
Information Rights Management Client Diagnostics Handbook

Legacy Platform Release

Office 365 Dedicated & ITAR-Support Plans

© 2015 Microsoft Corporation. All rights reserved.

Page 1 of 28

Information Rights Management Client Diagnostics Handbook (Legacy Platform Release)

Applies to: Office 365 Dedicated – Legacy Platform Releases

Topic Last Modified: 2015-07-07

The Information Rights Management (IRM) feature provided in Office 365 Dedicated and ITAR-support plans utilizes Active Directory Rights Management Services (AD RMS) to protect content (such as an email message or document) and to manage specific use restrictions for the content. The principal components of an AD RMS environment include an AD RMS server infrastructure within a customer environment and the Office 365 cloud environment, as well as IRM-supported applications on client systems and devices.

The IRM Client Diagnostics Handbook provides general guidance to customers regarding self-service support techniques for typical AD RMS client issues, and describes how the Office 365 Rights Management diagnostics package may be able to provide additional diagnostic information and recommended steps to resolve client issues. The Office 365 Rights Management diagnostics package includes a Microsoft script that can be used to diagnose and repair AD RMS issues on a client PC. The script is also used to collect information about the machine that’s useful for your internal service desk and for support escalations.

The handbook is a companion to the IRM Feature Guide (Legacy Platform Release) available via the IRM landing page in the Customer Extranet site. The feature guide includes a complete description of IRM support responsibilities for an Office 365 customer and Microsoft.


Important:

For the Office 365 dedicated and ITAR-support offerings, the Office 365 support team will only address resolving AD RMS infrastructure issues within the Microsoft managed Office 365 environment. The customer is responsible for the support of the AD RMS components within their environment including all client systems and devices. If your organization has a separate support agreement with Microsoft for on-premises software products, assistance with resolving AD RMS server and client issues may be available through this alternative Microsoft support channel.

Important:

The Office 365 support team provides the Office 365 Rights Management diagnostics package to Office 365 customers for use without warranty, expressed or implied. The tool is used to diagnose client issues within an AD RMS environment managed entirely by a customer. The diagnostics package contains a batch file (.bat) script, O365RMdiag.bat, which invokes binary executable files (.exe) to establish, repair, or remove an AD RMS configuration on a client PC system. Additional information describing each function of the tool is provided in the sections that follow.

Downloading the Office 365 Rights Management Diagnostics Package

You use the O365RMdiag.bat script to diagnose and repair AD RMS issues on a client PC and to collect information about the machine that’s useful for your internal helpdesk and for support escalations.

1. Download the Office 365 Rights Management diagnostics package (O365RMdiag.zip) from the Customer Extranet site. (See your Microsoft Service Delivery Manager for information about how to access the site.)


2. Extract O365RMdiag.zip to the directory C:\temp\rms. The screen shot shows the included files and folders.

Running the O365RMdiag Batch File

On the client machine that is having AD RMS issues, you run the three phases of the diagnostic script from the command prompt: setup, repair, and cleanup.

1. On the client machine, open an Administrator command prompt.

2. Run O365RMdiag.bat setup as shown in the following screen shot.

When you run the diagnostic tool using the Setup option, Setup performs the following tasks:

• Terminates any instances of dbgview.exe currently running
• Runs IRMCheck.exe and saves the output as CurrentDRMStateIrmCheckOutput.htm
• Runs dbgview.exe and saves the output as ReproWithCurrentDRMState.log
• Enables the Trace registry key for IRM


The following is an example output from a Windows 7 client.

As directed in the command output, now try to reproduce the AD RMS issue by attempting to open the protected content on the machine. When you have finished, continue to the next step.

3. Run O365RMdiag repair from the Administrator command prompt.

When you run the diagnostic tool using the Repair option, the tool performs the following tasks:

• Kills any running instances of dbgview.exe
• Makes a backup of the DRM directory and saves it as DRM.old
• Renames the DRM directory to a random directory name so that it forces the bootstrap process to start over
• Deletes all EUL files from the DRM backup directory


• Runs dbgview.exe and saves the output as ReproWithCleanDRMState.log
• Sets multiple registry values

The following is an example output from a Windows 7 client.

As directed in the command output, re-attempt to open protected content to collect debug information. This allows the tool to collect any error messages.

4. Finally, run O365RMdiag cleanup from the Administrator command prompt to terminate the debug process and to capture the revised IRM configuration.

When you run the diagnostic tool using the Cleanup option, the tool performs the following tasks:

• Removes any running instances of dbgview.exe
• Runs IRMCheck.exe and saves the output under the filename CleanDRMStateIrmCheckOutput.htm
• Makes a backup of the DRM directory and saves it as DRM.New
• Deletes all EUL files from the DRM backup directory


The following is an example output from a Windows 7 client.

5. You can review the exported data in C:\temp\rms\RmLog, or you can include it in a zip file and send it to your escalation support team if requested.


Working with Exported Data

The following procedures assume that Office 365 Rights Management diagnostics have run on the client machine.

Identify the Licensing Cluster Used to Protect Content

The following procedure lets you determine which licensing cluster was used to protect the content. It uses the DBGView.exe tool to view logged debug data created while using O365RMdiag. Depending on the file type, there may be other ways to view this information, but this procedure is the most consistent process across all file types that support AD RMS.

1. From the directory where the O365RMdiag files were saved, open \tools\Dbgview.exe.

2. From within the DebugView console, click File, then Open.


3. In the Open DebugView Log File dialog, browse to the O365RMdiag directory. Navigate to \RmLog\ReproWithCleanDRMState.log, select it, and click Open.


4. Once the log file loads, click Edit, then Find.

5. In the Find dialog box, search for _wmcs/licensing and click Find Next.

This last step will provide the URL for the licensing server. Continue to search the log to make sure that any references to the licensing server all point to the same path. If there are multiple paths, then it is possible that multiple IRM protected files were accessed during the debug logging task when using O365RMdiag.
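The search in steps 4 and 5, and the follow-up check that every reference points to the same path, as an added PowerShell example (not part of the O365RMdiag package or the handbook). It assumes the C:\temp\rms extraction directory used earlier; the sample lines are constructed and only illustrate the URL shape, and the function name Get-LicensingReference is hypothetical.

```powershell
# Added example, not part of the O365RMdiag package.
# Assumption: the package was extracted to C:\temp\rms as in the handbook.
$LogPath = 'C:\temp\rms\RmLog\ReproWithCleanDRMState.log'

# Constructed sample lines, used only when $LogPath does not exist.
# They are NOT real MSDRM trace output; only the URL shape matters here.
$SampleLines = @(
    '00000101  2.114  [3120] constructed: POST https://rms.999.d.office365.com/_wmcs/licensing/license.asmx'
    '00000102  2.115  [3120] constructed: line without a URL'
    ''
    '00000188  9.870  [3120] constructed: POST https://RMS.999.d.office365.com/_wmcs/Licensing/License.asmx'
    '00000251 14.002  [3120] constructed: POST https://rms.contoso.com/_wmcs/licensing/license.asmx'
)

function Get-LicensingReference {
    param([string[]]$Line)

    # http(s)://<host[:port]>/_wmcs/licensing[/<rest>], matched case-insensitively.
    $pattern = '(?i)https?://[^\s/"''<>]+/_wmcs/licensing(?:/[^\s"''<>]*)?'
    $n = 0
    foreach ($text in $Line) {
        $n++
        foreach ($m in [regex]::Matches($text, $pattern)) {
            # Skip anything that does not parse as an absolute URL.
            $uri = $null
            if (-not [uri]::TryCreate($m.Value, [System.UriKind]::Absolute, [ref]$uri)) { continue }
            [pscustomobject]@{
                LineNumber = $n
                # Scheme plus host[:port] identifies the licensing cluster.
                Cluster    = ('{0}://{1}' -f $uri.Scheme, $uri.Authority).ToLowerInvariant()
                Url        = $m.Value
            }
        }
    }
}

if (Test-Path -LiteralPath $LogPath) {
    $lines = Get-Content -LiteralPath $LogPath
} else {
    Write-Warning "$LogPath not found; using the constructed sample lines."
    $lines = $SampleLines
}

$refs     = @(Get-LicensingReference -Line $lines)
$clusters = @($refs | Group-Object -Property Cluster)

# One row per distinct cluster, with the first log line that mentions it.
$clusters | ForEach-Object {
    [pscustomobject]@{
        Cluster    = $_.Name
        References = $_.Count
        FirstLine  = ($_.Group | Select-Object -First 1).LineNumber
    }
} | Format-Table -AutoSize

if ($clusters.Count -eq 0) {
    Write-Warning 'No _wmcs/licensing reference found in the log.'
} elseif ($clusters.Count -gt 1) {
    Write-Warning 'More than one licensing path is referenced; multiple IRM protected files may have been accessed during the capture.'
}
```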


Reading the CleanDRMStateIrmCheckOutput.htm File

CleanDRMStateIrmCheckOutput.htm contains the report data generated by O365rmdiag.bat. This report can be useful in troubleshooting issues related to client configuration, registry settings, and certificate validity.

The following example is from a client computer that is using the customer on-premises AD RMS cluster for Certification and is using overrides to use the Office 365 AD RMS cluster for Licensing.

IRM Configuration Test

Here is an example of the configuration test report data generated by O365rmdiag.bat.


Environment

Here is an example of the configuration test report data generated by O365rmdiag.bat.


The following table provides descriptions of the environment checks.

Check Type | Description

1. Office System | You should be using at least Office 2003 SP1. Office 2003 Standard Edition can read content, but cannot publish. All newer versions of Office support AD RMS.

2. Operating system | If you get an error here, it usually will say that there is no signature for one of the system files. This usually indicates that you have a corrupted signature catalog (Catroot2). If you see an error here, you can run sigverif to verify that there is a problem. Essentially, AD RMS is a security application, which means that in order to protect itself it has a manifest of all of the files that it should be working with, as well as those it should specifically NOT be using. If one of the files that it is supposed to be working with is not signed, then that file cannot be trusted, and AD RMS will refuse to run until it is fixed.

3. RM client | This will tell you the version of the client. If you have version RMS v1 with Windows XP or Windows 2003, upgrade to RMS SP2.

4. Kernel Debugger | Informational only.

5. Registry overrides | For advanced setups it may be required to override the default AD RMS behavior with registry overrides. For instance, if you have several forests that have two-way trusts, you would need to put a certification server in each forest; however, you could keep a licensing server in one forest. You would need to tell each client where the licensing server is, which can be done through a registry key. If there is a warning here, but you know the reason why you are overriding registry settings, then this is not a problem. For Office 365, you could point all of your clients to use the Office 365 AD RMS Licensing URL so that all licensing is consolidated into a single location. This will eliminate complexities with support.


6. Service URLs | This tells you if your service connection point for AD RMS is in the Local Intranet Zone. It is important that the AD RMS cluster FQDN that you created when you provisioned AD RMS (i.e. rms.contoso.com) is listed in your Local Intranet Zone so that credentials can be passed for validation. The Office 365 AD RMS cluster FQDN should be listed as well. Otherwise, the cluster is treated as an Internet site, and the client will either prompt for credentials or fail. If you are prompted for credentials, and you enter your credentials, you will be issued a TRAC (Temporary Rights Account Certificate) that is good for 15 minutes. More information about where to set the RAC and TRAC validity periods can be found here: http://technet.microsoft.com/en-us/library/cc732630.aspx.

7. IRM manifests | This is extremely rare. If you have something that is unsigned with an Office application, you may want to scan your machine for malware. Everything should be signed.

8. Machine activation | This is a rare problem, but it does happen if your system DLLs are not signed. The machine activation happens on the machine locally, so the AD RMS services aren't really even involved.

9. User certificates | If this one is failing, then the problem could be anywhere from no access to the AD RMS server, to a problem with the SQL connection to AD RMS, to anti-virus software being overly aggressive. The best thing to do is make sure that you can connect to the four important URLs from the client’s web browser without any errors, pop-ups, or certificate issues, and that they are listed at the bottom right of the browser as being in the Local Intranet zone. The URLs are: http://rms.cluster.url/_wmcs/Certification/Activation.asmx, http://rms.cluster.url/_wmcs/Certification/Certification.asmx, http://rms.cluster.url/_wmcs/Licensing/License.asmx, and http://rms.cluster.url/_wmcs/Licensing/Publish.asmx. If you are having problems getting to them, then that will need to be fixed depending on the pop-up or error received.

10. System clock | This essentially checks the clock to see if it has been rolled back. You need to make sure that your clock is in sync for many reasons, like Kerberos, and the amount of time that certificates are issued for.


11. Pending Reboot | Reboot the computer if this lists a pending reboot.

12. Product SKU | Informational only.

13. Network Connectivity | If there is no network connectivity, you can't authenticate against the AD RMS server.

14. Domain Membership | This will tell you if you are connected to a domain. If you aren't, then the automatic service discovery calls that are made to find the service connection point in AD DS will fail. In this case you will need to override AD RMS with some registry settings.

15. Temporary Directory | Verify this directory exists.

16. Incompatible applications | Make sure that you are using AD RMS SP1 or later. Earlier versions of AD RMS didn't support features like Virtual Machines. If you have incompatible AV software on your system that puts itself into APPInit mode (essentially hooking the calls to AD RMS), AD RMS may fail because it thinks that there is a malicious program trying to steal information from the computer’s lockbox.

17. User Email in AD | A requirement to use AD RMS is that the user account must have the mail attribute populated. Even if the user doesn't have a mailbox, the account still needs this attribute populated, as this is what is used to check that the user matches the person listed in the publishing license.


Certificates

Here is an example of the certificate report data generated by O365rmdiag.bat.

The following table provides descriptions of the certificate types.

Certificate Type | Description

GIC (Group Identity Certificate) | This is more commonly known as a Rights Account Certificate (RAC). This is the user certificate that is used for authentication. You can use the IRMCheck GIC information to view when the certificate was issued and when it expires. You can also usually determine if it is a permanent or temporary RAC based on these dates. You should check to see if the server that issued the RAC matches the Enterprise Service Discovery Results information. If it does not, it could mean that AD RMS was re-installed, or someone modified the SCP.


CLC (Client Licensor Certificate) | This is the publishing certificate which is required to do offline publishing (i.e., the ability to create AD RMS content, not just read it). Like the GIC, you should check to see if the server that issued the CLC matches the Enterprise Service Discovery Results information. If it does not, this could cause some problems with Office. In addition, below the “Issued By” URL, the CLC also lists the licensing URLs that will be published in every document the user creates. If there are 2 URLs, it means that you have set the Extranet URL on the AD RMS server (the URL users with access on the Internet will connect to). If AD RMS is failing in an Extranet scenario, you should check the CLC for the Extranet URL. If the CLC does not have the extranet URL, then the content the users publish will not have the extranet URL in the Publishing License (built into the file usually) and the Extranet user won't be able to connect to your internet facing AD RMS server.

Machine (Machine Certificate) | This is the public key certificate to the private key for the machine. The machine key used to be global to the entire machine with V1 (another major reason to upgrade), but in SP1, each user has their own virtual machine key. When the AD RMS server issues certificates, they are tied to a particular machine key. The machine certificate information in IRMCheck is usually not useful except to identify when a client is configured to the pre-production (development) hierarchy.


Registry Information

Here is an example of the registry information report data generated by O365rmdiag.bat.

This section of the report is for Microsoft internal support only.


Enterprise Service Discovery

Here is an example of the enterprise service discovery report data generated by O365rmdiag.bat.

This section of the report is for Microsoft internal support only.


Gathering Data Without Using Diagnostics Script

The following diagnostics process can be used instead of the O365RMDiag script. The process still requires that the O365RMDiag files are available on the client workstation.

Note:

The DRM directory path in these examples must be changed for Windows XP clients. The path for Windows XP is %appdata%\Microsoft\DRM.

Setup Option

1. Save the O365RMDiag files to a directory. As an example, the following commands assume this is c:\temp\.

2. Terminate any running instances of dbgview.exe.

    c:\temp\tools\kill.exe dbgview.exe

3. Run IRMCheck.exe and save the output as CurrentDRMStateIrmCheckOutput.htm.

    c:\temp\tools\irmcheck.exe quiet extended -o c:\temp\RmLog\CurrentDRMStateIrmCheckOutput.htm

4. Enable the Trace registry key for IRM.

    REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MSDRM /v Trace /t REG_DWORD /d 00000001 /f
    REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDRM /v Trace /t REG_DWORD /d 00000001 /f

5. Run dbgview.exe and save the output as ReproWithCurrentDRMState.log.

    start c:\temp\tools\dbgview.exe /t /l c:\temp\RmLog\ReproWithCurrentDRMState.log

6. Reproduce the problem. Ensure that the same error occurs so that DebugView will capture it.


Repair Option

1. Terminate any running instances of dbgview.exe.

    c:\temp\tools\kill.exe dbgview.exe

2. Make a backup of the DRM directory and save it as DRM.Old.

    md c:\temp\RmLog\DRM.Old
    copy /y %localappdata%\Microsoft\DRM c:\temp\RmLog\DRM.Old

3. Rename the DRM directory to a random directory name.

    ren %localappdata%\Microsoft\DRM DRM_Backup_%RANDOM%

4. Delete all EUL files from the DRM backup directory.

    del /f /q c:\temp\RmLog\DRM.Old\EUL*

5. Add the AD RMS Certification and Licensing URLs to IE Trusted sites.

    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\rms.001.d.o365.com" /v https /t REG_DWORD /d 1 /f

6. Run DebugView and save the output as ReproWithCleanDRMState.log.

    start c:\temp\tools\dbgview.exe /t /l c:\temp\RmLog\ReproWithCleanDRMState.log

7. Reproduce the problem. Ensure that the same error occurs so that DebugView will capture it.

Cleanup Option

1. Terminate any running instances of dbgview.exe.

    c:\temp\tools\kill.exe dbgview.exe

2. Run IRMCheck.exe and save the output as CleanDRMStateIrmCheckOutput.htm.

    c:\temp\tools\irmcheck.exe quiet extended -o c:\temp\RmLog\CleanDRMStateIrmCheckOutput.htm

3. Make a backup of the DRM directory and save it as DRM.New.

    md c:\temp\RmLog\DRM.New
    copy /y %localappdata%\Microsoft\DRM c:\temp\RmLog\DRM.New

4. Delete all EUL files from the DRM backup directory.

    del /f /q c:\temp\RmLog\DRM.New\EUL*

5. Zip the c:\temp\RmLog directory and send it to the technical escalation team.


Troubleshooting IRM Error Messages

The reference tables in the Working with Exported Data section provide you with a starting place for troubleshooting IRM client error messages, but they may not resolve the issue that you are experiencing.

The following information about error messages can provide additional help in troubleshooting client errors. The information is based on the experience the Microsoft AD RMS team has gained with the internal AD RMS deployment at Microsoft and various external deployments that the AD RMS team has assisted with.

Error Message: This service is temporarily unavailable

This service is temporarily unavailable. Microsoft Internet Explorer may be set to work offline. In Internet Explorer, verify that work offline on the File menu is not selected, and then try again.

Probable Cause

The AD RMS server failed to respond to a licensing request.

Troubleshooting

1. Verify that the client computer has network connectivity.

2. Run Office 365 Rights Management diagnostics.

a) Open cleandrmstateIRMcheckoutput.htm.

b) Under the heading “The Enterprise Service Discovery results”, search for RM Certification Service.

c) Copy the URL and paste it into the browser’s address bar, and then append /certification.asmx.

d) For example: https://rmscert.contoso.com/_wmcs/certification/certification.asmx

e) Within the .htm file, search for RM Client Enrollment Service, copy the URL, paste it into the browser’s address bar, and append /license.asmx.

f) For example: https://rms.999.d.office365.com/_wmcs/licensing/license.asmx


g) Confirm that the licensing server URL (i.e. rms.999.d.office365.com) is listed in your Local Intranet Zone so that credentials can be passed for validation. Network connectivity to the licensing server is required.

h) For the above URL checks, other basic troubleshooting steps may be needed, such as ensuring that the client can route to the destination servers, that no firewalls are blocking connectivity, and that the destination server has a valid certificate and the CRL is reachable by the client.

3. Escalate to Microsoft support to determine if this is an on-premises issue or an Office 365 service issue.
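The URL checks in steps 2c through 2h, extended to the four service URLs listed under the User certificates check, as an added Windows PowerShell 5.1 example (not part of the O365RMdiag package or the handbook). The two base URLs are the handbook's example host names used as placeholders, and the function name Test-RmsEndpoint is hypothetical.

```powershell
# Added example for Windows PowerShell 5.1; not part of the O365RMdiag package.
# Placeholders: replace both values with the URLs copied from the IRMCheck report.
$CertificationBase = 'https://rmscert.contoso.com/_wmcs/certification'   # "RM Certification Service"
$LicensingBase     = 'https://rms.999.d.office365.com/_wmcs/licensing'   # "RM Client Enrollment Service"

# Allow TLS 1.2 in addition to the session defaults (needs .NET Framework 4.5 or later).
[Net.ServicePointManager]::SecurityProtocol =
    [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

function Test-RmsEndpoint {
    param([string]$Url)

    $result = [ordered]@{
        Url = $Url; Zone = $null; HttpStatus = $null
        CertSubject = $null; CertNotAfter = $null; ChainStatus = $null; Error = $null
    }

    # Security zone the URL maps to for the current user (the handbook expects Intranet).
    $result.Zone = [System.Security.Policy.Zone]::CreateFromUrl($Url).SecurityZone

    try {
        # Send the logged-on user's credentials, as happens for Local Intranet sites.
        $resp = Invoke-WebRequest -Uri $Url -UseDefaultCredentials -UseBasicParsing -TimeoutSec 20
        $result.HttpStatus = [int]$resp.StatusCode
    } catch {
        # Routing, firewall, name resolution, TLS and HTTP errors all land here.
        $result.Error = $_.Exception.Message
        $webResp = $_.Exception.Response
        if ($webResp) { $result.HttpStatus = [int]$webResp.StatusCode }
    }

    # Certificate received on the connection, if a TLS handshake took place.
    $sp = [System.Net.ServicePointManager]::FindServicePoint([uri]$Url)
    if ($sp.Certificate) {
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $sp.Certificate
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'       # requires the CRL to be reachable
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'
        $valid = $chain.Build($cert)
        $result.CertSubject  = $cert.Subject
        $result.CertNotAfter = $cert.NotAfter
        $result.ChainStatus  = if ($valid) { 'OK' } else {
            ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
    }

    [pscustomobject]$result
}

# The four service URLs named in the handbook, built from the two base URLs.
$cert = $CertificationBase.TrimEnd('/')
$lic  = $LicensingBase.TrimEnd('/')
$endpoints = @(
    "$cert/Activation.asmx"
    "$cert/Certification.asmx"
    "$lic/License.asmx"
    "$lic/Publish.asmx"
)

$report = @($endpoints | ForEach-Object { Test-RmsEndpoint -Url $_ })
$report | Format-List

$report | Where-Object { $_.Zone -ne 'Intranet' } | ForEach-Object {
    Write-Warning "$($_.Url) maps to the $($_.Zone) zone, not Local Intranet; credentials may not be passed."
}
$report | Where-Object { $_.ChainStatus -and $_.ChainStatus -ne 'OK' } | ForEach-Object {
    Write-Warning "$($_.Url) certificate chain: $($_.ChainStatus)"
}
```

Run it as the affected user on the client, because both the zone mapping and the default credentials are per user.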

Error: A problem occurred while contacting the restricted permission service

A problem occurred while contacting the restricted permission service. Please try again later or contact your administrator for more details.

Probable Cause

The AD RMS server returned an error. This issue can occur when client activation is attempted through the RMS server’s activation proxy, but the AD RMS server does not have an Internet connection. It has also been encountered when the client computer submits an expired RAC to the server.

Troubleshooting

1. Run Office 365 Rights Management diagnostics.

2. Review output and follow the support escalation process if needed.


Error: Cannot use this feature without credentials

Cannot use this feature without credentials.

Probable Cause

The AD RMS client was not able to acquire a RAC for the user. This occurs when the user does not have a RAC and the Information Rights Management (IRM) feature is configured to use silent certification. Silent certification does not query the user for permission to request a RAC, but does so behind the scenes using the credentials of the logged-in user.

This issue has been seen when the user’s account in Active Directory does not have an email attribute value or when the user abruptly cancels the request during the silent certification process.

Troubleshooting

1. Check the Active Directory Domain Services (AD DS) account of the client for an email address, system lockouts, and other settings that may prevent the user’s credential from being validated.

2. For Office 365 Exchange Online users, the following mail attributes need to match between Office 365 AD DS and client AD DS: mail and proxyAddresses.

3. The client must be able to log in to the Office 365 environment successfully.


Error: Cannot verify user information at this time

Cannot verify user information at this time. Contact your administrator if this problem continues.

Probable Cause

The AD RMS server returned an error during user certification.

Troubleshooting

1. Run Office 365 Rights Management diagnostics.

2. If you are unable to open content, open RMlog\CleanDRMStateIRMcheckOutput.htm and look for any errors or warnings.


Error: You do not have permission to use this service

You do not have permission to use this service.

Probable Cause

The certification request from the client was denied by the AD RMS server.

Troubleshooting

1. Run Office 365 Rights Management diagnostics.

2. If you are unable to open content, review CleanDRMStateIrmCheckOutput.htm on the client computer and look for any errors or warnings.


Error: Your permission has expired

You do not have permission to open this document because your permission has expired.

Probable Cause

The rights assigned to your account by the document author have expired.

Troubleshooting

Request a copy of the document with updated permissions that allow you to open the document.

Error: You do not have credentials that allow you to open this file

You do not have credentials that allow you to open this file. You can request updated permission from [email protected]. Do you want to request updated permission?

Probable Cause

None of the RACs in your user profile match the accounts specified in the Publishing License for the content.

This can occur if the account membership for a user has changed but the RAC has not been updated.

More commonly, the user was not included in the permissions list by the author of the document.

Troubleshooting

1. If the user was recently added to an AD DS distribution group, allow two hours to pass so that the AD DS cache of AD RMS can refresh, and then request that the user try to re-access the content.

2. Request an updated version of the document from the author. The author must add the user to the list of people with rights to the content and republish the document.

3. Run Office 365 Rights Management diagnostics.


Error: An unexpected error has occurred while trying to restrict permission

An unexpected error has occurred while trying to restrict permission to your document. Contact your administrator for assistance.

Probable Cause

The client licensor certificate may be missing, corrupt, or otherwise invalidated.

Troubleshooting

1. Run Office 365 Rights Management diagnostics.

2. Try to create AD RMS-protected content. This will cause the client to repeat the request for a new client licensor certificate for the user.


Outlook Specific Error Messages

Error: Outlook was not able to create a message with restricted permission.

Probable Cause

The client licensor certificate might be missing, corrupt, or otherwise invalid.

Next Steps

1. Confirm that the client can reach the Licensing/Licensing.asmx web service for the AD RMS server.

2. Run Office 365 Rights Management diagnostics.

3. Review CleanDRMStateIrmCheckOutput.htm on the client computer to confirm the validity of the client licensor certificate.

Error: Your Information Rights Management Configuration for the user account is invalid.

Your Information Rights Management Configuration for the user account [email protected] is invalid. The service must verify your credentials again before you continue. If prompted, enter the username and password for [email protected].

Probable Cause

The rights account certificate (RAC) or client licensor certificate is invalid. This can occur when the computer has been reactivated but the previous RAC was not deleted or replaced.

Next Steps

Run Office 365 Rights Management diagnostics.