Today I’m back with more Azure Information Protection (AIP) goodness. Over the past five posts I’ve covered the use cases, concepts and migration paths. Today I’m going to get really nerdy and take a look behind the curtains at how the MSIPC client shipped with Office 2016 interacts with AIP . I’ll be examining the MSIPC client log and reviewing procmon and Fiddler captures. If the thought of examining log files and SOAP calls excites you, this is a post for you. Make sure to take a read through my previous posts to ensure you understand my lab infrastructure and configuration as well as key AIP concepts.
Baselining the Client
Like any good engineer, I wanted to baseline my machine to ensure the MSIPC client was functioning correctly. Recall that my clients are migrating from an on-premises AD RMS implementation to AIP. I haven’t completed my removal of AD RMS so the service connection point for on-premises AD RMS is still there and the migration scripts Microsoft provides are still in use. Let’s take a look at the registry entries that are set via the Migrate-Client and Migrate-User script. In my last post I covered the purpose of the two scripts. For the purposes of this post, I’m going to keep it brief and only cover registry entries applicable to the MSIPC client shipped with Office 2016.
- Condition: Runs each computer startup only if it detects it has not run before or the version variable in the script has been changed.
- Registry Entries Modified:
- Deletes HKLM\Software\Microsoft\MSIPC\ServiceLocation keys
- Deletes HKLM\Software\Wow6432Node\Microsoft\MSIPC\ServiceLocation key
- Deletes HKLM\Software\Microsoft\MSIPC\ServiceLocation\LicensingRedirection key
- Deletes HKLM\Software\Wow6432Node\Microsoft\MSIPC\ServiceLocation\LicensingRedirection key
- Add Default value to HKLM\Software\Microsoft\MSIPC\ServiceLocation\EnterpriseCertification key with data value pointing to AIP endpoint for tenant
- Add Default value to HKLM\Software\Wow6432Node\Microsoft\MSIPC\ServiceLocation\EnterpriseCertification key with data value pointing to AIP endpoint for tenant
- Add a value for the FQDN and single label URLs to on-premises AD RMS licensing pipeline to HKLM\Software\Microsoft\MSIPC\ServiceLocation\LicensingRedirection key with data values pointing to AIP endpoints for tenant
- Add a value for the FQDN and single label URLs to on-premises AD RMS licensing pipeline to HKLM\Software\Wow6432NodeMicrosoft\MSIPC\ServiceLocation\LicensingRedirection key with data values pointing to AIP endpoints for tenant
- Condition: Runs each user logon only if it detects it has not run before or the version variable in the script has been changed.
- Registry Entries Modified:
- Deletes HKCU\Software\Microsoft\Office\16.0\Common\DRM key
- Deletes HKCU\Software\Classes\Local Settings\Software\Microsoft\MSIPC key
- Deletes HKCU\Software\Classes\Microsoft.IPViewerChildMenu\shell key
- Add DefaultServerUrl value to HKCU\Software\Microsoft\Office\16.0\Common\DRM key and set its data value to the AIP endpoint for the tenant
- Files Modified:
- Deletes the contents of the %localappdata%\Microsoft\MSIPC folder
A quick review of my client settings validates that all the necessary registry entries are in place and I have no issues consuming and created protected content.
Resetting the Client
If you have administered AD RMS in the past, you will be very familiar with how to re-bootstrap an RMS client. Microsoft has made that entire process easier by incorporating a “reset” function into the AIP client. The function can be accessed in Microsoft Office by hitting the drop down arrow for the AIP icon on the toolbar and selecting the Help and Feedback option.
After clicking the Help and Feedback option, a new window pops up where you can select the Reset Settings option to which performs a series of changes to the registry, deletions of RMS licenses, and AIP metadata. Lastly, I log out of the machine.
Bootstrapping the Client with Azure Information Protection
After logging back in I start up Fiddler, open Microsoft Word, and attempt to open a file that was protected with my AD RMS cluster. The file opens successfully.
One thing to note is if you’re using Windows 10 and Microsoft Edge like I was, you’ll need to take the extra steps outlined here to successfully capture due to the AppContainer Isolation feature added back in Windows 8. If you do not take those extra steps, you’ll get really odd behavior. Microsoft Edge will fail any calls to intranet endpoints (such as AD FS in my case) by saying it can’t contact the proxy. Trying with Internet Explorer will simply cause Fiddler to fail to make the calls and to throw a DNS error. Suffice to say, I spent about 20 minutes troubleshooting the issue before I remembered Fiddler’s dialog box that pops up every new install about AppContainer and Microsoft Edge.
The first thing we’re going to look at is the MSIPC log files which keep track of the client activity. I have to give an applause to whichever engineer over at Microsoft thought it would be helpful to include such a detailed log. If you’ve administered on-premises AD RMS in the past on previous versions of Microsoft Office, you’ll know the joys (pain?) of client side tracing with DebugView.
When we pop open the log we get some great detail as to the client behavior. We can see the client read a number of registry entries. The first thing we see is the client discover that is not initialized so it calls an API to bootstrap the user. Notice in the below that it has identified my user and it’s mentioning OAuth as a method for authentication to the endpoint.
Following this we have a few more registry queries to discover the version of the operating system. We then have our first HTTP session opened by the client. I’m pretty sure this session is the initial user authentication to Azure AD in order to obtain a bearer access token for the user to call further APIs
Bouncing over to Fiddler we can check out the authentication process. We can see the machine reach out to Azure AD (login.windows.net), perform home realm discovery which Azure AD determines that geekintheweeds.com is configured for federated authentication. The client makes the connection to the AD FS server where the user is seamlessly authenticated via Kerberos. The windowstransport endpoint is called which supports the WS-Trust 1.3 active profile. In an WS-Trust active flow, the client initiates the request (hence it’s active) vs the passive flow where the service provider initiates the flow. This is how Office applications support modern (aka federated) authentication.
After the assertion is obtained, it’s posted to the /common/oauth2/token endpoint at login.windows.net. The assertion is posted within a request for an access token, refresh token, and id token request using the saml1_1-bearer token grant type for the Azure RMS endpoint.
The machine is returned an access token, refresh token, and id token. We can see the token returned is a bearer token allowing client to impersonate my user moving forward.
Dumping the access token into the Fiddler TextWizard and decoding the Base64 gives us the details of the token. Within the token we can see an arm (authenticated method reference) of wia indicating the user authenticated using Windows authentication. A variety of information about the user is included in the token including UPN, first name, and last name.
I’m fairly certain the tokens are cached to a flat file based upon some of the data I did via procmon while the bootstrap process initiated. You can see the calls to create the file and write to it below.
After the tokens are obtained and cached we see from the log file that the MSIPC client then discovers it doesn’t have machine certificates. It goes through the process of creating the machine certificates.
We now see the MISPC client attempts to query for the SRV record Microsoft introduced with Office 2016 to help with migrations from AD RMS. The client then attempts discovery of service by querying the RMS-specific registry keys in the HKLM hive and comes across the information we hardcoded into the machine via the migration scripts. It uses this information to make a request to the non-authenticated endpoint of https://<tenant_specific>/_wmcs/certification/server.asmx.
Bouncing back to Fiddler and continuing the conversation we can see a few different connections are created. We see one to api.informationprotection.azure.com, another to mobile.pipe.aria.microsoft.com, and yet another to the AIP endpoint for my tenant.
I expected the conversation between api.informationprotection.azure.com and the AIP endpoint for my tenant. The connection to mobile.pipe.aria.microsoft.com interested me. I’m not sure if it was randomly captured or if it was part of the consumption of protected content. I found a few Reddit posts where people were theorizing it has something to do with how Microsoft consumes telemetry from Microsoft Office. As you could probably guess, this piqued my interest to know what exactly Microsoft was collecting.
We can see from the Fiddler captures that an application on the client machine is posting data to https://mobile.pipe.aria.microsoft.com/Collector/3.0/. Examination of the request header shows the user agent as AriaSDK Client and the sdk-version of ACT-Windows Desktop. This looks to be the method in which the telemetry agent for Office collects its information.
If we decode the data within Fiddler and dump both sets of data to Notepad we get some insight into what’s being pulled. Most of the data is pretty generic in that there is information about the version of Word I’m using, the operating system version, information that my machine is a virtual machine, and some activity IDs which must relate to something MS holds on their end. The only data point I found interesting was that my tenant ID is included in it. Given tenant id isn’t exactly a secret, it’s still interesting it’s being collected. It must be fascinating to see this telemetry at scale. Interesting stuff either way.
Continuing the conversation, let’s examine the chatter with my tenant’s AIP endpoint since the discovery was requested by the MSIPC client. We see a SOAP request of GetServerInfo posted to https://<tenant_specific>/_wmcs/certification/server.asmx. The response we receive from the endpoint has all the information our RMS client will need to process the request. My deep dive into AD RMS was before I got my feet with Fiddler so I’ve never examined the conversations with the SOAP endpoints within AD RMS. Future blog post maybe? Either way, I’ve highlighted the interesting informational points below. We can see that the service is identifying itself as RMS Online, has a set of features that cater to modern authentication, runs in Cryptomode 2, and supports a variety of authentication methods. I’m unfamiliar with the authentication types beyond X509 and OAuth 2. Maybe carry overs from on-prem? Something to explore in the future. The data boxed in red are all the key endpoints the RMS client needs to know to interact with the service moving forward. Take note the request at this endpoint doesn’t require any authentication. That comes in later requests.
After the response is received the MSIPC writes a whole bunch of registry entries to the HKCU hive for the user to cache all the AIP endpoint information it discovered. It then performs a service discovery against the authenticated endpoint using its bearer token it cached to the tokencache file.
Once the information is written to the registry, the client initiates a method called GetCertAndLicURLsWithNewSD. It uses the information it discovered previously to query the protected endpoint https://<tenant_specific>/_wmcs/oauth2/servicediscovery/servicediscovery.asmx. Initially it receives a 401 unauthorized back with instructions to authenticate uses a bearer token.
The client tries again this time providing the bearer token it obtained earlier and placed in the tokencache file. The SOAP action of ServiceDiscoveryForUser is performed and the client requests the specific endpoints for certification, licensing, and the new tracking portal feature of AIP.
The SOAP response contains the relevant service endpoints and user for which the query applied to.
The MSIPC client then makes a call to /_wmcs/oauth2/certification/server.asmx with a SOAP request of GetLicensorCertificate. I won’t break that one down response but it returns the SLC certificate chain in XrML format. For my tenant this included both the new SLC I generated when I migrated to AIP as well as the SLC from my on-premises AD RMS cluster that I uploaded.
The MISPC log now shows a method called GetNewRACandCLC being called which is used to obtain a RAC and CLC. This is done by making a call to the certification pipeline.
The call to /_wmcs/oauth2/certification/certification.asmx does exactly as you would expect and calls the SOAP request of Certify. This included my user’s RAC, and both SLCs and certificates in that chain. The one interesting piece in the response was a Quota tag as seen below. I received back five certificates, so maybe there is a maximum that can be returned? If you have more than 4 on-premises AD RMS clusters you’re consolidating to AIP, you might be in trouble. 🙂
The MISPC log captures the successful certification and logs information about the RAC.
Next up the client attempts to obtain a CLC by calling continuing with the GetNewRACandCLC method. It first calls the /_wmcs/licensing/server.asmx pipeline and makes a GetServerInfo SOAP request which returns the same information we saw in the last request to server.asmx. This request isn’t authenticated and the information returned is written to the HKCU hive for the user.
The service successfully returns the users CLC. The last step in the process is the MSIPC service requests the RMS templates associated with the user. You can see the template that is associated custom AIP classification label I created.
Last but not least, the certificates are written to the %LOCALAPPDATA%\Microsoft\MSIPC directory.
Very cool stuff right? I find it interesting in that the MSIPC client performs pretty much the same way it performs with on-premises exempting some of the additional capabilities introduced such as the search for the SRV DNS records and the ability to leverage modern authentication via the bearer token. The improved log is a welcome addition and again, stellar job to whatever engineer at Microsoft thought it would be helpful to include all the detail that is included in that log.
If you’ve used AD RMS or plan to use AIP and haven’t peeked behind the curtains I highly recommend it. Seeing how all the pieces fit together and how a relatively simple web service and a creative use of certificates can provide such a robust and powerful security capability will make your appreciate the service AD RMS tried to be and how far ahead of its time it was.
I know I didn’t cover the calls to the AIP-classification specific web calls, but I’ll explore that in my next entry. Hopefully you enjoyed nerding out on this post as much as I did. Have a great week and see you next post!