Unlocking the black box that is AD RMS Part 2

Posted on by

Let’s begin shall we. I’ve included a copy of the captures I used to gather the information below.

Scenario: Client IntraForest Activation and Creation of Protected Content
Author: UserA@contoso.local
Consumer: UserB@contoso.local
Captures: Scenario 1 Captures

  1. Client searches registry to see if service connection point (SCP) has been hardcoded. It checks the following keys:
    1. HKLMSoftwareMicrosoftMSDRMServiceLocationActivation – This is a hardcoded location for client activation.
    2. HKLMSoftwareMicrosoftMSDRMServiceLocationEnterprise – This is the hardcoded location to obtain a CLC.
    3. HKCUSoftwareMicrosoftOffice14.0CommonDRMServiceLocation – This is where previously discovered service locations are stored for Office 2010.
    4. HKCUSoftwareMicrosoftOffice15.0CommonDRMServiceLocation – This is where previously discovered service locations are stored for Office 2013.
  2. Client then queries contoso.local global catalog for an AD RMS SCP with the following query:
    • Filter: (& (objectClass=serviceConnectionPoint)(keywords=MSRMRootCluster)(keywords=1.0))
      Attributes: ( serviceBindingInformation )
  3. Domain controller in client’s domain returns the AD RMS SCP information. This value is normally http(s)://RMSClusterDNSName/_wmcs/certification.
  4. Client connects to SCP which exists in AD RMS server and is directed to ServiceLocator.asmx and requests a service location URL for obtaining a CLC.
  5. AD RMS returns the Contoso.local AD RMS cluster’s licensing pipeline which is normally set to http(s)://RMSClusterDNSName/_wmcs/licensing
  6. Client writes this information to the following registry entries/keys:
      Office 2010

    • HKCUSoftwareMicrosoftOffice14.0CommonDRMCachedCorpLicenseServer
    • HKCUSoftwareMicrosoftOffice14.0CommonDRMServiceLocations

      • Office 2013

    • HKCUSoftwareMicrosoftOffice15.0CommonDRMCachedCorpLicenseServer
    • HKCUSoftwareMicrosoftOffice15.0CommonDRMServiceLocations
  7. Client connects to SCP which exists in AD RMS server and is directed to ServiceLocator.asmx and requests a service location URL for activation (obtaining a copy SLC public key).
  8. AD RMS Server returns activation pipeline which is normally set to http(s)://RMSClusterDNSName/_wmcs/certification.
  9. Client writes this information to a series of registry entries in the following key:
    • HKCUSoftwareMicrosoftOffice14.0CommonDRMServiceLocations – Office 2010
    • HKCUSoftwareMicrosoftOffice15.0CommonDRMServiceLocations – Office 2013
  10. Client connects to SCP which exists in AD RMS server and is directed to ServiceLocator.asmx and requests a service location URL for performing certification (obtaining a RAC)
  11. AD RMS Server returns certification pipeline which is normally set to http(s)://RMSClusterDNSName/_wmcs/certification.
  12. Client writes this information to a series of registry entries in the following key:
    • HKCUSoftwareMicrosoftOffice14.0CommonDRMServiceLocations – Office 2010
    • HKCUSoftwareMicrosoftOffice15.0CommonDRMServiceLocations – Office 2013
  13. Client contacts Activation URL (which is normally http(s)://RMSClusterDNSName/_wmcs/certification) and hits Server.asmx to obtain a copy of the SLC’s public key.
  14. AD RMS Server returns a copy of the SLC’s public key to the client.
  15. Client receives a copy of the SLC public key and performs machine activation generating a machine key in C:UsersUserNameAppDataLocalMicrosoftDRM for Office 2010 and C:UsersUserNameAppDataLocalMicrosoftMISPC for Office 2013.
  16. Client contacts Certification URL (which is normally http(s)://RMSClusterDNSName/_wmcs/certification) and hits Certification.asmx to obtain a RAC.
  17. AD RMS Server checks it’s database to see if it has a copy of the user’s RAC, if not it generates one using the following process.
    1. AD RMS Server queries a DC in its local domain for the user’s email address using the user’s SID as an identifier. The following query is used:
      • Filter = ( & ( | (objectSid=User’sSID) (sIDHistory=User’sSID) ) ( | (objectCategory=CN=Computer,CN=Schema,CN=Configuration,DC=domain,DC=com) (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com) ) )
        Attributes = mail,objectSid,sIDHistory,proxyAddresses,memberOf,primaryGroupID,distinguishedName,uSNChanged,msExchOriginatingForest,msExchDynamicDLBaseDN, msExchDynamicDLFilter,userPrincipalName,sAMAccountName
    2. AD RMS Server queries a DC in its local domain for the user’s primary group. I’m unsure as to why it does this. The debug logs say something about establishing immediate group membership. The following query is used:
      • Filter = ( & (objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=domain,DC=com)(objectSid=PrimaryGroup’sSID) )
        Attributes = distinguishedName
    3. AD RMS Server generates a RAC with the ID field populated with the user’s email address and sends back to user.
  19. Client receives RAC and saves it to C:UsersUserNameAppDataLocalMicrosoftDRM for Office 2010 and C:UsersUserNameAppDataLocalMicrosoftMISPC for Office 2013.
  20. Client contacts CLC Service URL (which is normally http(s)://RMSClusterDNSName/_wmcs/licensing and hits publish.asmx and requests a CLC.
  21. AD RMS Server creates a CLC and sends it to the user.
  22. Client receives CLC and saves it to C:UsersUserNameAppDataLocalMicrosoftDRM for Office 2010 and C:UsersUserNameAppDataLocalMicrosoftMISPC for Office 2013.

Client Activation and Creation of protected content is complete.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s