
Archive for February, 2010

Removing the application manifest expiry feature from AD RMS clients

February 10th, 2010 Ashley Moore No comments

Just a quick post to advise that Microsoft has now released a KB to remove the application manifest expiry feature from AD RMS. This legacy feature was used to confirm that applications accessing or creating RMS-protected content could be trusted.

This was done by having applications signed with application signing certificates issued by Microsoft. Once an application's signing certificate expired, the application was no longer trusted to open or create RMS-protected content until it was renewed through an application update, which caused problems and errors whenever signing certificate expiry and application updates fell out of step!

Trust can now be controlled by the system administrator rather than by signing certificates: administrators can define applications, or older versions of applications, as untrusted themselves.

The update that removes this feature is KB979099, which is available for all RMS client operating systems.


Can't open Remote Console on iLO: “Remote Console is unavailable. It is already in use by a different client”

February 8th, 2010 Daniel Davies No comments

We came across this issue today, where we were unable to access a server's iLO because someone had left a remote console session open.

The following error was displayed:

Remote Console is unavailable. It is already in use by a different client

We needed to access the server's iLO pretty quickly, so we had to end the other user's iLO remote console session.

To do this, do the following.

1, Go to System Status on the homepage and select Diagnostics

2, Now press Reset, which will reset all connections to the iLO and then enable you to access the remote console on the iLO

Daniel Davies


SQL 2008 Installation Checks Failed

February 5th, 2010 Daniel Davies No comments

I came across this issue when trying to upgrade to SQL 2008 SP1, where one of the checks failed and would not allow me to update. The check was “Reboot required”.

Solution

1, Open Regedit

2, Navigate to HKLM\SYSTEM\CurrentControlSet\Control\Session Manager

3, Go to the properties of the DWORD value “PendingFileRenameOperations”

4, Remove any data in this value (so that it is blank)

5, Do the same again for the following keys

HKLM\SYSTEM\CurrentControlSet001\Control\Session Manager
HKLM\SYSTEM\CurrentControlSet002\Control\Session Manager

6, Attempt to rerun the checks and all should be OK :)
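Before clearing the value it is worth seeing which renames are actually pending, since the installer check exists to protect files that are still in use. The following PowerShell is an added example, not part of the original post: it lists the pending rename entries in every control set (the numbered sets the post refers to live under HKLM\SYSTEM\ControlSet00n) and modifies nothing.

```powershell
# Added example: list PendingFileRenameOperations in every control set, read-only.
# Run from an elevated PowerShell prompt; nothing is cleared.
function Get-PendingFileRenames {
    $results = @()
    # CurrentControlSet plus every numbered ControlSet00n under HKLM\SYSTEM
    $sets = @('CurrentControlSet') + @(Get-ChildItem 'HKLM:\SYSTEM' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'ControlSet0*' } |
        ForEach-Object { $_.PSChildName })
    foreach ($set in $sets) {
        $key  = "HKLM:\SYSTEM\$set\Control\Session Manager"
        $prop = Get-ItemProperty -Path $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
        if (-not $prop) { continue }
        $entries = @($prop.PendingFileRenameOperations)
        # REG_MULTI_SZ of source/destination pairs; an empty destination means the
        # source is deleted at next boot, a '!' prefix marks a replace of an existing file
        for ($i = 0; $i -lt $entries.Count; $i += 2) {
            $dest = '<delete>'
            if (($i + 1 -lt $entries.Count) -and $entries[$i + 1]) {
                $dest = $entries[$i + 1] -replace '^!?\\\?\?\\', ''
            }
            $results += [pscustomobject]@{
                ControlSet  = $set
                Source      = $entries[$i] -replace '^\\\?\?\\', ''
                Destination = $dest
            }
        }
    }
    return $results
}

$pending = @(Get-PendingFileRenames)
if ($pending.Count -eq 0) {
    Write-Output 'No pending file rename operations found.'
} else {
    $pending | Format-Table -AutoSize
}
```

If the list shows files belonging to an update that was never completed, a reboot is the safer fix; clearing the value only makes the installer check pass.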


AD RMS – Certificates

February 3rd, 2010 Ashley Moore No comments

RMS secures data using certificate key pairs; however, it does not require a PKI, which is a common misconception. A PKI can be very useful alongside RMS, for securing communications between client and server etc., but it is not a requirement. The certificates used in RMS are in XrML (eXtensible rights Markup Language); those you should be aware of are as follows:

Server Licensor Certificate – This is the certificate created when RMS is installed on the first server in a cluster; it is a unique certificate that identifies the cluster. If further servers are added to the cluster, the SLC is shared with them. By default, in a root cluster this handles certification by issuing RACs and licensing protected content. In particularly large implementations additional licensing servers can be installed, which have their own SLC.

Machine Certificate – This is created the first time an RMS-aware application is used and is tied to the hardware of the machine as well as the user login, so multiple machine certificates can exist on the same machine if multiple users use it. As well as the machine certificate, machines receive a unique Lockbox. The Lockbox contains the machine's private key and the machine certificate contains the machine's public key, so the Lockbox is central to all encryption and decryption.

Rights Account Certificate – This is the certificate that identifies a user; a standard RAC is associated with the computer the user is logged onto. The SLC issues a RAC to the client the first time they attempt to consume RMS-protected content. The RAC contains the user's key pair, and its private key is encrypted with the public key of the machine certificate.

Client Licensor Certificate – The CLC is created by the root cluster and sent to the client when they try to protect content using RMS-aware apps. They have to be connected to the network to receive it, but it grants them the right to publish content even when not connected. As with the RAC, the CLC contains a key pair; its private key is encrypted with the public key of the user who requested it (from their RAC). It also contains the public key of the cluster that issued the certificate, signed by the private key of the cluster. The private key of the CLC signs any Publishing Licences it creates.

Publishing Licence – The PL is created when a client rights-protects content and specifies which users have access and what access they have. It contains the symmetric key that decrypts the content, encrypted with the public key of the cluster that issued the PL.

Use Licence – This is presented to a client when they attempt to access rights-protected content and contains the rights of the authenticated user requesting access. It is tied to the RAC (which identifies the user). The PL is sent to the root cluster along with the user's RAC; if access is allowed, the cluster decrypts the symmetric key using its private key and then re-encrypts it using the public key of the user. The user can then decrypt the content and use the rights they have been granted.

Heavy stuff, but I hope this makes a little more sense and shows how robust AD RMS actually is! Hopefully I will follow up with some more information on integration with well-known MS technologies such as Exchange and SharePoint in the near future…


AD RMS

February 3rd, 2010 Ashley Moore No comments

Active Directory Rights Management Services is a very powerful and useful product for protecting sensitive and confidential data; however, many people are unaware of its capabilities. I hope in this post to give a very high-level view of what it can do, and to follow up with some more architectural, lower-level posts for those more interested :)

It is recommended that an RMS installation uses a SQL database on a separate machine to store all logging information, configuration information, etc. Once the RMS role is installed on a member server, an SCP (Service Connection Point) is published in AD so that whenever a user tries to protect or consume data using RMS-aware applications they know where to go to get certified or licensed.

On the client side an RMS client is required. Operating systems from Vista onwards include the client in the default installation; for earlier OSs the client can be downloaded from Microsoft. As RMS is reliant on IIS and is a web-based technology, the client requires an email address attribute in Active Directory, as this is what RMS uses to identify users. This does NOT mean that you need Exchange or any kind of email system installed internally.

When a user attempts to consume content for the first time they receive a machine certificate as well as a Rights Account Certificate to identify them; the server checks the publishing licence to see whether they have access and what access they have, and then sends them a use licence based on this. When they first try to protect content they must be connected to the network to receive a Client Licensor Certificate, which allows them to publish content; once they have a CLC they can protect content offline. All these certificates are stored in the user's profile in XrML format.

When a user tries to protect content they have two options: they can either set manual permissions or select from templates created on the root cluster. As well as permissions you set conditions, which include whether the content may be printed or forwarded and when it should expire and therefore become inaccessible. (Microsoft is currently working towards automatic protection; this is implemented to a degree in SharePoint 2007 and very well in Exchange 2010. I will hopefully go into more detail in a later post!)

Currently RMS-aware file formats include the Office suite (excluding OneNote) and XPS, although additional IRM protectors can be downloaded from third-party sites to support protection for hundreds of file formats. Very cool stuff! :)

See my next post for more information on the RMS Certificates.
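To make the key hierarchy from this post and the certificates post above concrete, here is an added PowerShell example (not RMS code, and not the author's) that models the publishing and use-licence exchange with .NET crypto primitives: RSA key pairs stand in for the cluster's SLC and the user's RAC, the content is protected with a symmetric key, the Publishing Licence wraps that key for the cluster, and the Use Licence re-wraps it for the user. Real XrML licences carry much more (rights, signatures, expiry); this isolates the key-wrapping chain only.

```powershell
# Added example modelling the AD RMS key chain described in the posts above; it is
# not RMS code. Licences are reduced to the wrapped content key plus a rights string.
$Oaep = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA1

function New-PublicOnlyCopy([System.Security.Cryptography.RSA]$KeyPair) {
    # Export just the public parameters, as a certificate would carry them
    $pub = [System.Security.Cryptography.RSA]::Create()
    $pub.ImportParameters($KeyPair.ExportParameters($false))
    return $pub
}

function Protect-Content([byte[]]$Plaintext, [System.Security.Cryptography.RSA]$ClusterPublic) {
    # Publisher: encrypt the content with a fresh symmetric key, then wrap that
    # key with the cluster's public key. The wrapped key is what the PL carries.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    return @{
        Ciphertext        = $cipher
        IV                = $aes.IV
        PublishingLicence = @{ WrappedKey = $ClusterPublic.Encrypt($aes.Key, $Oaep); Rights = 'View' }
    }
}

function New-UseLicence($PublishingLicence, [System.Security.Cryptography.RSA]$ClusterPrivate, [System.Security.Cryptography.RSA]$UserPublic) {
    # Root cluster: unwrap the content key with its private key and re-wrap it
    # for the requesting user's RAC public key; the key is never sent in clear.
    $contentKey = $ClusterPrivate.Decrypt($PublishingLicence.WrappedKey, $Oaep)
    return @{ WrappedKey = $UserPublic.Encrypt($contentKey, $Oaep); Rights = $PublishingLicence.Rights }
}

function Unprotect-Content($Protected, $UseLicence, [System.Security.Cryptography.RSA]$UserPrivate) {
    # Client: unwrap the content key with the RAC private key and decrypt the content
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $UserPrivate.Decrypt($UseLicence.WrappedKey, $Oaep)
    $aes.IV  = $Protected.IV
    return $aes.CreateDecryptor().TransformFinalBlock($Protected.Ciphertext, 0, $Protected.Ciphertext.Length)
}

# Key pairs for the cluster (SLC) and the user (RAC); only the public halves are shared
$clusterKey = [System.Security.Cryptography.RSA]::Create()
$userKey    = [System.Security.Cryptography.RSA]::Create()
$clusterPub = New-PublicOnlyCopy $clusterKey
$userPub    = New-PublicOnlyCopy $userKey

$message   = [System.Text.Encoding]::UTF8.GetBytes('Constructed sample: confidential note')
$protected = Protect-Content $message $clusterPub
$useLic    = New-UseLicence $protected.PublishingLicence $clusterKey $userPub
$plain     = Unprotect-Content $protected $useLic $userKey
[System.Text.Encoding]::UTF8.GetString($plain)   # prints the original note
```

Note that the publisher never needs the cluster's private key and the cluster never sees the content, which is the property that lets a CLC holder publish offline.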


Problems installing Unified Messaging Language packs in Exchange 2010

February 3rd, 2010 Daniel Davies No comments

After downloading and attempting to install the French language pack for Exchange 2010 UM I was less than pleased to receive an error:

It took me a few moments to digest what was occurring, but after reading the error (always a good start) and looking through the Exchange setup logs ([ERROR] Could not find a part of the path ‘C:\Support\UM,Language,Packs\fr-FR’), it would appear that if the language pack is in a folder whose name contains spaces it will not install.

If you look at the error above you will note that the spaces in my folder name have been replaced by commas (‘,’).

Resolution

Remove the spaces from the name of the folder containing the language pack :)

Neil Cruickshanks

Can’t make any changes on SharePoint Website

February 2nd, 2010 Daniel Davies No comments

We came across this issue last month after patching our SharePoint servers. After all the servers came back up from the reboot, users tried to upload a document onto a specific site within our SharePoint farm and had no option to do so at all; no matter what account we were logged in as, it was not possible.

In fact it was not possible to make any changes to that specific site at all; however, we had two different SharePoint sites on this SharePoint server and they were fine.

The issue in the end was that the site had been locked down into read-only mode and we simply had to change this to Not locked.

Resolution

1, Open up Central Admin

2, Go to Application Management

3, Open up ‘Site Collection Quotas and Locks’

4, Change the site collection to the site you're having trouble with.

5, Now change the lock status to Not locked and OK this change; your site should be fully functioning again :)

Daniel Davies


Bulk Mailbox Moves Exchange 2010

February 2nd, 2010 Daniel Davies 2 comments

You may come across a situation where you need to migrate multiple mailboxes in bulk; we've created an Exchange PowerShell script which will move all users into their target mailbox stores.

Instructions

Before we run this PowerShell script we need to create a CSV file with the users' display names and their target Exchange databases. To do this, see below.

1, Open notepad.exe

2, Now write the following text on the first line in Notepad: user,database (without quotation marks)

3, Go to the next line and type a user's name first, then a comma, and finally the desired store.

4, You should end up with a list like the one below containing all the users you want to import:

user,Database
Jovan Davis,Store 3
Daniel Davies,Store 2
Hardeep Bains,Store 1

5, Finally, save the file as a CSV file named “MM.csv” in the directory “C:\MailboxMove”.

6, Now open Notepad again and copy all the text below into it. Save this as a PS1 file and run it via the Exchange Management Shell.
_________________________________________________________________________

# Read each row of the CSV and create one move request per mailbox
$Userstodatabase = Import-Csv C:\MailboxMove\MM.csv
foreach ($Record in $Userstodatabase)
{
    $user = $Record.user            # display name from the 'user' column
    $database = $Record.database    # target store from the 'database' column
    New-MoveRequest -Identity $user -TargetDatabase $database
}

____________________________________________________________________________

This will now move the mailboxes :)

If you want to check the status of the moves, simply copy the script below into a PS1 file and run it from the Exchange shell; it will list the progress of all the mailboxes specified in the CSV.

____________________________________________________________________________

# Look up the move request for every user listed in the CSV
$Userstodatabase = Import-Csv C:\MailboxMove\MM.csv
foreach ($Record in $Userstodatabase)
{
    $user = $Record.user
    Get-MoveRequest -Identity $user
}

___________________________________________________________________________

Hope this helps :)
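Because New-MoveRequest -Identity matches on more than the display name, and a typo in the CSV simply produces no match, it helps to validate the file before moving anything. The following is an added example, not the original post's script: it checks that each row resolves to exactly one mailbox and an existing database, creates the move requests only when run with -Commit, and reports progress with Get-MoveRequestStatistics, which gives a percentage rather than just a status. The CSV path and the 'MM.csv' batch name are assumptions matching the post.

```powershell
# Added example: validate MM.csv before moving anything, then create the move
# requests only when run with -Commit. Run from the Exchange Management Shell.
param(
    [string]$CsvPath = 'C:\MailboxMove\MM.csv',
    [switch]$Commit     # without -Commit the script only validates
)

$plan = foreach ($row in Import-Csv $CsvPath) {
    # Exactly one mailbox must match the display name; zero or several is an error
    $name = $row.user -replace "'", "''"   # escape quotes for the OPATH filter
    $mbx  = @(Get-Mailbox -Filter "DisplayName -eq '$name'" -ErrorAction SilentlyContinue)
    $db   = Get-MailboxDatabase -Identity $row.database -ErrorAction SilentlyContinue
    $problem = $null
    $smtp    = $null
    if ($mbx.Count -eq 0)     { $problem = 'no mailbox matches display name' }
    elseif ($mbx.Count -gt 1) { $problem = "ambiguous: $($mbx.Count) mailboxes match" }
    elseif (-not $db)         { $problem = 'target database not found' }
    elseif ($mbx[0].Database.Name -eq $db.Name) { $problem = 'already on target database' }
    else                      { $smtp = $mbx[0].PrimarySmtpAddress.ToString() }
    [pscustomobject]@{ User = $row.user; Mailbox = $smtp; Database = $row.database; Problem = $problem }
}

$plan | Format-Table -AutoSize
$bad = @($plan | Where-Object { $_.Problem })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) row(s) failed validation; fix the CSV before moving."
    return
}
if (-not $Commit) {
    Write-Output 'Validation passed. Re-run with -Commit to create the move requests.'
    return
}

foreach ($entry in $plan) {
    # Use the unique SMTP address rather than the display name as the identity
    New-MoveRequest -Identity $entry.Mailbox -TargetDatabase $entry.Database -BatchName 'MM.csv'
}

# Progress for this batch only, with percent complete rather than just a status
Get-MoveRequest -BatchName 'MM.csv' | Get-MoveRequestStatistics |
    Select-Object DisplayName, Status, PercentComplete, TargetDatabase | Format-Table -AutoSize
```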

Daniel Davies