One mystery solved...11 million to go. Beware your GicTempValidity Time.

So behind the scenes of my normal workday a partner of ours had challenged me to find an answer to a problem I had posted earlier in the blog.  Together we worked on the problem, and resolved it CSI Miami style.

<<Enter 'Won't Get Fooled Again' by The Who, Theme Music Here>>

In a few of my blog posts I've mentioned the following registry key:

DisableCertificateValidation
Location: HKCU\Software\Microsoft\Office\12.0\Common\DRM
DWORD: DisableCertificateValidation
Value:
0 - Off
1 - On
Exists in Office 11: Yes
Exists in Office 12: Yes
Can Be Set by GPO in Office 11: No
Can Be Set by GPO in Office 12: No

This was one of the many mysteries of RMS that haunted my dreams at night. My initial guess was that it stopped the SSL certificate check to keep RMS from breaking. Man, I was way off.

What it actually does is turn off certain checks that validate parts of your GIC. Without going too in-depth about the reason for doing this: it was designed to fix some 'silent authentication walk-through' issues, BUT it also fixes/works around an issue that our partner was seeing.

For some reason Office was immediately invalidating any temporary GIC issued by the RMS server. Setting the registry key allowed the GIC to be seen as valid, and allowed Office to proceed as usual in obtaining a CLC and EUL (as needed).

Well, it turns out after many days of scouring through the code, and getting a few eyes to look at the IRMCheck data, one of our devs noticed that the temporary GIC (or TRAC) that was being issued was good for 2.5 months. Ah, this was the blood-stained shoe we were looking for. Strange, I always thought there was a 30 day maximum for temporary GICs. Well, for Office, there is. If the GIC is older than 30 days, Office will see the GIC as a 'permanent' GIC, and try to cross-check the process SID with the SID located in the GIC. This of course will fail, because you aren't actually signed onto the domain. If the GIC SID doesn't match the process SID, Office will give you two thumbs down, and try to go get a new GIC. Of course you will end up in a cycle, because the TRAC being issued is always past 30 days.

So what is the solution? Well there are two.

1.) Set the registry key mentioned above if you want your TRACs to be able to be older than 30 days.
2.) Go into the DRMS_ClusterPolicies table in your configuration database, and set the GicTempValidity to no more than 43200 (30 days).
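To make the decision chain concrete, here is a small Python model of the validation behaviour described above and of both fixes. It is an added illustration, not Office or RMS code: the 30-day limit, the minute-based GicTempValidity and the DisableCertificateValidation DWORD come from the post; the function names and the SID values are made up.

```python
"""Model of how Office treats a temporary GIC (TRAC), per the post.

Added illustration only. Function names and SIDs are invented; the
thresholds and the registry DWORD semantics are those described in the post.
"""
from dataclasses import dataclass

# Office's 30-day ceiling for a temporary GIC, in the same unit (minutes)
# that GicTempValidity uses in DRMS_ClusterPolicies.
MAX_TEMP_GIC_MINUTES = 30 * 24 * 60  # 43200


@dataclass
class Gic:
    validity_minutes: int  # lifetime the RMS server issued (GicTempValidity)
    sid: str               # SID the server embedded in the GIC


def office_accepts_gic(gic, process_sid, disable_certificate_validation=0):
    """Return (accepted, reason). The last argument mirrors the HKCU
    ...\\Office\\12.0\\Common\\DRM DisableCertificateValidation DWORD (0/1)."""
    if disable_certificate_validation == 1:
        # Registry override: Office skips the GIC validation checks.
        return True, "DisableCertificateValidation=1: GIC checks skipped"
    if gic.validity_minutes <= MAX_TEMP_GIC_MINUTES:
        # Within 30 days Office treats the GIC as temporary: no SID cross-check.
        return True, "temporary GIC within the 30-day limit"
    # Past 30 days Office treats it as permanent and cross-checks the SID,
    # which fails when the user is not actually signed onto the domain.
    if gic.sid == process_sid:
        return True, "permanent GIC, SID matches the process SID"
    return False, "permanent GIC, SID mismatch: discarded, new GIC requested"


def acquisition_rounds(validity_minutes, process_sid, issued_sid,
                       disable_certificate_validation=0, max_rounds=5):
    """Simulate acquire/validate; rounds until accepted, or None if it loops
    because every re-issued TRAC carries the same over-long validity."""
    for attempt in range(1, max_rounds + 1):
        gic = Gic(validity_minutes, issued_sid)  # server re-issues same policy
        ok, _ = office_accepts_gic(gic, process_sid, disable_certificate_validation)
        if ok:
            return attempt
    return None


def check_gic_temp_validity(minutes):
    """Fix 2 from the post: flag a DRMS_ClusterPolicies value above 43200."""
    if minutes <= MAX_TEMP_GIC_MINUTES:
        return "ok"
    return f"too long: {minutes} min > {MAX_TEMP_GIC_MINUTES} min (30 days)"


if __name__ == "__main__":
    # Constructed values: ~2.5 months in minutes, and two placeholder SIDs.
    print(acquisition_rounds(108000, "S-1-5-21-PROC", "S-1-5-21-GIC"))      # None
    print(acquisition_rounds(108000, "S-1-5-21-PROC", "S-1-5-21-GIC", 1))   # 1
    print(check_gic_temp_validity(108000))
```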

There you have it. Mystery solved. Horatio can put on his sunglasses, say something obvious, and walk off, 'creepishly' into the sunset for now.

Thanks again to the people at Giga-Trust (Curtis and friends) for reporting this, and patiently working through the problem with me, helping answer one of the many mysteries of RMS. :)

- Jason