Troubleshooting AD RMS just got easier!

Posted on 2 February, 2015 by Tom Aafloen

Microsoft has released public previews of two Rights Management Services Diagnostic Tools.

These tools diagnose settings, configurations and behavior of your Active Directory Rights Management Services (AD RMS) infrastructure. There are two tools, one for RMS Client and one for RMS Server.

The tools are very small, only about 200 kb each. That do not require installation and can be downloaded here:
http://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=56564

This is what the RMS Client Diagnostic app looks like (see below for Server screenshots):

clip_image002

I ran diagnostics on my test client and you can see that I have some issues with Intranet Sites:

clip_image004

Clicking on Fix it in the left menu and then the View Operations button it displays what will be done if I choose to click Fix It Now.

clip_image006

When I did click Fix It Now, the fix succeed:

clip_image008

Running the diagnostics again shows no error this time:

clip_image010

You can also use this tool to reset the cached RMS-related files on tour client, even if no errors were found. Note that this action will not make you lose access to any RMS protected data, it only means that the next time RMS is used on the client you will be automatically bootstrapped (get a fresh set of user certificates and templates):

clip_image012

clip_image014

 

This is what the RMS Server Diagnostic app looks like:

clip_image016

By clicking Server in the left menu you get information about my RMS Server installation:

clip_image018

By running Diagnostics, RMS server related tests are performed. I got a warning that a group email address was not found my current account:

clip_image020

Clicking Templates enables me to download published RMS templates. I can expand each of them to get more detailed information. Here I have expanded the FTE – Edit and print template:

clip_image022

On the Membership menu you can quickly check if a user is member of an RMS enabled group or not. This can help troubleshoot users that cannot open documents they believe they should have access to:

The user Klara is not a member of the TeamHelix group:

clip_image024

  The user Max however is a member of the TeamHelix group:

clip_image026

I hope you will find these tools useful.

Update 2015-05-13

There is a new version of this tool, read more about it here:

In the new version the Membership page has been updated to also include checking membership of Templates:

image

About Tom Aafloen

IT Security Advisor @ Onevinn
This entry was posted in Rights Management Services, RMS and tagged , , . Bookmark the permalink.

4 Responses to Troubleshooting AD RMS just got easier!

  1. Dylan Nicholson says:
    5 February, 2015 at 12:58

    Does this work for Azure RMS? Is source code available? Thanks!

    Reply
    • Tom Aafloen says:
      5 February, 2015 at 01:04

      No, not with Azure RMS at the moment, but it will most likely do that before long. I’ll try to remember to comment here if/when it does.
      I’ll look into the source code question, but my guess is that it will stay proprietary.

      Reply
      • Dylan Nicholson says:
        5 February, 2015 at 01:22

        Ok, just that I haven’t figured out how to get it to work for my own application, following steps as per here: https://technet.microsoft.com/en-US/dn133057(v=vs.71).aspx
        In particular it doesn’t seem to matter what I put in the IPC_CREDENTIAL_SYMMETRIC_KEY structure I either get “the user hasn’t been authenticated” or “parameter is incorrect”.

  2. Pingback: Rights Management Services Analyzer Tool – updated | Microsoft Security Solutions

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s