I have AD RMS 2012 Server, its working fine by applying restricted Templates/Permissions on OWA, Outlook & other MS Office Tools (Word Excel, PowerPoint).
But the AD RMS Templates/Permissions [Option] is not visible at Windows 8 Mobile Device.
Where on Android OS in Samsung Galaxy phone is working fine. I am not able to fix this issue yet.
I request you please help me to resolve this issue ASAP.
We are trying to Apply RMS protection to a File Server that contains non standard Microsoft files such as PDF, TXT etc. I've found an article which talks about using PowerShell and lists the commands in the article below. The article also says that the cmdlets aren't valid for tenants outside North America. We are outside North America and want to be sure that the authentication issues are related to the tenant location.
https://msdn.microsoft.com/en-us/library/azure/mt433195.aspx
"Get-RMSServer : The operation being requested was not performed because the user has not been authenticated. HRESULT:
0x800704DC"
If this is the case, what other workarounds do we have to encrypt files that non standard files on a File Server?
thanks
Glen
Hi, I'm trying to prevent specific accounts from having the ability to logon to any PCs in the domain. What I did in general are:
1) Create an OU named "Users - No Logon" and place the users I don't want to allow logon interactively in this OU.
2) Create a Security Group named "Users - No Logon" and place the users I don't want to allow logon interactively into this Group.
3) Create a GPO named "GPO - Users - No Logon" under the OU "Users - No Logon" and add the Security Group "Users - No Logon" to Windows Settings\Security Settings\Local Policies\User Rights Assignments\Deny logon locally.
Basically the steps matches what are suggested in the following article. However, the accounts added to the Security Group "Users - No Logon" even after multiple log on / log off and reboots.
http://windowsitpro.com/security/service-accounts-can-be-secure-yet-have-non-expiring-passwords
Any ideas what I have done wrong?
Hi all,
All my client can't connect to AD RMS Server (Win 2008 R2 SP1), error like this :
This service is temporarily unavailable. Ensure that you have connectivity to this server. this error could be because you are working offline, your proxy settings are preventing your connection, or you are experiencing intermittent network issues.
From the client I have configure URL to local trust site, can ping the server, can access the url RMS, IE online.
what could probably wrong ?
Hi all,
At the moment I am trying to wade through the mirk to understand what is the correct answer to this simple question:-
"Will Office Web Apps render AD RMS protected documents?" - this is the on-prem' versions of OWA and AD RMS...
Thats it, but the PoC deployment seems to confirm that it doesnt, but the official MS Office stance is that it does but will always display in READ mode with no other options. Yet when we try to open any RMS document there is a popup prompt indicating this to be RMS enabled and to open it in Word. We do understand that it is better in Word, as the security is better in as much as you cannot take screen grabs of this, but you can in the browser, but there are instances when Browser is the only option.
If anyone can shed any light, and if MS moderators read this it would be great top get official feedback too.
Thanks
Phil
I try to install AD RMS or error but later. Help me how to fix them
EROR: Warning: Windows automatic updating is not enabled. To ensure that your newly-installed role or feature is automatically updated, turn on Windows Update in Control Panel.
Active Directory Rights Management Services: Installation succeeded with errors
Error: Attempt to configure Active Directory Rights Management Server failed. The AD RMS installation could not determine the certificate hierarchy. If the AD RMS service connection point (SCP) you need to use is registered in Active Directory
but is not valid, revise it to make it valid, or create a new SCP, and install AD RMS again. at Microsoft.RightsManagementServices.Configuration.LicensingServerSelfEnrollment.DecideCertificateHierarchy()
at Microsoft.RightsManagementServices.Configuration.CertificationServerSelfEnrollment.Enroll(EnrolleeServerInformation enrolleeInformation, EnrolleeRevocationInformation revocationInformation, String certificateDisplayName, String cspName, String
keyContainerName)
at Microsoft.RightsManagementServices.Configuration.ProvisioningBase.Enroll()
at Microsoft.RightsManagementServices.Configuration.ProvisioningBase.Run()
at Microsoft.RightsManagementServices.Configuration.ProvisionerBase.DoProvision()
at Microsoft.RightsManagementServices.Configuration.ProvisionerHelper.Run(OperationType operationType, Object data)
at Microsoft.RightsManagementServices.Configuration.CmdLineHandler.Run()
Remove and re-install AD RMS to attempt provisioning again.
Warning: Before you can administer AD RMS on this server, you must log off and log on again.
The following role services were installed:
Active Directory Rights Management Server
Web Server (IIS): Installation succeeded
The following role services were installed:
The connecting with local AD RMS administration service failed because the value of "AdminLocalConnectionPoint"
under registry key "HKEY_LOCAL_MACHINE\Software\Microsoft\DRMS\2.0" was invalid.
Hi Experts,
We are using domain server 2003
1. When user in system admin OU is logged in to the windows 7 PC then mouse click control is working fine.(File /folders open in double click)
2. But When user in other OU like with network /without network is logged in to the windows 7 PC then mouse click control is abnormal.(File /folders open in single click)
One more condition found:
3.User in Non-System admin OU like with/without network when login first on any windows 7 machine then mouse control is working fine. (File /folders open in double click)
But
When User in Non-System admin OU like with/without network already logged in on his/her own machine from earlier then mouse control is abnormal (File /folders open in single click).
Hemendra
Adding AD RMS to a 2012 Standard server. At the point where it wants a service account. I tried numerous accounts and it would give me the same error on all of them "Invalid credentials were presented. Verify the correctness of the provided password."
I tried more and less complex passwords with no change. If I used a non-existant user name it would throw a different error so I know it's not that.
I was able to get it to take the Domain Administrator account name and password. Obviously I don't want to use that so I set the same password on a service account with no change in error.
Attepted to logon with SA on the server. Logon was successful. Attempted install logged on as service account and got message "The service account cannot be the same account used to install AD RMS. Please specify a different account".
Am I missing something?
There's no place like 127.0.0.1
Im thinking of deploying AD RMS in my domain (Production) just for testing (like a POC) will it affect the domain users generally if i remove (or misconfigure ) it after a while or just the users that i gave permissions to through RMS console
Also i want to know the recommended hardware if i want to deploy it for production in a domain of 2000 users
Thanks
Integrate Corporate AD RMS server with Windows Live ID System:
1. Use Windows Live ID to Establish RACs for Users
http://technet.microsoft.com/en-us/library/cc753056.aspx
2. The TUD for Windows Live ID will expire on 11/25/2015.
My question:
1. Will the TUD for Windows Live ID renew automatically after it expires? Or could i renew it by clicking "Trust Windows Live ID" again?
2. Could i open RMS-protected documents after the TUD for Windows Live ID expires?
--Thanks in advance.
SharePoint 2010 IRM not intigrated with Windows Server 2012 R2 AD RMS.
Error : Permission issue.
The required Windows Rights Management client is present but the server refused access. If you are switching from one RMS server to a different RMS server, be sure you have set up a trust relationship between the two. IRM will not work until the server grants permission
But When try with SharePoint 2013
and Office 2013 it working properly.
Hi All,
I have 4 ADRMS Template in my environment to restrict the documents. I want to view only template 1 on outlook for all the user other template should not be visible. Likewise for MS word other 3 should be visible and Donotforword should be hide. Please find my templates. Is it feasible to achieve it. Shall we set any registry key for this. Please provide suggestion
Templates are
1.DonotForward
2.DonotPrint
3.Readonly
4.Printonly
Regards,
Sridhar
Sridhar
I am setting up AD RMS and encountered this error: AD RMS set up failed to generate an enrollee certificate public key. I use SafeNet Luna SA HSM, FQDN and public root issued SSL cert for web service. This AD RMS is for internal use only.
Your help is much appreciated. Thanks.
Dear all,
i have an isseu with RMS on premise and SP 2010. in our curretn Setup we autheticate our Domain users versusu SP2010 by putting them in to Groups in a different Domain ( where also the SP Server is located ) and the we put These Groups in the relevant SP-Groups. RMS Server is set up in the Domain A where the users are residing, SP is in Domain B. Now i get the well known reply that :
The required Windows Rights Management client is present but the server refused
access. If you are switching from one RMS server to a different RMS server, be
sure you have set up a trust relationship between the two. IRM will not work
until the server grants permission.
I already checked al permissions for the asmx files and did a lot of stuff found on the Internet, but still no luck. Any advise ?
Best
Mischa
Hi guys!
I have created a global security group in Active Directory that would allowed authenticated users to create AD users accounts and edit users' profile. I am not sure I applied the right permissions. Can anyone guide me on how to set up such permission on AD security group?
Many thanks in advance.
Hi all;
If I want to force users to digitally sign their documents (Microsoft Office documents / PDFs / ...) for non-repudiation purposes, which solution I should follow? Does AD RMS help us?
Thanks
Please VOTE as HELPFUL if the post helps you and remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Hi guys,
I have created a script that automates the installation of AD RMS and also configure it as I want.
The problem is that this installation sets Cryptographic Mode to 2, but I need to set it to 1. How can I do this with powershell?
Thanks.
Best regards,
Hugues Silva
I have a user within the organization logging into a domain authenticated machine with an active directory account. They are able to login to the machine without issue while connected to the network, however, periodically throughout their day (every 10 minutes or so) have their account lock.
The user machine is on Windows 7 Enterprise (64-bit), if that matters. I've ensured that all stored credentials on the local machine have been cleared, I've checked SAM for duplicate SIDs, and I've scoured the domain controllers for some clue as to why this is happening. They do not have any manually mapped drives with stored creds, web data, or attached mobile devices. The two events I see on the DC related to this lockout are as follows:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/13/2015 3:59:34 PM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: %domainController.domain.com%
Description:
An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: %domainController%$
Account Domain: %domain%
Logon ID: 0x3E7
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: %username%
Account Domain: %domain%
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC000006A
Process Information:
Caller Process ID: 0x388
Caller Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: CHAP
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /><EventID>4625</EventID><Version>0</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8010000000000000</Keywords><TimeCreated SystemTime="2015-10-13T19:59:34.580228600Z" /><EventRecordID>268619882</EventRecordID><Correlation /><Execution ProcessID="496" ThreadID="9756" /><Channel>Security</Channel><Computer>%domainController.domain.com%</Computer><Security /></System><EventData><Data Name="SubjectUserSid">S-1-5-18</Data><Data Name="SubjectUserName">%domainController%$</Data><Data Name="SubjectDomainName">%domain%</Data><Data Name="SubjectLogonId">0x3e7</Data><Data Name="TargetUserSid">S-1-0-0</Data><Data Name="TargetUserName">%username%</Data><Data Name="TargetDomainName">%domain%</Data><Data Name="Status">0xc000006d</Data><Data Name="FailureReason">%%2313</Data><Data Name="SubStatus">0xc000006a</Data><Data Name="LogonType">3</Data><Data Name="LogonProcessName">CHAP</Data><Data Name="AuthenticationPackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data><Data Name="WorkstationName"></Data><Data Name="TransmittedServices">-</Data><Data Name="LmPackageName">-</Data><Data Name="KeyLength">0</Data><Data Name="ProcessId">0x388</Data><Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data><Data Name="IpAddress">-</Data><Data Name="IpPort">-</Data></EventData></Event>and
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/13/2015 3:59:34 PM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: %domainController.domain.com%
Description:
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: %username%
Source Workstation:
Error Code: 0xC000006A
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /><EventID>4776</EventID><Version>0</Version><Level>0</Level><Task>14336</Task><Opcode>0</Opcode><Keywords>0x8010000000000000</Keywords><TimeCreated SystemTime="2015-10-13T19:59:34.580228600Z" /><EventRecordID>268619881</EventRecordID><Correlation /><Execution ProcessID="496" ThreadID="9756" /><Channel>Security</Channel><Computer>%domainController.domain.com%</Computer><Security /></System><EventData><Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data><Data Name="TargetUserName">%username%</Data><Data Name="Workstation"></Data><Data Name="Status">0xc000006a</Data></EventData></Event>
Is there something I am not seeing? I'm at a loss at this point so any expert opinions are welcome. Thank you.Hi,
I have integrated Exchange on-premises 2013 with Azure RMS. I am able to get the templates in OWA and send protected emails but the recipient is unable to view the mail. This is the error message we are getting ' There was a problem opening this rights protected message. Code:- 2147168488'
Please help.