Unlocking the black box that is AD RMS Part 3

Let’s continue and we’ll introduce the second forest with its own AD RMS cluster.

Scenario: Client InterForest Activation and Consumption of Protected Content. In this scenario UserA in contoso.local (UserA@contoso.local) has protected a document and given UserB in fabrikam.local (UserB@fabrikam.local) the Read right. The steps below describe UserB’s process to activate, certify, and consume the content protected by UserA.
Author: UserA@contoso.local
Consumer: UserB@fabrikam.local
Captures: Scenario 2 Captures

  1. Client searches the registry to see if a service connection point (SCP) has been hardcoded. It checks the following keys:
    1. HKLM\Software\Microsoft\MSDRM\ServiceLocation\Activation – This is a hardcoded location for client activation.
    2. HKLM\Software\Microsoft\MSDRM\ServiceLocation\Enterprise – This is the hardcoded location to obtain a CLC.
    3. HKCU\Software\Microsoft\Office\14.0\Common\DRM\ServiceLocation – This is where previously discovered service locations are stored for Office 2010.
    4. HKCU\Software\Microsoft\Office\15.0\Common\DRM\ServiceLocation – This is where previously discovered service locations are stored for Office 2013.
  2. Client contacts the contoso.local AD RMS cluster via the licensing pipeline (https://adrms.contoso.local/_wmcs/licensing) stored in the protected document's metadata, hits the ServiceLocator.asmx file, and requests the service location for certification.
  3. AD RMS Server in contoso.local checks for the presence of the GICURL registry entry in HKLM\Software\Microsoft\DRMS. This registry entry is used when you opt not to use an AD RMS SCP. When present, it overrides SCP discovery for both local and cross-forest clients.
  4. When the entry is not found, the AD RMS Server in contoso.local identifies that the user belongs to fabrikam.local (the user was forced to authenticate to access ServiceLocator.asmx), queries the global catalog in fabrikam.local for the AD RMS SCP, and returns it to the client (https://adrms.fabrikam.local/_wmcs/certification).
  5. Client receives back a referral to the fabrikam.local SCP (https://adrms.fabrikam.local/_wmcs/certification) and writes the information to a registry entry under the registry key:
    • HKCU\Software\Microsoft\Office\14.0\Common\DRM\ServiceLocation – For Office 2010
    • HKCU\Software\Microsoft\Office\15.0\Common\DRM\ServiceLocation – For Office 2013
  6. Client contacts the contoso.local AD RMS cluster via the licensing pipeline (https://adrms.contoso.local/_wmcs/licensing) stored in the protected document's metadata, hits the ServiceLocator.asmx file, and requests the service location for obtaining a CLC.
  7. AD RMS Server in contoso.local identifies that the user belongs to fabrikam.local (again because the user was forced to authenticate to access ServiceLocator.asmx) and returns the AD RMS SCP for the client's domain to the client (https://adrms.fabrikam.local/_wmcs/certification).
  8. Client receives back a referral to the fabrikam.local SCP (https://adrms.fabrikam.local/_wmcs/certification) and writes the information to a registry entry under the registry key:
    • HKCU\Software\Microsoft\Office\14.0\Common\DRM\ServiceLocation – For Office 2010
    • HKCU\Software\Microsoft\Office\15.0\Common\DRM\ServiceLocation – For Office 2013
  9. Client then contacts the SCP URL returned in the previous step, hits ServiceLocator.asmx, and requests a service location for obtaining a CLC.
  10. AD RMS Server in fabrikam.local returns the licensing pipeline (https://adrms.fabrikam.local/_wmcs/licensing) information to the client.
  11. Client receives back the licensing URL and writes it to registry entries under the following keys:
      Office 2010
    • HKCU\Software\Microsoft\Office\14.0\Common\DRM\ServiceLocation
    • HKCU\Software\Microsoft\Office\14.0\Common\DRM\CachedCorpLicenseServer
      Office 2013
    • HKCU\Software\Microsoft\Office\15.0\Common\DRM\ServiceLocation
    • HKCU\Software\Microsoft\Office\15.0\Common\DRM\CachedCorpLicenseServer
  12. Client connects to the fabrikam.local licensing pipeline, is directed to ServiceLocator.asmx, and requests a service location URL for activation (to obtain a copy of the SLC public key and perform machine activation).
  13. Fabrikam.local AD RMS Server returns the activation pipeline (http(s)://adrms.fabrikam.local/_wmcs/certification).
  14. Client writes this information to a series of registry entries in the following key:
    • HKCU\Software\Microsoft\Office\14.0\Common\DRM\ServiceLocation – For Office 2010
    • HKCU\Software\Microsoft\Office\15.0\Common\DRM\ServiceLocation – For Office 2013
  15. Client contacts the fabrikam.local activation URL and hits Server.asmx to obtain a copy of the SLC's public key.
  16. Client receives a copy of the SLC public key and performs machine activation, generating a machine key in C:\Users\Username\AppData\Local\Microsoft\DRM.
  17. Client contacts the fabrikam.local certification URL (https://adrms.fabrikam.local/_wmcs/certification) and hits certification.asmx to obtain a RAC.
  18. AD RMS Server checks its database to see if it has a copy of the user's RAC; if not, it generates one using the following process.
    1. AD RMS Server queries a DC in its local domain for the user's email address using the user's SID as an identifier. The following query is used:
      • Filter = (&(|(objectSid=User'sSID)(sIDHistory=User'sSID))(|(objectCategory=CN=Computer,CN=Schema,CN=Configuration,DC=domain,DC=com)(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com)))
      • Attributes = mail, objectSid, sIDHistory, proxyAddresses, memberOf, primaryGroupID, distinguishedName, uSNChanged, msExchOriginatingForest, msExchDynamicDLBaseDN, msExchDynamicDLFilter, userPrincipalName, sAMAccountName
    2. AD RMS Server queries a DC in its local domain for the user’s primary group. I’m unsure as to why it does this. The debug logs say something about establishing immediate group membership. The following query is used:
      • Filter = (&(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=domain,DC=com)(objectSid=PrimaryGroup'sSID))
      • Attributes = distinguishedName
    3. AD RMS Server generates a RAC with the ID field populated with the user's email address and sends it back to the user.
  19. Client receives the RAC from the fabrikam.local AD RMS server and saves it to C:\Users\UserName\AppData\Local\Microsoft\DRM for Office 2010 and C:\Users\UserName\AppData\Local\Microsoft\MISPC for Office 2013.
  20. Client contacts the fabrikam.local CLC service URL (https://adrms.fabrikam.local/_wmcs/licensing), hits publish.asmx, and requests a CLC.
  21. Fabrikam.local AD RMS Server creates a CLC and sends it to the user.
  22. Client receives the CLC from the fabrikam.local AD RMS server and saves it to C:\Users\UserName\AppData\Local\Microsoft\DRM for Office 2010 and C:\Users\UserName\AppData\Local\Microsoft\MISPC for Office 2013.
  23. Client contacts the contoso.local AD RMS server and requests an EUL.
  24. AD RMS Server in contoso.local contacts the global catalog in contoso.local and performs the following queries:
    1. Check to see if the user exists in contoso.local and has an email address of UserA@contoso.local. This check is essentially looking for a user in the author's forest that matches the consumer's SID and the author's email address. It probably exists to determine whether the consumer should be issued full rights (author rights) to the document.
      • Filter: (&(|(objectSID=SIDOfAuthenticatedUser)(sIDHistory=SIDOfAuthenticatedUser)(|(objectCategory=group)(objectCategory=msExchDynamicDistributionList)(&(objectCategory=contact)(msExchOriginatingForest Present))))
      • Attributes: mail, objectSid, sIDHistory, proxyAddresses, memberOf, primaryGroupId, distinguishedName, uSNChanged, msExchOriginatingForest, msExchDynamicDLBaseDN, msExchDynamicDLFilter, userPrincipalName, sAMAccountName
    2. Check to see if a user object exists in contoso.local with UserC@fabrikam.local as its email address. This check is looking for a user object with both the UserC@fabrikam.local email address and the author's email address (UserA@fabrikam.local). Again, it probably exists for the same reason as the previous query.
      • Filter: (&(|(mail=UserC@fabrikam.local)(proxyAddresses=smtp:UserC@fabrikam.local))(|(objectcategory=computer)(objectcategory=person)))
      • Attributes: mail, objectSid, sIDHistory, proxyAddresses, memberOf, primaryGroupId, distinguishedName, uSNChanged, msExchOriginatingForest, msExchDynamicDLBaseDN, msExchDynamicDLFilter, userPrincipalName, sAMAccountName
    3. Check to see if a distribution group, or a contact with the msExchOriginatingForest attribute populated, exists with the email address UserC@fabrikam.local. This check determines whether the AD RMS server needs to examine the membership of a group local to the contoso.local domain or perform group expansion for a group in another domain.
      • Filter: (&(|(mail=UserC@fabrikam.local)(proxyAddresses=smtp:UserC@fabrikam.local))(|(objectCategory=group)(objectCategory=msExchDynamicDistributionList)(&(objectCategory=contact)(msExchOriginatingForest Present))))
      • Attributes: mail, objectSid, sIDHistory, proxyAddresses, memberOf, primaryGroupId, distinguishedName, uSNChanged, msExchOriginatingForest, msExchDynamicDLBaseDN, msExchDynamicDLFilter, userPrincipalName, sAMAccountName
    4. Run the same check as the previous step. Not sure why, debug log has the same message that it’s not a valid group.
      • Filter: (&(|(mail=UserC@fabrikam.local)(proxyAddresses=smtp:UserC@fabrikam.local))(|(objectCategory=group)(objectCategory=msExchDynamicDistributionList)(&(objectCategory=contact)(msExchOriginatingForest Present))))
      • Attributes: mail, objectSid, sIDHistory, proxyAddresses, memberOf, primaryGroupId, distinguishedName, uSNChanged, msExchOriginatingForest, msExchDynamicDLBaseDN, msExchDynamicDLFilter, userPrincipalName, sAMAccountName
  25. AD RMS Server in contoso.local consumes the RAC and issues an EUL.
  26. Client receives the EUL and saves it to C:\Users\UserName\AppData\Local\Microsoft\DRM for Office 2010 and C:\Users\UserName\AppData\Local\Microsoft\MISPC for Office 2013.
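The discovery steps above leave a trail in the registry and in the per-user certificate caches, and that trail is where a defender looks when a client is being sent to the wrong cluster. The script below is an added example, not code from the original post: it walks the client-side keys named in steps 1, 5, 8, 11 and 14, checks for the server-side GICURL override from step 3, and lists the DRM and MISPC caches from steps 16, 19, 22 and 26. Office 14.0 (2010) and 15.0 (2013) are assumed to be the versions in use, and $expectedHosts is a constructed allow-list for this two-forest lab.

```powershell
# Added example (not from the original post): audit AD RMS client service-location state.
# Run on the client as the user whose Office state you want to inspect; the GICURL check
# only means something when run on the AD RMS server itself.

$expectedHosts = @('adrms.contoso.local', 'adrms.fabrikam.local')   # constructed allow-list

$locationKeys = @(
    @{ Check = 'HKLM hardcoded activation SCP';      Path = 'HKLM:\Software\Microsoft\MSDRM\ServiceLocation\Activation' },
    @{ Check = 'HKLM hardcoded CLC/enterprise SCP';  Path = 'HKLM:\Software\Microsoft\MSDRM\ServiceLocation\Enterprise' },
    @{ Check = 'Office 2010 discovered locations';   Path = 'HKCU:\Software\Microsoft\Office\14.0\Common\DRM\ServiceLocation' },
    @{ Check = 'Office 2010 cached licensing server'; Path = 'HKCU:\Software\Microsoft\Office\14.0\Common\DRM\CachedCorpLicenseServer' },
    @{ Check = 'Office 2013 discovered locations';   Path = 'HKCU:\Software\Microsoft\Office\15.0\Common\DRM\ServiceLocation' },
    @{ Check = 'Office 2013 cached licensing server'; Path = 'HKCU:\Software\Microsoft\Office\15.0\Common\DRM\CachedCorpLicenseServer' }
)

function Get-RegistryValuesRecursive {
    param([string]$Check, [string]$Path)
    # One row per value under the key and every subkey; discovered locations are
    # written as named values and as subkeys, so both are walked.
    foreach ($key in @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Recurse)) {
        foreach ($valueName in $key.GetValueNames()) {
            $display = if ($valueName -eq '') { '(Default)' } else { $valueName }
            [pscustomobject]@{ Check = $Check; Key = $key.Name; Value = $display; Data = $key.GetValue($valueName) }
        }
    }
}

function Get-AdRmsClientLocations {
    foreach ($k in $locationKeys) {
        if (-not (Test-Path -Path $k.Path)) {
            [pscustomobject]@{ Check = $k.Check; Key = $k.Path; Value = $null; Data = '(key absent)' }
            continue
        }
        Get-RegistryValuesRecursive -Check $k.Check -Path $k.Path
    }
}

function Get-AdRmsServerGicUrl {
    # Step 3: a GICURL value here is handed to local and cross-forest clients alike
    # instead of performing SCP discovery.
    $props = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\DRMS' -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties['GICURL']) { return $props.GICURL }
    return $null
}

function Find-UnexpectedAdRmsEndpoints {
    param([object[]]$Rows, [string[]]$Allowed)
    # An HKLM override or a stale HKCU entry redirects every activation, certification
    # and licensing call to the host it names, so anything off the allow-list needs an
    # explanation before the certificates on that client are trusted.
    foreach ($row in $Rows) {
        $data = "$($row.Data)"
        $uri = $null
        if (-not [uri]::TryCreate($data, [System.UriKind]::Absolute, [ref]$uri)) { continue }
        if ($uri.Scheme -notin @('http', 'https')) { continue }
        if ($Allowed -notcontains $uri.Host) { $row }
    }
}

$rows = Get-AdRmsClientLocations
$rows | Format-Table -AutoSize
Find-UnexpectedAdRmsEndpoints -Rows $rows -Allowed $expectedHosts |
    ForEach-Object { Write-Warning "Unexpected AD RMS endpoint $($_.Data) in $($_.Key) [$($_.Value)]" }

$gic = Get-AdRmsServerGicUrl
if ($gic) { Write-Warning "Server-side GICURL override present: $gic (SCP discovery is bypassed)" }

# Certificate caches written in steps 16, 19, 22 and 26 (machine key, RAC, CLC, EUL).
foreach ($dir in "$env:LOCALAPPDATA\Microsoft\DRM", "$env:LOCALAPPDATA\Microsoft\MISPC") {
    if (Test-Path -Path $dir) {
        Get-ChildItem -Path $dir -File -Recurse | Select-Object FullName, Length, LastWriteTime
    }
}
```

The allow-list check is deliberately strict on the host name rather than the full URL: the pipelines differ only in path (/_wmcs/certification versus /_wmcs/licensing), so a redirection to another cluster always shows up as a host change, whereas a path change alone is just the client moving between pipelines as the steps describe.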
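Steps 18 and 24 show the server resolving the consumer first by SID and then by e-mail address, which is why a user with no mail attribute fails certification: the RAC ID field in step 18.3 has nothing to carry. The following script is an added example, not the post's or Microsoft's code, that issues the same lookups from an administrator's session so the result can be compared with what the debug log reports. It assumes a domain user with read access to the directory, uses a constructed SID and address as sample input, writes the log's "(msExchOriginatingForest Present)" as the LDAP presence filter (msExchOriginatingForest=*), and abbreviates the objectCategory DNs to their lDAPDisplayName form (computer, person), which the directory resolves to the same schema objects; the post itself uses that short form in step 24.2.

```powershell
# Added example (not from the original post): replay the AD RMS directory lookups from
# steps 18.1, 24.2 and 24.3 for a given consumer and show what the server would see.

# Attribute list exactly as the post shows the server requesting it.
$adRmsAttributes = @('mail', 'objectSid', 'sIDHistory', 'proxyAddresses', 'memberOf', 'primaryGroupID',
    'distinguishedName', 'uSNChanged', 'msExchOriginatingForest', 'msExchDynamicDLBaseDN',
    'msExchDynamicDLFilter', 'userPrincipalName', 'sAMAccountName')

function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # RFC 4515 escaping: an address copied out of a document's rights list is untrusted
    # input and must not be able to change the structure of the filter it lands in.
    return ($Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00')
}

function Invoke-AdRmsDirectorySearch {
    param([string]$Filter, [string]$SearchRoot)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)
    $searcher.Filter   = $Filter
    $searcher.PageSize = 500
    $searcher.PropertiesToLoad.AddRange([string[]]$adRmsAttributes)
    return $searcher.FindAll()
}

function Get-AdRmsLookupFilters {
    param([string]$Sid, [string]$Mail)
    $s = ConvertTo-LdapFilterValue -Value $Sid
    $m = ConvertTo-LdapFilterValue -Value $Mail
    # Step 18.1: identity by SID; the mail attribute of the hit feeds the RAC ID field.
    $bySid  = "(&(|(objectSid=$s)(sIDHistory=$s))(|(objectCategory=computer)(objectCategory=person)))"
    # Step 24.2: user or computer object that owns the address.
    $byMail = "(&(|(mail=$m)(proxyAddresses=smtp:$m))(|(objectCategory=computer)(objectCategory=person)))"
    # Step 24.3: group, dynamic DL, or cross-forest contact that owns the address.
    $byGroup = "(&(|(mail=$m)(proxyAddresses=smtp:$m))(|(objectCategory=group)(objectCategory=msExchDynamicDistributionList)(&(objectCategory=contact)(msExchOriginatingForest=*))))"
    return [ordered]@{ 'Step 18.1 identity by SID' = $bySid; 'Step 24.2 principal by e-mail' = $byMail; 'Step 24.3 group/contact by e-mail' = $byGroup }
}

function Test-AdRmsPrincipalResolution {
    param([string]$Sid, [string]$Mail, [string]$SearchRoot)
    $filters = Get-AdRmsLookupFilters -Sid $Sid -Mail $Mail
    foreach ($entry in $filters.GetEnumerator()) {
        $results = Invoke-AdRmsDirectorySearch -Filter $entry.Value -SearchRoot $SearchRoot
        Write-Host "`n== $($entry.Key) against $SearchRoot ==`n   $($entry.Value)"
        if ($results.Count -eq 0) { Write-Host '   (no match)'; continue }
        foreach ($r in $results) {
            $p = $r.Properties   # property names come back lower-cased
            [pscustomobject]@{
                DN          = @($p['distinguishedname'])[0]
                Mail        = @($p['mail'])[0]
                SmtpProxies = (@($p['proxyaddresses']) | Where-Object { $_ -like 'smtp:*' }) -join ';'
                UPN         = @($p['userprincipalname'])[0]
                OrigForest  = @($p['msexchoriginatingforest'])[0]
            }
        }
    }
}

# Step 18 runs against a DC in the server's own domain; step 24 runs against the global catalog.
$rootDse    = [ADSI]'LDAP://RootDSE'
$domainRoot = "LDAP://$($rootDse.defaultNamingContext)"
$gcRoot     = "GC://$($rootDse.rootDomainNamingContext)"

# Constructed sample consumer. A principal with neither a mail value nor an smtp: proxy
# address matches 18.1 by SID but yields no address for the RAC, and matches nothing in 24.x.
$sampleSid  = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$sampleMail = 'UserB@fabrikam.local'
Test-AdRmsPrincipalResolution -Sid $sampleSid -Mail $sampleMail -SearchRoot $domainRoot
Test-AdRmsPrincipalResolution -Sid $sampleSid -Mail $sampleMail -SearchRoot $gcRoot
```

Run it in the consumer's forest (fabrikam.local) to mirror step 18 and in the author's forest (contoso.local) to mirror step 24; a consumer that resolves in the first but not the second is exactly the case where contoso.local must fall back to group expansion through a contact carrying msExchOriginatingForest, and an empty 24.3 result there explains the "not a valid group" message the post notes in the debug log.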
