IRM Client Diagnostics for O365 D/ITAR - Customer Deck · 2018. 10. 16. · Windows 7 Enterprise...
IRM Client Diagnostics for O365 D/ITAR
Office 365 – Dedicated & ITAR-Support Plans
IRM Introduction
About Information Rights Management
3 | Microsoft
The Information Rights Management (IRM) feature provided in the 11.3 release of Office 365 for Enterprises Dedicated and ITAR-support plans utilizes Active Directory Rights Management Services (AD RMS) to protect content (e.g. an e-mail message or document) and manage specific use restrictions for the content.
The principal components of an AD RMS environment include an AD RMS server infrastructure within a customer environment and the Office 365 hosted environment as well as IRM-supported applications on client systems and devices.
About Information Rights Management
IRM helps to:
• Prevent an authorized recipient of protected content from forwarding, copying, modifying, printing, faxing, or pasting the content for unauthorized use; copying restrictions include the use of the Print Screen or Snipping Tool features of Microsoft Windows
• Protect supported attachment file formats with the same level of protection as the message
• Maintain content restrictions regardless of where the content is delivered
• Support file expiration so that content in documents, workbooks, or presentations can no longer be viewed after a specified period of time
• Enforce corporate policies that govern the use and dissemination of content
About Information Rights Management
IRM does not prevent:
Content from being captured by third-party screen-capture programs
Content from being erased, stolen, or captured and transmitted by
malicious programs such as Trojan horses, keystroke loggers, and certain
types of spyware
Content from being lost or corrupted because of the actions of
computer viruses
Restricted content from being hand-copied or retyped from a display on
a recipient's screen
Use of imaging devices such as cameras to photograph IRM-protected
content displayed on the screen5 | Microsoft
Components Overview
How information is protected
Microsoft Office 365 uses Active Directory Rights Management Services (AD RMS) to implement the IRM protection feature.
To access IRM-protected content, AD RMS-enabled applications must procure a use license for the authorized user from a trusted AD RMS server.
The use license contains the public key to decrypt the protected content.
AD RMS utilizes a database to hold data for certification, licensing, and publishing activities and also relies on Active Directory Domain Services to provide identity, authentication, group expansion, and discovery services.
Cross-Forest Pre-licensing
[Diagram: Office 365 side with Hub Transport, CAS, a DC and an AD RMS server whose SCP is rms.999.d.mgd.msft.net; Customer side with a DC and an AD RMS server whose SCP is ADRMS.contoso.com; the two sides are connected over the Internet, with an Outlook or other mobile client at the edge.]
The speech bubbles on the slide show the pre-licensing exchange in this order:
1. "Here's an email for John" (the message arrives at Hub Transport)
2. "Can I get a license for John?" (Hub Transport asks the Office 365 AD RMS server)
3. "Who's this John he's talking about?" (Office 365 AD RMS asks its DC)
4. "He's someone at Contoso, ask them!"
5. "Where's your RMS server?" / "Right above me!" (answered by the Contoso SCP)
6. "I need John's RAC" / "Here it is!" (exchange with the Contoso AD RMS server)
7. "Here's the license you requested" (returned to Hub Transport)
8. "Put this in John's mailbox. It comes with a license."
Rights Policy Templates
• Rights policy templates are used to control the rights that a user or group has on a particular piece of rights-protected content
• O365 templates are administered by the customer
• Required for a Transport Protection Rule
• It is recommended to add " (O365)" to all policies created within Office 365 to avoid name conflicts with templates created on-premises
Create a Template via MMC
Within the Office 365 environment, additional rights policy templates can be created. Prior to attempting to create or edit templates, confirm the administrative user has been added to the RMS Template Administrators security group.
[Screenshot: AD RMS snap-in for the Microsoft Management Console (MMC)]
Create a Template via PowerShell
You can create a Policy Template via PowerShell using the ADRMSAdmin provider.
# Load the AD RMS administration provider and map it to a drive rooted at the Office 365 cluster
Import-Module AdRmsAdmin
New-PSDrive -Name RMS -PSProvider AdRmsAdmin -Root https://rms.999.d.office365.com
Set-Location RMS:\RightsPolicyTemplate
# Create the template; the " (O365)" suffix avoids name clashes with on-premises templates
New-Item -Path RMS:\RightsPolicyTemplate -LocaleName en-us -DisplayName "FTE Only (O365)" `
    -Description "Limits rights to full time employees only."
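An added example, not code from the deck, that wraps the same provider commands in a function enforcing the " (O365)" naming recommendation and refusing to create a template whose display name already exists. It assumes the AdRmsAdmin provider is mapped to the RMS: drive as above and that items under RMS:\RightsPolicyTemplate expose a DisplayName property (an assumption, not confirmed by the deck).

```powershell
# Added example (not from the deck). Assumes the AdRmsAdmin provider is installed and
# that template items under RMS:\RightsPolicyTemplate expose a DisplayName property.
Import-Module AdRmsAdmin
New-PSDrive -Name RMS -PSProvider AdRmsAdmin -Root 'https://rms.999.d.office365.com' | Out-Null

function New-O365RmsTemplate {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$Description,
        [string]$LocaleName = 'en-us'
    )
    # Templates created in Office 365 should carry the " (O365)" suffix so they cannot
    # be confused with templates of the same name created on-premises.
    if ($DisplayName -notmatch '\s\(O365\)$') {
        throw "Template name must end in ' (O365)': $DisplayName"
    }
    # Refuse to create a second template with an identical display name.
    $existing = Get-ChildItem -Path RMS:\RightsPolicyTemplate |
        Where-Object { $_.DisplayName -eq $DisplayName }
    if ($existing) {
        Write-Warning "Template '$DisplayName' already exists; not creating a duplicate."
        return $existing
    }
    New-Item -Path RMS:\RightsPolicyTemplate -LocaleName $LocaleName `
        -DisplayName $DisplayName -Description $Description
}

# Same template as the deck's example, created through the guarded function.
New-O365RmsTemplate -DisplayName 'FTE Only (O365)' `
    -Description 'Limits rights to full time employees only.'
```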
Office 365 Rights Management diagnostics tool (O365RMdiag)
Office 365 Rights Management diagnostics
Microsoft Online Services Support provides the Office 365 Rights Management diagnostics package (O365RMdiag.zip) to Office 365 customers for use without warranty, expressed or implied.
The tool is used to diagnose client issues within an AD RMS environment managed entirely by a customer.
The diagnostics package contains a batch file (.bat) script, O365RMdiag.bat, which invokes binary executable files (.exe) to establish, repair, or remove an AD RMS configuration on a client PC system.
Download O365RMdiag.zip
To download O365RMdiag.zip
1. Download the Office 365 Rights Management
diagnostics package (O365RMdiag.zip) from here.
2. Extract O365RMdiag.zip to C:\temp\rms
Using O365RMdiag.bat
1. Open an Administrator Command Prompt
2. Run O365RMdiag.bat setup
3. Reproduce the issue by attempting to open the protected content. Once
completed, continue to the next step.
4. Run O365RMdiag.bat repair from the Admin Command Prompt
5. Re-attempt to open protected content to collect debug information. This
allows the tool to collect any error messages.
6. Run O365RMdiag.bat cleanup from the Administrator Command Prompt
to terminate debug process and to capture revised IRM configuration.
Using O365RMdiag.bat
You can review the exported data in "C:\temp\rms\RmLog", or you can zip it and send it to your escalation support team if requested.
About O365RMdiag.bat Setup
When you run the diagnostic tool using the Setup option, the tool performs the following tasks:
• Kills any running instances of dbgview.exe
• Runs IRMCheck.exe and saves the output as CurrentDRMStateIrmCheckOutput.htm
• Runs dbgview.exe and saves the output as ReproWithCurrentDRMState.log
• Enables the Trace registry key for IRM
About O365RMdiag.bat Setup
Example output from a Windows 7 client
C:\temp\rms\O365rmdiag.bat setup
Creates an RmLog directory in C:\O365RMdiag\rmlog
Displays the following output:
"Created C:\Users\Jdoe\Desktop\O365rmdiag\RmLog"
IRM Configuration Test (6.1.7689.0)
Checking settings
Performing the Cloud service discovery
Performing the Enterprise service discovery
IRM Configuration Test completed.
IRM Configuration Test output saved into C:\O365RMdiag\RMLog\CurrentDRMStateIrmCheckOutput.htm
The operation completed successfully.
The operation completed successfully.
"O365RMdiag "setup" SUCCEEDED"
"This concludes Phase 1 of the O365rmdiag.bat script. We have collected information on the current AD RMS state on this computer. Please reproduce any steps used to access the protected content that you had errors with. This will collect data from the machine while you see the error message. After the error occurs, close all open applications and run O365rmdiag.bat repair from an Administrator Command Prompt."
About O365RMdiag.bat Repair
When you run the diagnostic tool using the Repair option, the tool performs the following tasks:
• Kills any running instances of dbgview.exe
• Makes a backup of the DRM directory and saves it as DRM.old
• Renames the DRM directory to a random directory name so that it forces the bootstrap process to start over
• Deletes all EUL files from the DRM backup directory
• Runs dbgview.exe and saves the output as ReproWithCleanDRMState.log
• Sets multiple registry values
About O365RMdiag.bat Repair
Example output from a Windows 7 client
C:\temp\rms\O365rmdiag.bat repair
process Dbgview.exe (4048) - 'DebugView on \\COMPUTERNAME (local)' killed
C:\Users\USERNAME\Local Settings\Application Data\Microsoft\DRM\CERT-Machine.drm
C:\Users\USERNAME\Local Settings\Application Data\Microsoft\DRM\CLC-EMAILADDRESS-GUID.drm
C:\Users\USERNAME\Local Settings\Application Data\Microsoft\DRM\GIC-EMAILADDRESS-GUID.drm
3 file(s) copied.
Could Not Find C:\O365RMdiag\RmLog\DRM.Old\EUL*
"O365RMdiag "repair" SUCCEEDED"
"Please run the repro again now. You might hit the error again, but it also may just work because we cleaned up the RMS state. In any case, please run O365RMdiag collect after you run the repro".
At this point the DRM directory has been renamed. Note that the Templates directory may not reappear immediately, which can itself cause a problem. Reproduce the error; it may still fail.
When the repair has finished, please attempt to access the protected content again to see whether it displays or reproduces the issue with the protected content. Regardless of whether there is an error or not, close all open applications and run O365rmdiag.bat cleanup from an Administrator Command Prompt.
About O365RMdiag.bat Cleanup
When you run the diagnostic tool using the Cleanup option, the tool performs the following tasks:
• Kills any running instances of dbgview.exe
• Runs IRMCheck.exe and saves the output as CleanDRMStateIrmCheckOutput.htm
• Makes a backup of the DRM directory and saves it as DRM.New
• Deletes all EUL files from the DRM backup directory
About O365RMdiag.bat Cleanup
Example output from a Windows 7 client
C:\temp\rms\O365rmdiag.bat collect
process Dbgview.exe (160) - 'DebugView on \\COMPUTERNAME (local)' killed
IRM Configuration Test (6.1.7003.0)
Checking settings
Performing the Cloud service discovery
Performing the Enterprise service discovery
IRM Configuration Test completed.
IRM Configuration Test output saved into C:\O365RMdiag\RmLog\CleanDRMStateIrmCheckOutput.htm
C:\Users\USERNAME\Local Settings\Application Data\Microsoft\DRM\CERT-Machine.drm
C:\Users\USERNAME\Local Settings\Application Data\Microsoft\DRM\CLC-EMAILADDRESS-GUID.drm
C:\Users\USERNAME\Local Settings\Application Data\Microsoft\DRM\GIC-EMAILADDRESS-GUID.drm
3 file(s) copied.
Could Not Find C:\O365RMdiag\RmLog\DRM.New\EUL*
"O365RMdiag "collect" SUCCEEDED"
"Please zip up RmLog directory created under the install location of this script and send it to support with the error description. Check your system tray for any dbgview instances that got launched as part of this diagnostic run that the script failed to clean up. You may now close these instances."
This concludes Phase 3 of the O365rmdiag.bat script. Check your system tray for any dbgview instances and close them if still running. All logs were stored in the RmLog directory. This directory should be zipped and provided to anybody troubleshooting AD RMS.
Working with Exported Data
CleanDRMStateIrmCheckOutput.htm contains the report data generated by O365rmdiag.bat. This report can be useful in troubleshooting issues related to client configuration, registry settings, and certificate validity.
CleanDRMStateIrmCheckOutput.htm contents
IRM Configuration Test (6.1.7689.0)
Machine Information
Date: Mon Oct 10 17:14:54 2011
Machine: JDOE-PC [Jdoe-pc.contoso.com]
Username: CONTOSO\Jdoe [Limited User]
Operating system: Windows 7 Enterprise [6.1.7601.win7sp1_gdr.110622-1506] ( 64-bit OS )
Target: RM Production Environment
RM Hierarchy: [Production_Hierarchy]
Check | Status | Detailed information
1. Office System | SUCCESS | Microsoft Office System (build 14.0.6106.5005) is installed
2. Operating system | SUCCESS | Windows 7 Enterprise (build 6.1.7601.win7sp1_gdr.110622-1506) is installed. ( 64-bit OS )
3. RM client | SUCCESS | Microsoft Rights Management client (build 6.1.7601.17514) is installed [ Production_Hierarchy ]
4. Kernel Debugger | SUCCESS | The kernel debugger is not present
5. Registry overrides | SUCCESS | No incorrect registry key overrides was detected
6. Service URLs | SUCCESS | The Enterprise RM service is in the Local Intranet or Trusted Sites zone
7. IRM manifests | SUCCESS | IRM application manifests are correct
8. Machine activation | SUCCESS | The machine is activated correctly: 6.1.7601.17514 (RMS Client v3.0 Desktop Security Processor), file:///rmactivate.exe, 10/11/2011 12:10:00 AM [UTC]
9. User certificates | SUCCESS | Found 1 valid user certificate
10. System clock | SUCCESS | The system clock is correct
11. Pending Reboot | SUCCESS | No pending reboot detected
12. Product SKU | SUCCESS |
13. Network Connectivity | SUCCESS | The computer is online
14. Domain Membership | SUCCESS | Member of CONTOSO domain
15. Temporary Directory | SUCCESS | Temporary directory set to C:\Users\Jdoe.CONTOSO\AppData\Local\Temp\
16. Incompatible applications | SUCCESS | No known incompatible applications found.
17. User Email in AD | SUCCESS | The logged on user's email found in the AD: [email protected]
CleanDRMStateIrmCheckOutput.htm contents
Certificates
Type | Valid | Account | Account Type | SID | Issued On | Duration | Service URLs
GIC | Y | om | Windows | {CONTOSO\Jdoe} | 10/11/2011 | 10/10/2011-10/10/2012 | Issued By: https://rmscert.contoso.com/_wmcs/certification
CLC | Y | om | Windows | {CONTOSO\Jdoe} | 10/11/2011 | Always | Issued By: https://rms.999.d.office365.com/_wmcs/licensing; https://rms.999.d.office365.com/_wmcs/licensing; https://rms.999.d.office365.com.microsoft.com/_wmcs/licensing
Machine | Y | | | | 10/11/2011 | Always | Issued By: file:///rmactivate.exe
Registry Information
Office Activation Service: registry entry absent
Office Enterprise Certification Service: registry entry absent
Office Enterprise Client Enrollment Service: registry entry absent
Office Cloud Certification Service: registry entry absent
Office Cloud Client Enrollment Service: registry entry absent
Office RM Client Setup URL: registry entry absent
Office IRM Disable: registry entry absent
Office IRM DisablePassportCertification: registry entry absent
Office IRM DisableCertificateValidation: registry entry absent
Office IRM Permission Policy Path: C:\Users\Jdoe.CONTOSO\AppData\Local\Microsoft\DRM\Templates
Office Cached Enterprise Client Enrollment Service: https://rms.999.d.office365.com/_wmcs/licensing
RMA Activation Service: registry entry absent
RMA Enterprise Certification Service: registry entry absent
RMA Cloud Certification Service: registry entry absent
RM Activation Service: registry entry absent
RM Enterprise Client Enrollment Service: registry entry absent
RM Cloud Client Enrollment Service: registry entry absent
Use Proxy Server: 0
Proxy Server: proxy.contoso.com:80
Don't use proxy server for:
Use proxy autoconfig script from: registry entry absent
IE Enhanced Security: registry entry absent
The Enterprise Service Discovery results:
RM Activation Service: https://rmscert.contoso.com/_wmcs/certification
RM Certification Service: https://rmscert.contoso.com/_wmcs/certification
RM Online Publishing Service: https://rms.999.d.office365.com/_wmcs/licensing
RM Client Enrollment Service: https://rms.999.d.office365.com/_wmcs/licensing
User Shell Folders registry entry present: Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
SharePoint Configuration
The configuration of the SharePoint Farm is likewise very simple and really involves only one setting. The only prerequisites are that RMS be installed and configured somewhere on the network, and that the RMS client be installed on the web front end servers.
To configure SharePoint to use your RMS server you will need to navigate to the Central Administration web site and click on the Security link in the Quick Launch.
Information Policy
General Troubleshooting
Validate O365 AD RMS IIS Health
• Verify that the O365 Licensing Server URL is in the Local intranet sites in Internet Explorer
  − Example: https://rms.999.d.office365.com/
• Open the Office 365 AD RMS Licensing URL in Internet Explorer
  − Example: https://rms.999.d.office365.com/_wmcs/licensing/license.asmx
  − If the following page is displayed, the IIS service is healthy:
Troubleshooting DNS and Network
• The AD RMS pipelines (Certification & Licensing) are used when protecting or consuming content
• Check that all pipelines are reachable from the clients
  − On-premises AD RMS Certification URL, example: https://rmscert.contoso.com/_wmcs/certification/certification.asmx
  − On-premises AD RMS Licensing URL, example: https://rms.contoso.com/_wmcs/licensing/license.asmx
  − Office 365 AD RMS Licensing URL, example: https://rms.999.d.office365.com/_wmcs/licensing/license.asmx
Service Connection Point
• SCP is an object in the Configuration container within AD DS
  − Example object: CN=SCP,CN=RightsManagementServices,CN=Services,CN=Configuration,DC=contoso,DC=com
  − Populated attribute within SCP: serviceBindingInformation = https://rmscert.contoso.com/_wmcs/certification
• Can be used for auto-discovery of AD RMS
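An added example, not part of the deck, that scripts the three General Troubleshooting checks above from a domain-joined Windows client: the Internet Explorer zone assignment of the licensing host, reachability of each AD RMS pipeline, and the serviceBindingInformation published on the SCP. The URLs are the deck's example hostnames; the ZoneMap registry layout and the RootDSE lookup are standard Windows behaviour, not something the deck documents.

```powershell
# Added example (not from the deck). The hostnames are the deck's examples.
$o365Licensing   = 'https://rms.999.d.office365.com/_wmcs/licensing/license.asmx'
$onPremCert      = 'https://rmscert.contoso.com/_wmcs/certification/certification.asmx'
$onPremLicensing = 'https://rms.contoso.com/_wmcs/licensing/license.asmx'

# Check 1: which IE security zone the licensing host is mapped to. Internet Explorer
# stores per-host assignments under ZoneMap\Domains\<domain>\<subdomain>, with a
# DWORD named after the scheme: 1 = Local intranet, 2 = Trusted sites.
function Get-IEZone([string]$Url) {
    $u = [Uri]$Url
    $labels = $u.Host.Split('.')
    $n = $labels.Count
    $path = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\' +
            ($labels[($n - 2)..($n - 1)] -join '.')          # e.g. office365.com
    if ($n -gt 2) { $path += '\' + ($labels[0..($n - 3)] -join '.') }  # e.g. rms.999.d
    foreach ($hive in 'HKCU:', 'HKLM:') {                   # per-user first, then machine-wide
        $item = Get-ItemProperty -Path "$hive\$path" -Name $u.Scheme -ErrorAction SilentlyContinue
        if ($item) { return [int]$item.($u.Scheme) }
    }
    return $null                                            # unmapped: falls into the Internet zone
}

# Check 2: is each AD RMS pipeline reachable? A GET of the .asmx page with the user's
# Windows credentials exercises name resolution, TLS and IIS in one step.
function Test-RmsPipeline([string]$Url) {
    try {
        $r = Invoke-WebRequest -Uri $Url -UseDefaultCredentials -UseBasicParsing -ErrorAction Stop
        [pscustomobject]@{ Url = $Url; Reachable = $true;  Detail = "HTTP $([int]$r.StatusCode)" }
    } catch {
        [pscustomobject]@{ Url = $Url; Reachable = $false; Detail = $_.Exception.Message }
    }
}

# Check 3: read the Service Connection Point used for AD RMS auto-discovery, building
# its DN from this forest's configuration naming context instead of hard-coding it.
function Get-RmsScp {
    $cfg = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    try {
        $scp = [ADSI]"LDAP://CN=SCP,CN=RightsManagementServices,CN=Services,$cfg"
        return [string]$scp.serviceBindingInformation
    } catch {
        return $null                                        # no SCP published in this forest
    }
}

$zone = Get-IEZone $o365Licensing
"IE zone for $($o365Licensing): $zone (1 = Local intranet, 2 = Trusted sites, blank = Internet)"
$onPremCert, $onPremLicensing, $o365Licensing | ForEach-Object { Test-RmsPipeline $_ } | Format-Table -AutoSize
"SCP serviceBindingInformation: $(Get-RmsScp)"
```

A pipeline that resolves and answers on TLS but returns an HTTP error in Detail points at IIS or authentication on that server rather than at DNS or the network; an empty SCP value means clients will depend on the registry overrides listed in the IrmCheck report for discovery.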
Troubleshooting IRM for Exchange
OWA Failure Mode - Send
• Messages are IRM-protected by Client Access servers
OWA Failure Mode - Receive
• Messages protected by senders using your organization's AD RMS cluster are rendered in the preview pane in Outlook Web App
• When a user opens a message or views it in the preview pane, the message is decrypted by using the use license added by the Pre-licensing agent. After decryption, the message is displayed in the preview pane
• If a pre-license isn't available, Outlook Web App requests one from the AD RMS server and then renders the message
Transport Rule Failure Modes
Messages are NDRed when Transport Rules cannot apply a RM template
© 2010 Microsoft Corporation.