoft has released a *free* Anti-Virus, Anti-Spyware/Malware application that you can stick on all of your home machines.

I am running it on all of mine at home, and it works great. The best kind of AV product is one you don't know is there....until you need it.

 http://www.microsoft.com/security_essentials/

 Check it out.

 -Jason

Posted Wednesday, October 21, 2009 4:27 PM by Jason Tyler | 0 Comments

Do you know how to get a message directly to the ADRMS product group?

For those of you that don't know, the ADRMS development team actually has their own blog. They have been posting articles out there with some good information, and it is an 'official' ADRMS blog, unlike mine, which is just a bunch of crazy ramblings I've put together in the early morning hours so I have a public repository of things I need to remember. Plus, I'm not allowed at the local stand-up comedy club anymore. Those people just don't appreciate the humor of someone installing ADRMS on a Domain Controller, that only my audience here does.

Plus...when you make comments on their blog, it actually goes to the team that is writing and designing the product. If there is something you want to see in the product, or something you don't like and would like to see changed, or if you just want to write a long story about how ADRMS helped you survive your horrific life-altering ordeal in the Australian outback, you can rest assured that the team responsible for ADRMS will be reading it. Not that I don't love those stories, and all of the comments and questions I get, but now you have *two* places to ask, and as I always say, 4-1/2 heads are better than 2-1/4.

ADRMS Team Blog

UPDATE: Rather than waste a whole new post to tell people this I'll post it here. I just put *all* of the click-through demos I have in my previous click-through post. http://blogs.technet.com/rmssupp/archive/2009/02/04/click-through-demos-they-re-the-cats-pajamas.aspx . You're welcome.

-Jason

Posted Tuesday, June 09, 2009 10:49 AM by Jason Tyler | 0 Comments

Obama Says: Cyber Security is *top* Priority. Cyber Czar TBA.

So....it appears that President Obama has been reading my blog...


O.K. I made that part up, but it was pretty exciting to watch his speech today on cyber security (..not sure when I turned into a total nerd).

The whole speech I was just saying to myself "ADRMS would prevent that...ADRMS would prevent that...ADRMS can do that...ADRMS would cover that", and even a few "Forefront Security would prevent that". Heck they'd solve 90% of their problems if they went and visited microsoft.com/security, or microsoft.com/ida.

I wonder who the new 'Cyber Czar' will be. I don't know that I'd like to have that job. You've got 10,000,000 hackers that will attack you non-stop to make a point. In fact, I'd be willing to gamble that shortly after the announcement, you'll see something like "Cyber Czar's e-mail hacked" in the news. I'd almost be willing to gamble that the hacker community will know who the new Czar is before the new Czar does. (Unless of course they are already using ADRMS...then the odds are in favor of the Czar.) <g>

So my tip for the day to the president and his staff: make sure you secure all of your e-mails and data regarding this announcement with ADRMS (you should be doing it for everything anyway), and make sure the people exchanging this data are using secure systems with good passphrases and/or secure smart cards. You *really* don't want the hacker community announcing things related to your cyber security plans before you do. That would be a BAD THING®. There are even a few ADRMS solutions for your BlackBerry, although you really need to start thinking about getting yourself a Windows Mobile phone.

Gimme a call...I might know some people that can hook you up. ;)

-Jason


 

Posted Friday, May 29, 2009 11:24 AM by Jason Tyler | 0 Comments

Daily Wacky Environment Solution: One-Way trust AND ADRMS using ADFS

Consider this scenario.
Customer has two forests.

Resource Forest (RFCOM) - Houses resources like RMS and MOSS.
Account Forest (AFCOM) - Houses all of the user accounts.

Situation: Customer wants to have *one* RMS cluster housed in the resource forest. Has a one-way trust where the resource forest trusts the account forest (for some other applications, including MOSS auth (although I think MOSS will work with ADFS as well)). Wants to use ADFS to do SSO to the ADRMS server to get content served by the MOSS server in the resource forest.

Problem: In order to use ADFS with ADRMS there typically needs to be *no* trust between forests. The way that the RMS client works, is that it will try to obtain a RAC via the standard Windows Auth pipeline (https://rms.rfcom.com/_wmcs/certification/certification.asmx). If this fails, it will use the ADFS token pipeline (https://rms.rfcom.com/_wmcs/certificationexternal/certification.asmx), and pass the ADFS server specified in the FederationHomeRealm registry key. The RMS server *has to* reside in the same forest with MOSS since there is no ADFS pipeline for service accounts.

If there is a one-way trust, the user legitimately gets through IIS's Windows authentication on the certification pipeline, so IIS answers 200 (OK) instead of the authentication failure the client falls back on. The RMS server then rejects the request anyway, because it expects to find the user in its own forest's AD. That puts the RMS client in a bad state: it simply thinks the RMS server has rejected the request, and cries about it with an error message.

So we have a few options. 

Solution 1:  Remove the one-way trust. If you remove the one-way trust, then IIS will not authenticate the user to the Windows Auth certification pipeline, and the RMS client will automatically roll over to the ADFS tokenized pipeline.

Solution 2: (The one we used). We went to the properties of C:\Inetpub\wwwroot\_wmcs\certification\certification.asmx, and added an ACE to the security tab for the 'AFCOM\Domain Users' group, and gave it explicit *deny* permissions. This forces all clients in the AFCOM forest to rollover to the ADFS certification pipeline.

Solution 3: Setup a RMS cluster in the account forest, and then export the SLC from the AFCOM forests RMS server, into the RFCOM forests RMS server as a TUD (Trusted User Domain).

Anyway, option 2 worked for this customer. For any additional account forest he adds with a one-way trust, he just needs to add a deny ACE to the certification.asmx file for that forest's 'Domain Users' group. We also added an SCP to the account forest with the cluster URL of the resource forest, so that all of the clients in the account forest would auto-discover the ADRMS service without needing registry overrides.

ADRMS is a pretty flexible product. Even though every single possible environment situation isn't documented, doesn't mean that with a little playing around you can't get just about any situation to work (within the support boundaries...and sometimes outside of them. <-- I didn't just say that. :)).

-Jason
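Solution 2 as a repeatable script, added here as an example; it is not part of the original post. The web root path, the AFCOM forest name, and the choice of denying only Read are assumptions (the post does not say which right it denied); adjust them for your cluster.

```powershell
# Added example, not from the original post. Run elevated on every node of the
# AD RMS cluster. Assumptions: the default web root below, the AFCOM NetBIOS
# name, and that denying Read is sufficient.
$asmx    = 'C:\Inetpub\wwwroot\_wmcs\certification\certification.asmx'
$forests = @('AFCOM')    # one entry per account forest with a one-way trust

foreach ($forest in $forests) {
    # IIS evaluates the file ACL as the Windows-authenticated caller, so a user
    # from this forest now gets 401.3 (denied by ACL) instead of 200, and the RMS
    # client falls over to _wmcs/certificationexternal (the ADFS pipeline) by itself.
    & icacls $asmx /deny "$forest\Domain Users:(R)"
}

# Read the ACL back: only the intended groups should show up as Deny, and
# they should be explicit (IsInherited = False), not something inherited
# from a parent folder that would hit every forest.
(Get-Acl -Path $asmx).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

The deny sits on the one file, so the rest of _wmcs (licensing, the ADFS certification pipeline) is untouched; if you later add a second account forest, append it to $forests and re-run rather than editing the ACL by hand.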

Posted Thursday, May 28, 2009 4:28 PM by Jason Tyler | 0 Comments

To CRL or not to CRL. That is the question.

I recently got a call from a customer having problems opening content from the internet using the Passport Trust option of RMS. Looking at the DebugView Logs RMS was returning an error code of 8004CF3B. So I look up the error in my handy-dandy technet:

http://msdn.microsoft.com/en-us/library/bb204613(VS.85).aspx

E_DRM_NO_CONNECT. Hmmmm...

So I had him try to access the licensing pipeline URL from the machine, and...it connects no problem. <<There's something on the wing....SOME...THING!!!>>

Certificate looks good, but it is a... internal CA cert.... Hmmmm...

Let's disable CRL checking in IE's settings (Tools > Internet Options > Advanced > Security | uncheck both certificate revocation validation options).

Voilà, it works. So, the moral of the story: the licensing URL was presenting a certificate from an internal CA, and from the internet the client could not reach that CA's CRL distribution point, so the revocation check failed and the RMS client surfaced it as E_DRM_NO_CONNECT. Vista doesn't like it when you use an internal CA certificate externally with these options checked and you are trying to use RMS; XP doesn't seem to be bothered. Use a VeriSign or GoDaddy cert instead. (Unchecking those boxes turns revocation checking off for everything on that machine that goes through WinINET, so treat it as a way to confirm the diagnosis, not as the fix.)

Whodathunkit?

-Jason

UPDATE: A buddy of mine, Barclay, pointed out that the other option is to expose your CRL Distribution point externally. Duh!!
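An added example (not from the post) that reproduces the diagnosis from an external client without touching IE's revocation settings: it completes a TLS handshake with the licensing URL, builds that certificate's chain with revocation checking turned on, the way IE and the RMS client do, and then tries to fetch every HTTP CRL Distribution Point in the leaf certificate from the same host. The cluster URL is a placeholder; everything else is standard .NET.

```powershell
# Added example, not from the original post. Run from an external client.
$Url = 'https://rms.example.com/_wmcs/licensing/license.asmx'   # placeholder

# 1. Complete a TLS handshake so we get the server certificate. HttpWebRequest
#    does not check revocation by default, so this succeeds even when the CDP is
#    unreachable; a 4xx/5xx from the pipeline is fine, only a trust failure is not.
$req = [Net.WebRequest]::Create($Url)
$req.Method = 'HEAD'
try   { $req.GetResponse().Close() }
catch [Net.WebException] {
    if ($_.Exception.Response) { $_.Exception.Response.Close() } else { throw }
}
$cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2 $req.ServicePoint.Certificate
'Server certificate: {0}' -f $cert.Subject
'Issued by:          {0}' -f $cert.Issuer

# 2. Build the chain the way IE and the RMS client do with revocation checking on.
$chain = New-Object Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode      = 'Online'
$chain.ChainPolicy.RevocationFlag      = 'EntireChain'
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15
if ($chain.Build($cert)) {
    'Chain builds with revocation checking: OK'
} else {
    'Chain FAILS with revocation checking:'
    $chain.ChainStatus | ForEach-Object { '  {0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }
}

# 3. Pull the HTTP CRL Distribution Points off the leaf and fetch each one from
#    here. An internal-only URL that fails below is the E_DRM_NO_CONNECT trigger.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) {
    'Leaf certificate carries no CRL Distribution Point extension'
} else {
    $wc = New-Object Net.WebClient
    [regex]::Matches($cdp.Format($true), 'URL=(http\S+)') | ForEach-Object {
        $u = $_.Groups[1].Value
        try   { '  reachable   {0} ({1} bytes)' -f $u, $wc.DownloadData($u).Length }
        catch { '  UNREACHABLE {0}: {1}' -f $u, $_.Exception.Message }
    }
}
```

If step 2 reports RevocationStatusUnknown or OfflineRevocation and step 3 shows the CDP as unreachable, you have the post's problem, and the fixes are the two the post ends up with: publish the CDP externally, or put a certificate from a public CA on the licensing pipeline. The same check from the command line, once you have exported the server certificate to a file, is `certutil -verify -urlfetch server.cer`.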

Posted Friday, May 22, 2009 10:48 AM by Jason Tyler | 0 Comments

Foxit makes their reader more foxy with IRM capabilities.

Welcome to the party Foxit!!!

http://www.foxitsoftware.com/announcements/2009487743.html

http://www.foxitsoftware.com/rms/

I expect we will see a lot more of this from a lot more vendors soon. The trend is showing that customers are no longer *requesting* that their application providers protect their content. They are *demanding* it. If you are writing software that allows customers to create sensitive data, be warned: you should definitely get on the IRM integration bus before you get run over.

Long live Jimi!!

ARE YOU IRM EXPERIENCED???

http://www.microsoft.com/windowsserver2008/en/us/ida-information-protection.aspx

Trippy Tip: Use the live translator link at the top of my blog to translate this post to a different language. You will get a split-screen page. Turn your speakers up and enjoy the Jimi Hendrix Experience!!!

Posted Wednesday, May 20, 2009 11:24 AM by Jason Tyler | 0 Comments
