Download the RMS Toolkit from this location:
This contains an invaluable tool called IRMCheck, that you can run on the clients, that will give you an excellent rundown of where a problem may lie with a client that cannot read RMS protected content.
When trying to use Windows Rights Management Services (RMS) and Office Information Rights Management (IRM), the request might fail. Some typical errors that you may receive in Office 2003 may be:
“This service is temporarily unavailable. Microsoft Internet Explorer may be set to Work Offline. In Internet Explorer, verify that Work Offline on the File menu is not selected, and then try again.”
“Cannot use this feature without credentials.”
Lets discuss some of the important pieces that IRMCheck returns.
Office System: You should be using at least Office 2003 SP1. Office 2003 Standard Edition can read content, but cannot publish, so if you are planning on rolling out an Office deployment, make sure that you give the users that need to be able to create RMS protected content Office 2003 Professional Edition.
Operating System: If you get an error here, it usually will say that there is no signature for one of the system files. This usually indicates that you have a corrupted signature catalog (Catroot2). If you see an error here, you can run sigverif to verify that there is a problem. On a Windows 2000 machine there is a utility that you can call into support for called catfix that will fix this problem. On Windows XP, you can stop your Cryptographic service, rename the Catroot2 folder, and restart the service. This should rebuild your signature catalog.
Essentially RMS is a security application, which means that in order for it to protect itself it has a manifest of all of the files that it should be working and playing with, as well as, one it should specifically NOT be using. If one of the files that it is supposed to be working with is not signed, then we cannot trust that file, and RMS will refuse to play until it gets fixed. 🙂
RM Client: This will tell you the version of the client. If you have version 1, I recommend that you move to SP1 or SP2, preferably the SP2. Trust me, if you have the original version, UPDATE NOW. 🙂
Kernel Debugger: I’ve never actually seen this one show anything, although I suppose if I launched WinDBG it would probably show me there was a debugger running. Obviously because we are going into a users lockbox running with a debugger attached is not allowed. If you are writing your own application you will need the ability to debug. You can get around this by proxying the lockbox as described here:
Registry Overrides: For advanced setups it may be required to override the default RMS behavior with registry overrides. For instance, if you have several forests that have two way trusts, you would need to put a certification server in each forest, however you could keep a licensing server in one forest. You would need to tell each client where the licensing server is, which can be done through a registry key which I will cover later. If there is an warning here, but you know the reason why you are overriding registry settings, then this is not a problem.
Service URLs: This basically tells you if your service connection point for RMS is in the Intranet Zone, or Trusted Sites. It is improtant that your RMS cluster URL (i.e. rms.contoso.com), that you created when you provisioned RMS is listed in your intranet or trusted sites, so that credentials can be passed for validation. Otherwise, it will think that this is an internet site, and will either prompt for credentials, or fail. If you are prompted for credentials, and you enter your credentials, you will be issued a TRAC (Temporary Rights Account Certificate), that is good for 15 minutes (or whatever you specify in the database). You can have an extranet cluster URL that is fine for your users that may be on the internet, but that is a different topic, that I will attempt to cover later. Just know that if you are only using RMS for intranet users, then you should clear up this warning, by adding the rms cluster URL to your list of trusted sites, or intranet sites.
IRM Manifests: I’ve never seen an issue here, but remember when I told you about manifests a few paragraphs back? Well if you have something that is unsigned with an Office application, you may want to scan your machine for malware and see whats up. Everything should be signed.
Machine activation: I have rarely seen this one fail, but it does happen if your system dlls aren’t signed. The machine activation happens on the machine locally, so the RMS services aren’t really even involved. If your system DLLs are signed, and you keep having problems with this one, upgrade to SP2 client.
User Certificates: If this one is failing, then the problem could be anywhere from no access to the RMS server, to a problem with the SQL connection to RMS, to an Anti-virus getting a little to nosy on your system. The best thing to do is make sure that you can hit the important 4 URLs from the clients web browser, without any errors, pop-ups, certificate issues, and that they are listed at the bottom right of the browser as being either trusted or intranet zoned.
If you are having problems getting to them, then that will need to be fixed depending on the pop-up, or error received. I can cover specifics in a later blog.
System clock: This essentially checks the clock to see if its been rolled back. You need to make sure that your clock is in synch for many reasons, like Kerberos, and the amount of time that certificates are issued for.
Pending Reboot: I’ve never seen an issue with this, but if there is a reboot pending, your having problems, and everything else is in the green, make sure you reboot. 😉
Product SKU: Never seen a problem with this.
Network Connectivity: I have seen recently a few problems popping up with laptops on wireless, where it says there is no network connectivity. Obviously if there is no network connectivity you can’t authenticate against the RMS server. I think we are still looking into this.
Domain Membership: This will tell us if you are connected to a domain. If you aren’t then the automatic service discovery calls that are made to find the service connection point in the AD will fail. In this case you will need to override RMS with some registry settings.
Temporary Directory: Never seen this cause a problem, however make sure that one exists.
Incompatible Applications: Make sure that you are on RMS SP1. Earlier versions of RMS didn’t support things like Virtual Machines, and several imposing anti-viruses. If you have an incompatible AV on your system, that puts itself into APPInit mode (essentially hooking our calls), RMS may fail because it thinks that there is a malicious program trying to steal info from your lockbox. You may want to take the offending program off of the system if it is listed here, to see if the problem goes away.
User E-mail in AD: I don’t know how many times people have called me, and the whole problem was that their users didn’t have the mail attribute filled out on their AD object. Yes. It is a requirement for any user who wants to use RMS, that they have their mail attribute filled out in the AD. Even if they don’t have a mailbox, they still need this attribute filled out, as this is what is used to check that the user matches the person listed in the publishing license.
To be continued…..