Unlocking the black box that is AD RMS Part 4

From this point forward, we will be using an AD RMS client that has already activated and obtained a rights account certificate (RAC).

Scenario: This scenario will involve protecting a document and assigning Read rights to Group1, a distribution group in fabrikam.local that contains UserC. We will also create a contact object in contoso.local representing Group1. We will populate the mail attribute of this contact with Group1@fabrikam.local and the msExchOriginatingForest attribute with the value fabrikam.local. The msExchOriginatingForest attribute is an indicator to the AD RMS service that the contact object represents a group in another forest and that the AD RMS service needs to contact the AD RMS cluster in that forest to start group expansion.
Author: UserA@contoso.local
Consumer: UserC@fabrikam.local
Captures: Scenario 3 Captures
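The contact object described above is the only piece of this scenario that an administrator has to create by hand, so here is an added example of how to do it and read it back (this is my own PowerShell, not something from the original captures). It assumes the ActiveDirectory module, the Exchange schema extensions (msExchOriginatingForest) in contoso.local, and an OU name that you will want to change:

```powershell
# Added example: create the contoso.local contact that stands in for
# Group1@fabrikam.local, then read it back with the same kind of filter the
# AD RMS server uses when it resolves a group address from a publishing license.
# Assumptions: ActiveDirectory module present, run as a contoso.local account that
# can create objects in $targetOU, and the Exchange schema is in this forest.
Import-Module ActiveDirectory

$targetOU     = 'OU=RMS Contacts,DC=contoso,DC=local'   # assumed OU, adjust to taste
$groupMail    = 'Group1@fabrikam.local'
$remoteForest = 'fabrikam.local'

# mail/proxyAddresses let the server match the address in the license;
# msExchOriginatingForest tells it this is a group living in another forest
# whose AD RMS cluster has to do the group expansion.
New-ADObject -Name 'Group1 (fabrikam.local)' -Type contact -Path $targetOU `
    -OtherAttributes @{
        mail                    = $groupMail
        proxyAddresses          = "SMTP:$groupMail"
        msExchOriginatingForest = $remoteForest
    }

# Netmon renders the server's "(msExchOriginatingForest Present)" test; in raw
# LDAP that is (msExchOriginatingForest=*). Query the GC port (3268) so the
# search covers the whole forest the way the AD RMS server's lookup does.
$filter = "(&(|(mail=$groupMail)(proxyAddresses=smtp:$groupMail))" +
          "(|(objectCategory=group)(objectCategory=msExchDynamicDistributionList)" +
          "(&(objectCategory=contact)(msExchOriginatingForest=*))))"

$result = Get-ADObject -Server 'dc01.contoso.local:3268' -LDAPFilter $filter `
    -Properties mail, proxyAddresses, msExchOriginatingForest, objectSid   # assumed GC host name

if (-not $result) {
    throw "No group or contact in contoso.local matches $groupMail; AD RMS will not expand it."
}
if (-not $result.msExchOriginatingForest) {
    throw "$($result.DistinguishedName) has no msExchOriginatingForest; AD RMS will treat it as a local object."
}
$result | Format-List DistinguishedName, mail, proxyAddresses, msExchOriginatingForest
```

If the second check fires, the contoso.local cluster will never reach out to fabrikam.local for expansion, which is exactly the failure you would otherwise only spot in a capture.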

Let’s begin…

  1. Client searches the registry to see if a service connection point (SCP) has been hardcoded. It checks the following keys:
    • HKLM\Software\Microsoft\MSDRM\ServiceLocation\Activation – This is the hardcoded location for client activation.
    • HKLM\Software\Microsoft\MSDRM\ServiceLocation\EnterprisePublishing – This is the hardcoded location to obtain a CLC.
    • HKCU\Software\Microsoft\Office\14.0\Common\DRM\ServiceLocation – This is where previously discovered service locations are stored for Office 2010.
    • HKCU\Software\Microsoft\Office\15.0\Common\DRM\ServiceLocation – This is where previously discovered service locations are stored for Office 2013.
  2. Client contacts the contoso.local AD RMS cluster via the licensing pipeline URL stored in the protected document (https://adrms.contoso.local/_wmcs/licensing) and requests an EUL. The client is redirected to license.asmx and acquisition of the EUL begins.
  3. AD RMS Server in contoso.local makes the following queries to the global catalog in contoso.local:
    1. Check contoso.local to see if a user object has both the author’s email address (UserA@contoso.local) and the consumer’s email address (UserC@fabrikam.local).
      • Filter: (& (| (mail=UserC@fabrikam.local)(proxyAddresses=smtp:UserC@fabrikam.local))(|(objectcategory=computer)(objectcategory=person)))
        Attributes: ( mail )( objectSid )( sIDHistory )( proxyAddresses )( memberOf )( primaryGroupId )( distinguishedName )( uSNChanged )( msExchOriginatingForest )( msExchDynamicDLBaseDN )( msExchDynamicDLFilter )( userPrincipalName )( sAMAccountName )
    2. Check contoso.local to see if a distribution list or a contact object with msExchOriginatingForest populated exists in contoso.local that matches UserC’s SID and has the group1@fabrikam.local email address. I’m not sure how this query would ever ring true, because the SID it is querying with is the SID it retrieved from the authenticated user. Maybe for sIDHistory?
      • Filter: (& (| (objectSID=)(sIDHistory=)) (| (objectCategory=group)(objectCategory=msExchDynamicDistributionList)(&(objectCategory=contact)(msExchOriginatingForest Present))))
        Attributes: ( mail )( objectSid )( sIDHistory )( proxyAddresses )( memberOf )( primaryGroupId )( distinguishedName )( uSNChanged )( msExchOriginatingForest )( msExchDynamicDLBaseDN )( msExchDynamicDLFilter )( userPrincipalName )( sAMAccountName )
    3. Check contoso.local to see if a user object exists with both UserC@fabrikam.local and Group1@fabrikam.local as an email address. This is checking to see whether a user object has both consumer’s email address and the distribution group email address.
      • Filter: (& (| (mail=UserC@fabrikam.local)(proxyAddresses=smtp:UserC@fabrikam.local))(|(objectcategory=computer)(objectcategory=person)))
        Attributes: ( mail )( objectSid )( sIDHistory )( proxyAddresses )( memberOf )( primaryGroupId )( distinguishedName )( uSNChanged )( msExchOriginatingForest )( msExchDynamicDLBaseDN )( msExchDynamicDLFilter )( userPrincipalName )( sAMAccountName )
    4. Check contoso.local to see whether or not Group1@fabrikam.local is a valid group. This query comes back successful, since Group1@fabrikam.local is a valid contact object with msExchOriginatingForest populated.
      • Filter: (& (| (mail=group1@fabrikam.local)(proxyAddresses=smtp:group1@fabrikam.local))(|(objectCategory=group)(objectCategory=msExchDynamicDistributionList)(&(objectCategory=contact)(msExchOriginatingForest Present))))
        Attributes: ( mail )( objectSid )( sIDHistory )( proxyAddresses )( memberOf )( primaryGroupId )( distinguishedName )( uSNChanged )( msExchOriginatingForest )( msExchDynamicDLBaseDN )( msExchDynamicDLFilter )( userPrincipalName )( sAMAccountName )
    5. Check contoso.local for consumer’s SID to see whether or not the consumer is a valid user in the contoso.local forest.
      • Filter: ( & ( | (objectSid=S-1-5-21-2502964694-2714205513-579894926-1109) (sIDHistory=S-1-5-21-2502964694-2714205513-579894926-1109) ) ( | (objectCategory=Computer) (objectCategory=Person) ) )
        Attributes: mail,objectSid,sIDHistory,proxyAddresses,memberOf,primaryGroupID,distinguishedName,uSNChanged,msExchOriginatingForest,msExchDynamicDLBaseDN, msExchDynamicDLFilter,userPrincipalName,sAMAccountName
  4. AD RMS Server in contoso.local reads the msExchOriginatingForest value (fabrikam.local) from the Group1 contact object and queries the global catalog in fabrikam.local for the AD RMS SCP.
  5. Domain controller in fabrikam.local responds with AD RMS SCP.
  6. AD RMS Server in contoso.local contacts the certification pipeline of the fabrikam.local AD RMS cluster (https://adrms.fabrikam.local/certification/ Server.asmx) and requests the service location for group expansion.
  7. AD RMS Server in fabrikam.local responds with group expansion service URL (https://adrms.fabrikam.local/groupexpansion/groupexpansion.asmx).
  8. AD RMS Server in contoso.local contacts the group expansion pipeline in fabrikam.local and requests group expansion for Group1@fabrikam.local.
  9. AD RMS Server in fabrikam.local queries global catalog in fabrikam.local with the following queries:
    1. Query to find the SID of group1@fabrikam.local. This is done to gather the SID, which will then be used when checking group membership of the consumer.
      • Filter: (& (| (mail=group1@fabrikam.local)(proxyAddresses=smtp:group1@fabrikam.local))(|(objectCategory=group)(objectCategory=msExchDynamicDistributionList)(&(objectCategory=contact)(msExchOriginatingForest Present))))
        Attributes: ( mail )( objectSid )( sIDHistory )( proxyAddresses )( memberOf )( primaryGroupId )( distinguishedName )( uSNChanged )( msExchOriginatingForest )( msExchDynamicDLBaseDN )( msExchDynamicDLFilter )( userPrincipalName )( sAMAccountName )
    2. Query to find the consumer’s user account (UserC@fabrikam.local) and then check to see if the distribution group (Group1@fabrikam.local) found above appears in the memberOf attribute of the user.
      • Filter: (& (| (mail=UserC@fabrikam.local)(proxyAddresses=smtp:UserC@fabrikam.local))(|(objectCategory=group)(objectCategory=msExchDynamicDistributionList)(&(objectCategory=contact)(msExchOriginatingForest Present))))
        Attributes: ( mail )( objectSid )( sIDHistory )( proxyAddresses )( memberOf )( primaryGroupId )( distinguishedName )( uSNChanged )( msExchOriginatingForest )( msExchDynamicDLBaseDN )( msExchDynamicDLFilter )( userPrincipalName )( sAMAccountName )
    3. Query to discover the consumer’s (UserC@fabrikam.local) primary group. Again, I’m not sure why this is done. (The objectSid in the filter ends in RID 513, the well-known Domain Users RID; a user’s primary group is recorded in primaryGroupID and does not show up in memberOf, so it has to be resolved separately.)
      • Filter: ( & (objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=fabrikam,DC=local) (objectSid=S-1-5-21-2502964694-2714205513-579894926-513) )
        Attributes: distinguishedName
  10. AD RMS Server in fabrikam.local returns a message to the AD RMS Server in contoso.local that the consumer (UserC@fabrikam.local) is a valid member of the distribution group (group1@fabrikam.local).
  11. AD RMS Server in contoso.local then performs the following queries against the global catalog in contoso.local:
    1. Check to see if contoso.local has a distribution group or a contact object with msExchOriginatingForest populated whose SID matches the consumer’s SID (UserC@fabrikam.local) and that has the author’s email address (UserA@contoso.local).
      • Filter: (& (| (objectSID=)(sIDHistory=)) (| (objectCategory=group)(objectCategory=msExchDynamicDistributionList)(&(objectCategory=contact)(msExchOriginatingForest Present))))
        Attributes: ( mail )( objectSid )( sIDHistory )( proxyAddresses )( memberOf )( primaryGroupId )( distinguishedName )( uSNChanged )( msExchOriginatingForest )( msExchDynamicDLBaseDN )( msExchDynamicDLFilter )( userPrincipalName )( sAMAccountName )
    2. Check to see if contoso.local has a user object that has both the consumer email address (UserC@fabrikam.local) and author’s email address (UserA@contoso.local).
      • Filter: (& (| (mail=UserC@fabrikam.local)(proxyAddresses=smtp:UserC@fabrikam.local))(|(objectcategory=computer)(objectcategory=person)))
        Attributes: ( mail )( objectSid )( sIDHistory )( proxyAddresses )( memberOf )( primaryGroupId )( distinguishedName )( uSNChanged )( msExchOriginatingForest )( msExchDynamicDLBaseDN )( msExchDynamicDLFilter )( userPrincipalName )( sAMAccountName )
    3. Check to see if the object associated with the author’s email address (UserA@contoso.local) is a group or a contact object with msExchOriginatingForest populated.
      • Filter: (& (| (mail=UserA@contoso.local)(proxyAddresses=smtp:UserA@contoso.local))(|(objectCategory=group)(objectCategory=msExchDynamicDistributionList)(&(objectCategory=contact)(msExchOriginatingForest Present))))
        Attributes: ( mail )( objectSid )( sIDHistory )( proxyAddresses )( memberOf )( primaryGroupId )( distinguishedName )( uSNChanged )( msExchOriginatingForest )( msExchDynamicDLBaseDN )( msExchDynamicDLFilter )( userPrincipalName )( sAMAccountName )
    4. Run the same check as above to see if the object associated with the author’s email address (UserA@contoso.local) is a group or a contact object with msExchOriginatingForest populated. I’m not sure why this is done twice.
      • Filter: (& (| (mail=UserA@contoso.local)(proxyAddresses=smtp:UserA@contoso.local))(|(objectCategory=group)(objectCategory=msExchDynamicDistributionList)(&(objectCategory=contact)(msExchOriginatingForest Present))))
        Attributes: ( mail )( objectSid )( sIDHistory )( proxyAddresses )( memberOf )( primaryGroupId )( distinguishedName )( uSNChanged )( msExchOriginatingForest )( msExchDynamicDLBaseDN )( msExchDynamicDLFilter )( userPrincipalName )( sAMAccountName )
  12. AD RMS Server in contoso.local issues the EUL and sends it back to the client in fabrikam.local.
  13. Client receives the EUL and saves it to C:\Users\UserName\AppData\Local\Microsoft\DRM for Office 2010 and C:\Users\UserName\AppData\Local\Microsoft\MISPC for Office 2013.
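When a cross-forest EUL request fails, it is quicker to replay the directory lookups from steps 3.4 and 9.1–9.3 yourself than to dig through captures. Here is an added example that does that in PowerShell (my own troubleshooting script, not part of the original captures). It assumes the ActiveDirectory module, that the account running it can read both global catalogs (a forest trust or an explicit -Credential), and example GC host names that you will need to replace:

```powershell
# Added example: replay the AD RMS directory lookups for the cross-forest
# group expansion scenario and report where an EUL request would fail.
# Assumptions: ActiveDirectory module; both GCs reachable and readable from
# this account; dc01.contoso.local / dc01.fabrikam.local are placeholder names.
Import-Module ActiveDirectory

$consumerMail = 'UserC@fabrikam.local'
$groupMail    = 'Group1@fabrikam.local'
$contosoGC    = 'dc01.contoso.local:3268'      # assumed; port 3268 = global catalog
$fabrikamGC   = 'dc01.fabrikam.local:3268'
$props        = 'mail','proxyAddresses','objectSid','sIDHistory','memberOf',
                'primaryGroupID','msExchOriginatingForest','distinguishedName'

function Find-RmsPrincipal {
    # Same filter shape the AD RMS server sends: match the address against mail or
    # proxyAddresses, then restrict to the object classes it accepts. "-Groups"
    # selects the group/DDL/contact-with-originating-forest branch; otherwise the
    # user/computer branch. (msExchOriginatingForest=*) is the raw LDAP form of the
    # "(msExchOriginatingForest Present)" that Netmon shows in the captures.
    param([string]$Server, [string]$Mail, [switch]$Groups)
    $classes = if ($Groups) {
        '(|(objectCategory=group)(objectCategory=msExchDynamicDistributionList)' +
        '(&(objectCategory=contact)(msExchOriginatingForest=*)))'
    } else {
        '(|(objectCategory=computer)(objectCategory=person))'
    }
    $filter = "(&(|(mail=$Mail)(proxyAddresses=smtp:$Mail))$classes)"
    Get-ADObject -Server $Server -LDAPFilter $filter -Properties $props
}

# Step 3.4: contoso.local must know Group1 as a group/contact with an originating forest,
# otherwise the contoso.local cluster never calls the fabrikam.local cluster.
$contact = Find-RmsPrincipal -Server $contosoGC -Mail $groupMail -Groups
if (-not $contact) { throw "contoso.local has no group/contact for $groupMail" }
if (-not $contact.msExchOriginatingForest) {
    throw "$($contact.DistinguishedName) has no msExchOriginatingForest; no remote group expansion"
}
"contoso.local will delegate expansion of $groupMail to: $($contact.msExchOriginatingForest)"

# Steps 9.1 and 9.2: what the fabrikam.local AD RMS server resolves.
$remoteGroup = Find-RmsPrincipal -Server $fabrikamGC -Mail $groupMail -Groups
$user        = Find-RmsPrincipal -Server $fabrikamGC -Mail $consumerMail
if (-not $remoteGroup) { throw "$groupMail was not found in fabrikam.local" }
if (-not $user)        { throw "$consumerMail was not found in fabrikam.local" }

# Step 9.3: direct membership shows up in memberOf, the primary group does not,
# so derive its SID from the user's domain SID plus primaryGroupID (513 = Domain Users).
$domainSid  = $user.objectSid.Value -replace '-\d+$'
$primarySid = "$domainSid-$($user.primaryGroupID)"
$primaryGrp = Get-ADObject -Server $fabrikamGC -LDAPFilter "(objectSid=$primarySid)" `
                  -Properties distinguishedName

# The captured flow only checks direct membership; nested groups are not followed here.
$isMember = ($user.memberOf -contains $remoteGroup.DistinguishedName) -or
            ($primaryGrp.DistinguishedName -eq $remoteGroup.DistinguishedName)

if ($isMember) { "$consumerMail is a member of $groupMail; fabrikam.local would answer yes and an EUL would be issued" }
else           { "$consumerMail is NOT a direct member of $groupMail; the EUL request would be denied" }
```

Each throw corresponds to one place the real exchange stops: a missing or un-tagged contact in contoso.local (step 3.4), an unknown group or user in fabrikam.local (steps 9.1–9.2), or a user who simply is not in the group (steps 9.3–10).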
