(This blog post was originally published under the personal blog of Enrique Saggese at http://blogs.technet.com/b/information_protection and has been archived here at his request.)
One of the biggest issues with having to acquire licenses to consume protected content is that connectivity to the licensing server cannot always be taken for granted.
Yes, today we are rarely far from a network connection, at the office and at home, even in public places, and mobile devices with 3G coverage make it easy to be connected most of the time. But what happens when you really are not connected? What if you are on a plane and don’t feel like paying $10 to read an email you already have in your laptop? What if simply there are no wireless networks around?
Even if you have a wireless connection, sometimes it can take a few seconds to download a license, which really makes the experience of using protected content sub-par.
Fortunately AD RMS provides us with quite a few options that make it possible to use protected content while not connected to any network. Let’s review them.
First off, protecting content in Office does not require a connection. Protection is always performed offline, that is without accessing your AD RMS server. Of course, the first time you use IRM in Office you HAVE to connect to the AD RMS server to initialize the client. Check the excellent post by my friend Alexey Goldbergs on the RMS blog for a description of the Client activation process. But after all that is done, you can protect messages all you want without ever contacting AD RMS. The fact that you have a Client Licensor Certificate enables you to create publishing licenses, and the copy of the Server Licensor Certificate you have allows you to encrypt the content without contacting the server (see my previous post on content protection for a description of this process). Online publishing is technically possible as well, but to my knowledge no applications currently use it.
But what about consuming content? Well, there we have a few options.
Consuming self-protected content
Something that we might dismiss as obvious but might not always be is that you can consume without a connection the content that you protected yourself. This is because when you protect a document, you automatically create a license to consume the content for the author, and this license is always cached. Thus, if you protect a document offline you will be able to open it offline.
Using cached licenses
Second, documents (and when I say documents I also include emails in the term) might allow the option to cache licenses issued for them. In fact, this is enabled by default for ad-hoc protection, do not forward emails and for templates. When this option is enabled for a protected document, once a user has acquired a license to consume it, the license will be useable offline during the period specified by the policy in the document.
As I said, the ability to consume a document with a cached license can be limited when protecting the document. This can be done in different ways:
1) When protecting a document in Word, PowerPoint or Excel with an ad-hoc (custom) policy, you can specify, under Advanced options, the “Require a Connection to verify a user’s permission”, which effectively disables caching of the licenses issued against the document. Unless this option is checked, a license issued to consume the document will be cacheable for up to one year.
2) When protecting with Do Not Forward, there’s a registry value (RequireConnection DWORD, under the Office IRM registry keys) which can be set to 1 to disable caching. This does not disable caching on the machine where it is set, but instead configured Office to disable license caching for all documents protected in that machine, so clients consuming those licenses will have to acquire a license every time they open the content. This setting also has effect on Office documents, effectively pre-setting the checkbox indicated in point 1).
3) When protecting with a template, the template itself can indicate if licenses are cacheable and for how long they will be useable before requiring a new one. This is the most flexible option.
But by default licenses are cacheable, meaning that normally you have to acquire a license only the first time you open a document or email. Or maybe not even then, if you are using Exchange Prelicensing.
And Prelicensing is the other case I want to describe where you don’t need to connect to an AD RMS server to acquire a license to consume a document.
When someone sends a protected email to you and you are a user of Exchange 2010 or 2007 SP1, the message goes through a few services before reaching you. At one point, it will go through an Exchange Hub Transport server. If the Exchange HT server is running one of those versions and is enabled to use IRM (that is, if the server has the RMS client installed and the service is configured to do prelicensing) Exchange will acquire a license on your behalf and embed it into the message before the message is delivered to an Office 2007 or later client. This is a bit more complicated than it sounds since the server needs to know the users RAC in order to be able to acquire a license for the user. So here’s what happens in Exchange 2010 when Exchange decides it needs to prelicense a message:
1) Exchange obtains the users email address as its identifier. This is easy since, well, it is an email platform and one thing it knows is the email of each user.
2) Exchange calls acquireprelicense on the Licensing pipeline in the AD RMS cluster that was used to protect the message, gives it a copy of the Publishing License and requests a license.
3) AD RMS calls the PreCertification service in the cluster that happens to have the RAC for the user in question. It may or may not be the same RMS cluster – for example, in an environment where Exchange is installed in a resource forest, users and Exchange would most likely be in different forests – so this might be a remote call to another forest. In order to find the corresponding cluster it analyze the user object in question, find out the forest where it is hosted (by checking the msDS-SourceObjectDN attribute in AD) and read the Service Connection Point in that forest to get the RMS Certification URL.
4) With the users RAC at hand, the RMS server will issue a license to it (if appropriate) and send it to Exchange, which will embed it in the email and in every attached document that inherited protection from the email (an email and its attachments all share the same Publishing License, so the same Use License will be valid for all of them).
5) When the email is delivered to the user, the user will be able to double click on the email and have it open without having to acquire a license. The same will be true for any attachments that were protected with the email.
So, unless the Publishing License in the email indicated that the licenses are non-cacheable or the license has expired, the user will be able to consume the email without having to use a network connection to acquire a license at that moment.
Keep in mind that this only works for users of Office 2007 and up (and also for Windows Mobile 6.x) connected to an Exchange server running Exchange 2007 SP1 or later (also, keep in mind that the process for prelicensing described above is the one used in Exchange 2010, Exchange 2007 uses a slightly different sequence).
Automatic License Fetching
Users of Office 2003 should not despair though, as that version has a capability called “License Pre-fetching” which is more limited than Prelicensing but still quite useful. Basically, License Pre-fetching occurs after an email has been delivered to a client whenever the client has some spare cycles after a full send/receive cycle. This will acquire licenses for all protected messages that have just been delivered without the user opening the messages, to the messages are ready to consume whenever the users clicks on them. It is different from Prelicensing in that the licenses are requested by the client, so the client has to have connectivity to the RMS client at the time of downloading the messages for this to work.
This capability is enabled by default in Office 2003 and can be disabled via the settings described in this article.
So what all this means is that in most circumstances users trying to consume protected content will be able to do so even if they are not connected to a network. It also means that if you are connected to a slow or expensive network you will not have to wait or pay for the traffic to acquire a license in any of the cases described above.