The Evolution of AD RMS to Azure Information Protection – Part 7 – Deep Dive into cross Azure AD tenant consumption

Posted on May 9, 2018 by mattfeltonma

Each time I think I’ve covered what I want to for Azure Information Protection (AIP), I think of another fun topic to explore. In this post I’m going to look at how AIP can be used to share information with users that exist outside your tenant. We’ll be looking at the scenario where an organization has a requirement to share protected content with another organization that has an Office 365 tenant.

Due to my requirements to test access from a second tenant, I’m going to supplement the lab I’ve been using. I’m adding to the mix my second Azure AD tenant at journeyofthegeek.com. Specific configuration items to note are as follows:

The tenant’s custom domain of journeyofthegeek.com is an Azure AD (AAD)-managed domain.
I’ve created two users for testing. The first is named Homer Simpson (homer.simpson@journeyofthegeek.com) and the second is Bart Simpson (bart.simpson@journeyofthegeek.com).
Each user have been licensed with Office 365 E3 and Enterprise Mobility + Security E5 licenses.
Three mail-enabled security groups have been created. The groups are named The Simpsons (thesimpsons@journeyofthegeek.com), JOG Accounting (jogaccounting@journeyofthegeek.com), and JOG IT (jogit@journeyofthegeek.com).
Homer Simpson is a member of The Simpsons and JOG Accounting while Bart Simpson is a member of The Simpsons and JOG IT.
Two additional AIP policies have been created in addition to the Global policy. One policy is named JOG IT and one is named JOG Accounting.
The Global AIP policy has an additional label created named PII that enforces protection. The label is configured to detect at least one occurrence of a US social security number. The document is protection policy allows only members of the The Simpsons group to the role of viewer.
The JOG Accounting and JOG IT AIP policies have both been configured with an additional label of either JOG Accounting or JOG IT. A sublabel for each label has also been created which enforces protection and restricts members of the relevant departmental group to the role of viewer.
I’ve repurposed the GIWCLIENT2 machine and have created two local users named Bart Simpson and Homer Simpson.

Once I had my tenant configuration up and running, I initialized Homer Simpson on GIWCLIENT2. I already had the AIP Client installed on the machine, so upon first opening Microsoft Word, the same bootstrapping process I described in my previous post occurred for the MSIPC client and the AIP client. Notice that the document has had the Confidential \ All Employees label applied to the document automatically as was configured in the Global AIP policy. Notice also the Custom Permissions option which is presented to the user because I’ve enabled the appropriate setting in the relevant AIP policies.

I’ll be restricting access to the document by allowing users in the geekintheweeds.com organization to hold the Viewer role. The geekintheweeds.com domain is associated with my other Azure AD tenant that I have been using for the lab for this series of posts. First thing I do is change the classification label from Confidential \ All Employees to General. That label is a default label provided by Microsoft which has an RMS Template applied that restricts viewers to users within the tenant.

One interesting finding I discovered through my testing is that the user can go through the process of protecting with custom permissions using a label that has a pre-configured template and the AIP client won’t throw any errors, but the custom permissions won’t be applied. This makes perfect sense from a security perspective, but it would be nice to inform the user with an error or warning. I can see this creating unnecessary help desk calls with how it’s configured now.

When I attempt to change my classification label to General, I receive a prompt requiring me to justify the drop in classification. This is yet another setting I’ve configured in my Global AIP policy. This seems to be a standard feature in most data classification solutions from what I’ve observed in another major vendor.

After successfully classifying the document with the General label protection is removed from the document. At this point I can apply my custom permissions as seen below.

I repeated the process for another protected doc named jog_protected_for_Ash_Williams.docx with permissions restricted to ash.williams@geekintheweeds.com. I packaged both files into an email and sent them to Ash Williams who is a user in the Geek In The Weeds tenant. Keep in mind the users in the Geek In The Weeds tenant are synchronized from a Windows Active Directory domain and use federated authentication.

After opening Outlook the message email from Homer Simpson arrives in Ash William’s inbox. At this point I copied the files to my desktop, closed Outlook, opened Microsoft Word and used the “Reset Settings” options of the AIP client, and signed out of my Office profile.

At this point I started Fiddler and opened one of the Microsoft Word document. Microsoft Word pops-up a login prompt where I type in my username of ash.williams@geekintheweeds.com and I’m authenticated to Office 365 through the standard federated authentication flow. The document then pops open.

Examining the Fiddler capture we see a lot of chatter. Let’s take a look at this in chunks, first addressing the initial calls to the AIP endpoint.

If you have previous experience with the MSIPC client in the AD RMS world you’ll recall that it makes its calls in the following order:

Searches HKLM registry hive
Searches HKCU registry hive
Web request to the RMS licensing pipeline for the RMS endpoint listed in the metadata attached to the protected document

In my previous deep dives into AD RMS we observed this behavior in action. In the AIP world, it looks like the MSIPC client performs similarly. The endpoint we see it first contacting is the Journey of the Geek which starts with 196d8e.

The client first sends an unauthenticated HTTP GET to the Server endpoint in the licensing pipeline. The response the server gives is a list of available SOAP functions which include GetLicensorCertificate and GetServerInfo as seen below.

The client follows up the actions below:

Now that the client knows the endpoint supports the GetServerInfo SOAP function, it sends an unauthenticated HTTP POST which includes the SOAP action of GetServerInfo. The AIP endpoint returns a response which includes the capabilities of the AIP service and the relevant endpoints for certification and the like.
It uses that information received from the previous request to send an unauthenticated HTTP POST which includes the SOAP action of ServiceDiscoveryForUser. The service returns a 401.

At this point the client needs to obtain a bearer access token to proceed. This process is actually pretty interesting and warrants a closer look.

Let’s step through the conversation:

We first see a connection opened to odc.officeapps.live.com and an unauthenticated HTTP GET to the /odc/emailhrd/getfederationprovider URI with query strings of geekintheweeds.com. This is a home realm discovery process trying to the provider for the user’s email domain.
My guess is this is MSAL In action and is allowing support for multiple IdPs like Azure AD, Microsoft Live, Google, and the like. I’ll be testing this theory in a later post where I test consumption by a Google user.

The server responds with a number of headers containing information about the token endpoints for Azure AD (since this is domain associated with an Azure AD tenant.)
A connection is then opened to odc.officeapps.live.com and an unauthenticated HTTP GET to the /odc/emailhrd/getidp with the email address for my user ash.williams@geekintheweeds.com. The response is interesting in that I would have thought it would return the user’s tenant ID. Instead it returns a JSON response of OrgId.

Since I’m a nosey geek, I decided to unlock the session for editing. First I put in the email address associated with a Microsoft Live. Instead of OrgId it returned MSA which indicates it detects it as being a Microsoft Live account. I then plugged in a @gmail.com account to see if I would get back Google but instead I received back neither. OrgId seems to indicate that it’s an account associated with an Azure AD tenant. Maybe it would perform alternative steps depending on whether it’s MSA or Azure AD in future steps? No clue.
Next, a connection is made to oauth2 endpoint for the journeyofthegeek.com tenant. The machine makes an unathenticated requests an access token for the https://api.aadrm.com/ in order to impersonate Ash Williams. Now if you know your OAuth, you know the user needs to authenticate and approve the access before the access token can be issued. The response from the oauth2 endpoint is a redirect over to the AD FS server so the user can authenticate.
After the user successfully authenticates, he is returned a security token and redirected back to login.microsoftonline.com where the assertion is posted and the user is successfully authenticated and is returned an authorization code.
The machine then takes that authorization code and posts it to the oauth2 endpoint for my journeyofthegeek.com tenant. It receives back an Open ID Connect id token for ash.williams, a bearer access token, and a refresh token for the Azure RMS API.

Decoding the bearer access token we come across some interesting information. We can see the audience for the token is the Azure RMS API, the issuer of the token is the tenant id associated with journeyofthegeek.com (interesting right?), and the identity provider for the user is the tenant id for geekintheweeds.com.
After the access token is obtained the machine closes out the session with login.microsoftonline.com and of course dumps a bunch of telemetry (can you see the trend here?).
A connection is again made to odc.officeapps.live.com and the /odc/emailhrd/getfederationprovider URI with an unauthenticated request which includes a query string of geekintheweeds.com. The same process as before takes place.

Exhausted yet? Well it’s about to get even more interesting if you’re an RMS nerd like myself.

Let’s talk through the sessions above.

A connection is opened to the geekintheweeds.com /wmcs/certification/server.asmx AIP endpoint with an unauthenticated HTTP POST and a SOAP action of GetServerInfo. The endpoint responds as we’ve observed previously with information about the AIP instance including features and endpoints for the various pipelines.
A connection is opened to the geekintheweeds.com /wmcs/oauth2/servicediscovery/servicediscovery.asmx AIP endpoint with an unauthenticated HTTP POST and a SOAP action of ServiceDiscoveryForUser. We know from the bootstrapping process I covered in my last post, that this action requires authentication, so we see the service return a 401.
A connection is opened to the geekintheweeds.com /wmcs/oauth2/certification/server.asmx AIP endpoint with an unauthenticated HTTP POST and SOAP action of GetLicensorCertificate. The SLC and its chain is returned to the machine in the response.
A connection is opened to the geekintheweeds.com /wmcs/oauth2/certification/certification.asmx AIP endpoint with an unauthenticated HTTP POST and SOAP action of Certify. Again, we remember from my last post that this requires authentication, so the service again responds with a 401.

What we learned from the above is the bearer access token the client obtained earlier isn’t attended for the geekintheweeds.com AIP endpoint because we never see it used. So how will the machine complete its bootstrap process? Well let’s see.

A connection is opened to the journeyofthegeek.com /wmcs/oauth2/servicediscovery/servicediscovery.asmx AIP endpoint with an unauthenticated HTTP POST and SOAP action of ServiceDiscoveryForUser. The service returns a 401 after which the client makes the same connection and HTTP POST again, but this time including its bearer access token it retrieved earlier. The service provides a response with the relevant pipelines for the journeyofthegeek.com AIP instance.
A connection is opened to the journeyofthegeek.com /wmcs/oauth2/certification/server.asmx AIP endpoint with an authenticated (bearer access token) HTTP POST and SOAP action of GetLicensorCertificate. The service returns the SLC and its chain.
A connection is opened to the journeyofthegeek.com /wmcs/oauth2/certification/certification.asmx AIP endpoint with an authenticated (bearer access token) HTTP POST and SOAP action of Certify. The service returns a RAC for the ash.williams@geekintheweeds.com along with relevant SLC and chain. Wait what? A RAC from the journeyofthegeek.com AIP instance for a user in geekintheweeds.com? Well folks this is supported through RMS’s support for federation. Since all Azure AD’s in a given offering (commercial, gov, etc) come pre-federated, this use case is supported.
A connection is opened to the journeyofthegeek.com /wmcs/licensing/server.asmx AIP endpoint with an uauthenticated HTTP POST and SOAP action of GetServerInfo. We’ve covered this enough to know what’s returned.
A connection is opened to the journeyofthegeek.com /wmcs/licensing/publish.asmx AIP endpoint with an authenticated (bearer access token) HTTP POST and SOAP action of GetClientLicensorandUserCertificates. The server returns the CLC and EUL to the user.

After this our protected document opens in Microsoft Word.

Pretty neat right? Smart move by Microsoft to take advantage and build upon of the federated capabilities built into AD RMS. This is another example showing just how far ahead of their game the product team for AD RMS was. Heck, there are SaaS vendors that still don’t support SAML, let alone on-premises products from 10 years ago.

In the next few posts (can you tell I find RMS fascinating yet?) of this series I’ll explore how Microsoft has integrated AIP into OneDrive, SharePoint Online, and Exchange Online.

Have a great week!

The Evolution of AD RMS to Azure Information Protection – Part 6 – Deep Dive into Client Bootstrapping

Posted on May 1, 2018 by mattfeltonma

Today I’m back with more Azure Information Protection (AIP) goodness. Over the past five posts I’ve covered the use cases, concepts and migration paths. Today I’m going to get really nerdy and take a look behind the curtains at how the MSIPC client shipped with Office 2016 interacts with AIP . I’ll be examining the MSIPC client log and reviewing procmon and Fiddler captures. If the thought of examining log files and SOAP calls excites you, this is a post for you. Make sure to take a read through my previous posts to ensure you understand my lab infrastructure and configuration as well as key AIP concepts.

Baselining the Client

Like any good engineer, I wanted to baseline my machine to ensure the MSIPC client was functioning correctly. Recall that my clients are migrating from an on-premises AD RMS implementation to AIP. I haven’t completed my removal of AD RMS so the service connection point for on-premises AD RMS is still there and the migration scripts Microsoft provides are still in use. Let’s take a look at the registry entries that are set via the Migrate-Client and Migrate-User script. In my last post I covered the purpose of the two scripts. For the purposes of this post, I’m going to keep it brief and only cover registry entries applicable to the MSIPC client shipped with Office 2016.

Migrate-Client
- Condition: Runs each computer startup only if it detects it has not run before or the version variable in the script has been changed.
- Registry Entries Modified:
  - Deletes HKLM\Software\Microsoft\MSIPC\ServiceLocation keys
  - Deletes HKLM\Software\Wow6432Node\Microsoft\MSIPC\ServiceLocation key
  - Deletes HKLM\Software\Microsoft\MSIPC\ServiceLocation\LicensingRedirection key
  - Deletes HKLM\Software\Wow6432Node\Microsoft\MSIPC\ServiceLocation\LicensingRedirection key
  - Add Default value to HKLM\Software\Microsoft\MSIPC\ServiceLocation\EnterpriseCertification key with data value pointing to AIP endpoint for tenant
  - Add Default value to HKLM\Software\Wow6432Node\Microsoft\MSIPC\ServiceLocation\EnterpriseCertification key with data value pointing to AIP endpoint for tenant
  - Add a value for the FQDN and single label URLs to on-premises AD RMS licensing pipeline to HKLM\Software\Microsoft\MSIPC\ServiceLocation\LicensingRedirection key with data values pointing to AIP endpoints for tenant
  - Add a value for the FQDN and single label URLs to on-premises AD RMS licensing pipeline to HKLM\Software\Wow6432NodeMicrosoft\MSIPC\ServiceLocation\LicensingRedirection key with data values pointing to AIP endpoints for tenant
Migrate-User
- Condition: Runs each user logon only if it detects it has not run before or the version variable in the script has been changed.
- Registry Entries Modified:
  - Deletes HKCU\Software\Microsoft\Office\16.0\Common\DRM key
  - Deletes HKCU\Software\Classes\Local Settings\Software\Microsoft\MSIPC key
  - Deletes HKCU\Software\Classes\Microsoft.IPViewerChildMenu\shell key
  - Add DefaultServerUrl value to HKCU\Software\Microsoft\Office\16.0\Common\DRM key and set its data value to the AIP endpoint for the tenant
- Files Modified:
  - Deletes the contents of the %localappdata%\Microsoft\MSIPC folder

A quick review of my client settings validates that all the necessary registry entries are in place and I have no issues consuming and created protected content.

Resetting the Client

If you have administered AD RMS in the past, you will be very familiar with how to re-bootstrap an RMS client. Microsoft has made that entire process easier by incorporating a “reset” function into the AIP client. The function can be accessed in Microsoft Office by hitting the drop down arrow for the AIP icon on the toolbar and selecting the Help and Feedback option.

After clicking the Help and Feedback option, a new window pops up where you can select the Reset Settings option to which performs a series of changes to the registry, deletions of RMS licenses, and AIP metadata. Lastly, I log out of the machine.

Bootstrapping the Client with Azure Information Protection

After logging back in I start up Fiddler, open Microsoft Word, and attempt to open a file that was protected with my AD RMS cluster. The file opens successfully.

One thing to note is if you’re using Windows 10 and Microsoft Edge like I was, you’ll need to take the extra steps outlined here to successfully capture due to the AppContainer Isolation feature added back in Windows 8. If you do not take those extra steps, you’ll get really odd behavior. Microsoft Edge will fail any calls to intranet endpoints (such as AD FS in my case) by saying it can’t contact the proxy. Trying with Internet Explorer will simply cause Fiddler to fail to make the calls and to throw a DNS error. Suffice to say, I spent about 20 minutes troubleshooting the issue before I remembered Fiddler’s dialog box that pops up every new install about AppContainer and Microsoft Edge.

The first thing we’re going to look at is the MSIPC log files which keep track of the client activity. I have to give an applause to whichever engineer over at Microsoft thought it would be helpful to include such a detailed log. If you’ve administered on-premises AD RMS in the past on previous versions of Microsoft Office, you’ll know the joys (pain?) of client side tracing with DebugView.

When we pop open the log we get some great detail as to the client behavior. We can see the client read a number of registry entries. The first thing we see is the client discover that is not initialized so it calls an API to bootstrap the user. Notice in the below that it has identified my user and it’s mentioning OAuth as a method for authentication to the endpoint.

Following this we have a few more registry queries to discover the version of the operating system. We then have our first HTTP session opened by the client. I’m pretty sure this session is the initial user authentication to Azure AD in order to obtain a bearer access token for the user to call further APIs

Bouncing over to Fiddler we can check out the authentication process. We can see the machine reach out to Azure AD (login.windows.net), perform home realm discovery which Azure AD determines that geekintheweeds.com is configured for federated authentication. The client makes the connection to the AD FS server where the user is seamlessly authenticated via Kerberos. The windowstransport endpoint is called which supports the WS-Trust 1.3 active profile. In an WS-Trust active flow, the client initiates the request (hence it’s active) vs the passive flow where the service provider initiates the flow. This is how Office applications support modern (aka federated) authentication.

After the assertion is obtained, it’s posted to the /common/oauth2/token endpoint at login.windows.net. The assertion is posted within a request for an access token, refresh token, and id token request using the saml1_1-bearer token grant type for the Azure RMS endpoint.

The machine is returned an access token, refresh token, and id token. We can see the token returned is a bearer token allowing client to impersonate my user moving forward.

Dumping the access token into the Fiddler TextWizard and decoding the Base64 gives us the details of the token. Within the token we can see an arm (authenticated method reference) of wia indicating the user authenticated using Windows authentication. A variety of information about the user is included in the token including UPN, first name, and last name.

I’m fairly certain the tokens are cached to a flat file based upon some of the data I did via procmon while the bootstrap process initiated. You can see the calls to create the file and write to it below.

After the tokens are obtained and cached we see from the log file that the MSIPC client then discovers it doesn’t have machine certificates. It goes through the process of creating the machine certificates.

We now see the MISPC client attempts to query for the SRV record Microsoft introduced with Office 2016 to help with migrations from AD RMS. The client then attempts discovery of service by querying the RMS-specific registry keys in the HKLM hive and comes across the information we hardcoded into the machine via the migration scripts. It uses this information to make a request to the non-authenticated endpoint of https://<tenant_specific>/_wmcs/certification/server.asmx.

Bouncing back to Fiddler and continuing the conversation we can see a few different connections are created. We see one to api.informationprotection.azure.com, another to mobile.pipe.aria.microsoft.com, and yet another to the AIP endpoint for my tenant.

I expected the conversation between api.informationprotection.azure.com and the AIP endpoint for my tenant. The connection to mobile.pipe.aria.microsoft.com interested me. I’m not sure if it was randomly captured or if it was part of the consumption of protected content. I found a few Reddit posts where people were theorizing it has something to do with how Microsoft consumes telemetry from Microsoft Office. As you could probably guess, this piqued my interest to know what exactly Microsoft was collecting.

We can see from the Fiddler captures that an application on the client machine is posting data to https://mobile.pipe.aria.microsoft.com/Collector/3.0/. Examination of the request header shows the user agent as AriaSDK Client and the sdk-version of ACT-Windows Desktop. This looks to be the method in which the telemetry agent for Office collects its information.

If we decode the data within Fiddler and dump both sets of data to Notepad we get some insight into what’s being pulled. Most of the data is pretty generic in that there is information about the version of Word I’m using, the operating system version, information that my machine is a virtual machine, and some activity IDs which must relate to something MS holds on their end. The only data point I found interesting was that my tenant ID is included in it. Given tenant id isn’t exactly a secret, it’s still interesting it’s being collected. It must be fascinating to see this telemetry at scale. Interesting stuff either way.

Continuing the conversation, let’s examine the chatter with my tenant’s AIP endpoint since the discovery was requested by the MSIPC client. We see a SOAP request of GetServerInfo posted to https://<tenant_specific>/_wmcs/certification/server.asmx. The response we receive from the endpoint has all the information our RMS client will need to process the request. My deep dive into AD RMS was before I got my feet with Fiddler so I’ve never examined the conversations with the SOAP endpoints within AD RMS. Future blog post maybe? Either way, I’ve highlighted the interesting informational points below. We can see that the service is identifying itself as RMS Online, has a set of features that cater to modern authentication, runs in Cryptomode 2, and supports a variety of authentication methods. I’m unfamiliar with the authentication types beyond X509 and OAuth 2. Maybe carry overs from on-prem? Something to explore in the future. The data boxed in red are all the key endpoints the RMS client needs to know to interact with the service moving forward. Take note the request at this endpoint doesn’t require any authentication. That comes in later requests.

After the response is received the MSIPC writes a whole bunch of registry entries to the HKCU hive for the user to cache all the AIP endpoint information it discovered. It then performs a service discovery against the authenticated endpoint using its bearer token it cached to the tokencache file.

Once the information is written to the registry, the client initiates a method called GetCertAndLicURLsWithNewSD. It uses the information it discovered previously to query the protected endpoint https://<tenant_specific>/_wmcs/oauth2/servicediscovery/servicediscovery.asmx. Initially it receives a 401 unauthorized back with instructions to authenticate uses a bearer token.

The client tries again this time providing the bearer token it obtained earlier and placed in the tokencache file. The SOAP action of ServiceDiscoveryForUser is performed and the client requests the specific endpoints for certification, licensing, and the new tracking portal feature of AIP.

The SOAP response contains the relevant service endpoints and user for which the query applied to.

The MSIPC client then makes a call to /_wmcs/oauth2/certification/server.asmx with a SOAP request of GetLicensorCertificate. I won’t break that one down response but it returns the SLC certificate chain in XrML format. For my tenant this included both the new SLC I generated when I migrated to AIP as well as the SLC from my on-premises AD RMS cluster that I uploaded.

The MISPC log now shows a method called GetNewRACandCLC being called which is used to obtain a RAC and CLC. This is done by making a call to the certification pipeline.

The call to /_wmcs/oauth2/certification/certification.asmx does exactly as you would expect and calls the SOAP request of Certify. This included my user’s RAC, and both SLCs and certificates in that chain. The one interesting piece in the response was a Quota tag as seen below. I received back five certificates, so maybe there is a maximum that can be returned? If you have more than 4 on-premises AD RMS clusters you’re consolidating to AIP, you might be in trouble. 🙂

The MISPC log captures the successful certification and logs information about the RAC.

Next up the client attempts to obtain a CLC by calling continuing with the GetNewRACandCLC method. It first calls the /_wmcs/licensing/server.asmx pipeline and makes a GetServerInfo SOAP request which returns the same information we saw in the last request to server.asmx. This request isn’t authenticated and the information returned is written to the HKCU hive for the user.

The service successfully returns the users CLC. The last step in the process is the MSIPC service requests the RMS templates associated with the user. You can see the template that is associated custom AIP classification label I created.

Last but not least, the certificates are written to the %LOCALAPPDATA%\Microsoft\MSIPC directory.

Conclusion

Very cool stuff right? I find it interesting in that the MSIPC client performs pretty much the same way it performs with on-premises exempting some of the additional capabilities introduced such as the search for the SRV DNS records and the ability to leverage modern authentication via the bearer token. The improved log is a welcome addition and again, stellar job to whatever engineer at Microsoft thought it would be helpful to include all the detail that is included in that log.

If you’ve used AD RMS or plan to use AIP and haven’t peeked behind the curtains I highly recommend it. Seeing how all the pieces fit together and how a relatively simple web service and a creative use of certificates can provide such a robust and powerful security capability will make your appreciate the service AD RMS tried to be and how far ahead of its time it was.

I know I didn’t cover the calls to the AIP-classification specific web calls, but I’ll explore that in my next entry. Hopefully you enjoyed nerding out on this post as much as I did. Have a great week and see you next post!

The Evolution of AD RMS to Azure Information Protection – Part 2 – Architecture

Posted on March 27, 2018 by mattfeltonma

Hi there. Welcome to the second post in my series exploring the evolution of Active Directory Rights Management Service (AD RMS) into Azure Information Protection (AIP). In the first post of the series I gave an brief overview of the important role AIP plays in Microsoft’s Cloud App Security (CAS) offering. I also covered the details of the lab I will be using for this series. Take a few minutes to read the post to familiarize yourself with the lab details because it’ll be helpful as we progress through the series.

I went back and forth as to what topic I wanted to cover for the second post and decided it would be useful to start at the high level comparing the components in a typical Windows AD RMS implementation to those used when consuming AIP. I’m going to keep the explanation of each component brief to avoid re-creating existing documentation, but I will provide links to official Microsoft document for each component I mention. With that intro, let’s begin.

The infrastructure required in an AD RMS implementation is pretty minimal but the complexity is in how all of the components work together to provide the solution. At a very high level it is similar to any other web-based application consisting of a web server, application code, and a data backend. The web-based application integrated with a directory to authenticate users and get information about the user that is used in authorization decisions. In the AD RMS world the components map to the following products:

Web Server – Machine running Windows Server with Microsoft Internet Information Services and Microsoft Message Queuing Service
Application Code – Code installed onto the machine after adding the AD RMS role to a machine running Windows Server
Data Backend – Machine running Windows Server with Microsoft SQL Server running on it hosting configuration and logging database (optionally Windows Internal Database (WID) for test environments)
Directory – Windows Active Directory provides authentication, user information used for authorization, and stores additional AD RMS configuration data (Service Connection Point)

Nodes providing the AD RMS service are organized into a logical container called an AD RMS Cluster. Like most web applications AD RMS can be scaled out by adding more nodes to the cluster to improve performance and provide high availability (HA). If using MS SQL for the data backend, traditional methods of HA can be used such as SQL clustering, database mirroring, and log shipping. You can plop your favorite load balancer in front of the solution to help distribute the application load and keep track of the health of the nodes providing the service.

Beyond the standard web-based application components we have some that are specific to AD RMS. Let’s take a deeper look at them.

AD RMS Cluster Key
The AD RMS cluster key is the most critical part of an AD RMS implementation, the “key to the kingdom”, as it is used to sign the Server Licensor Certificate (SLC) which contains the corresponding public key. The SLC is used to sign certificates created by AD RMS that allow for consumption of AD RMS-protected content as well as being used by AD RMS clients to encrypt the content key when a document is newly protected by AD RMS.

The AD RMS cluster key is shared by all nodes that are members of the AD RMS cluster. It can be stored within the MS SQL database/WID or on a supported hardware security module for improved security.
AD RMS Client / AD RMS-Integrated Server Applications
Applications are great, but you need a method to consume them. Once content is protected by AD RMS it can only be consumed by an application capable of communicating with AD RMS. In most cases this is accomplished by using an application that has been written to use the AD RMS Client. The AD RMS Client comes pre-installed on Windows Vista and up desktop operating systems and Windows Server 2008 and up server operating systems.

The AD RMS client performs tasks such as bootstrapping (sometimes referred to as activation). I won’t go into the details because I wouldn’t do near as well job as Dan does in the bootstrapping link. In short it generates some keys and obtains some certificates from the AD RMS service that facilitate protecting and consuming content.

AD RMS-integrated server applications such as Microsoft SharePoint Server and Microsoft Exchange Server provide server-level services that leverage the capabilities provided by AD RMS to protect data such as files stored in a SharePoint library or emails sent through Microsoft Exchange.
AD RMS Policy Templates
While not a component of the system architecture, AD RMS Policy Templates are an AD RMS concept that deserves mention in this discussion. The templates can be created by an organization to provide a standard set of use rights applicable to a type of data. Common use cases are having multiple templates created for different data types. For example, you may want one data type that allows trusted partners to view the document but not print or forward it while another template may restrict view rights to the accounting department.

In AD RMS the policies are stored in the AD RMS database but are accessible via a call to the web service. Optionally they can be exported from the database and distributed in other means like a Windows file share.

As you can see there are a lot of moving parts to an on-premises Windows AD RMS implementation. Some of the components mentioned above can get even more complicated when the need to collaborate across organizations or support mobile devices arises.

How does AIP compare? For the purposes of this post, I’m going to focus that comparison on Azure RMS which provides the protection capability of AIP. Azure RMS is a software-as-a-service (SaaS) offering from Microsoft replaces (yes Microsoft, let’s be honest here) AD RMS. It is licensed on a per user basis via a stand-alone, Enterprise Mobility + Security P1/P2, or qualifying Office 365 license.

The architecture of Azure RMS is far more simple than what existed for AD RMS. Like most SaaS services, there is no on-premises infrastructure required except in very specific scenarios such as hold-your-own-key (HYOK) or integrating Azure RMS with an on-premises Microsoft Exchange Server, Microsoft SharePoint Server, or servers running Windows Server and File Classification Infrastructure (FCI) using the RMS Connector. This means you won’t be building any servers to hold the RMS role or SQL Servers to host configuration and logging information. The infrastructure is now managed by Microsoft and the RMS service provided over HTTP/HTTPS.

Azure RMS shifts its directory dependency to Azure Active Directory (AAD). It uses the tenant in which the Azure RMS licenses are associated with for authentication and authorization of users. As with any AAD use case, you can still authenticate users against your on-premises Windows Active Directory if you’ve configured your tenant for federated authentication and source data from an on-premises directory using Azure Active Directory Connect.

The cluster key, client, integrated applications, and policies are still in place and work similar to on-premises AD RMS with some changes to both function and names.

Azure Information Protection Tenant Key
The AD RMS Cluster key has been renamed to the Azure Information Protection tenant key. The tenant key serves the same purpose as the AD RMS Cluster and is used to sign the SLC certificate and decrypt information sent to Azure RMS using the public key in the SLC. The differences between the two are really around how the key is generated and stored. By default the tenant key is generated (note that Microsoft generates a 2048-bit key instead of a 1024-bit like was done with new installations of AD RMS) by Microsoft and is associated with your Azure Active Directory tenant. Other options include bring-your-own-key (BYOK), HYOK, and a special instance where you are migrating from AD RMS to Azure RMS. I’ll cover HYOK and the migration instance in future posts.
Azure Information Protection Client
The AD RMS client is replaced with the Azure Information Protection Client. The client performs the same functions as the AD RMS Client but allowing for integration with either on-premises AD RMS or Azure RMS. In addition, the client introduces functionality around Azure Information Protection including adding a classification bar for Microsoft Office, Do Not Forward button to Microsoft Outlook, option in Windows File Explorer to classify and protect files, and PowerShell modules that can be used to bulk classify and protect files. In a future post in this series I’ll be doing a deep dive of the client behavior including analysis of its calls to the Azure Information Protection endpoints via Fiddler.

Unlike the AD RMS client of the past, the Azure Information Protection Client is supported on mobile operating systems such as iOS and Android. Additionally, it supports a wider variety of file types than the AD RMS client supported.
Azure RMS-Integrated Server Applications
Like its predecessor Azure RMS can be consumed by server applications such as Microsoft Exchange Server and Microsoft SharePoint Server with the RMS Connector. There is native integration with Office 365 products including Exchange Online, SharePoint Online, OneDrive for Business, as well as being extensible to third-party applications via Cloud App Security (I’ll demonstrate this after I complete this series). Like all good SaaS, there is also an API that can be leveraged to add the functionality to custom developed applications.
Rights Management Templates
Azure RMS continues to use concepts of rights management templates like its predecessor. Instead of being stored in a SQL database, the templates are stored in Microsoft’s cloud. Templates created in AD RMS can also be imported into Azure RMS for continued use. I’ll demonstrate how that process in a future post in this series. Classification labels in AIP are backed by templates whenever a label applies protection with a pre-defined set of rights. I’ll demonstrate this in a later post.

Far more simple in the SaaS world isn’t it? In addition to simplicity Microsoft delivers more capabilities, tighter integration with its collaboration tools, and expansion of the capabilities to third party applies through a robust API and integration with Cloud App Security.

See you next post!

The Evolution of AD RMS to Azure Information Protection – Part 1

Posted on March 25, 2018 by mattfeltonma

Collaboration. It’s a term I hear at least a few times a day when speaking to my user base. The ability to seamlessly collaborate with team members, across the organization, with trusted partners, and with customers is a must. It’s a driving force between much of the evolution of software-as-a-service collaboration offerings such as Office 365. While the industry is evolving to make collaboration easier than ever, it’s also introducing significant challenges for organizations to protect and control their data.

In a recent post I talked about Microsoft’s entry into the cloud access security broker (CASB) market with Cloud App Security (CAS) and its capability to provide auditing and alerting on activities performed in Amazon Web Services (AWS). Microsoft refers to this collection of features as the Investigate capability of CAS. Before I cover an example of the Control features in action, I want to talk about the product that works behind the scenes to provide CAS with many of the Control features.

That product is Azure Information Protection (AIP) and it provides the capability to classify, label, and protect files and email. The protection piece is provided by another Microsoft product, Azure Active Directory Rights Management Services (Azure RMS). Beyond just encrypting a file or email, Azure RMS can control what a user can do with a file such as preventing a user from printing a document or forwarding an email. The best part? The protection goes with the data even when it leaves your security boundary.

For those of you that have read my blog you can see that I am a huge fanboy of the predecessor to Azure RMS, Active Directory Rights Management Services (AD RMS, previously Rights Management Service or RMS for you super nerds). AD RMS has been a role available in Microsoft Windows Server since Windows Server 2003. It was a product well ahead of its time that unfortunately never really caught on. Given my love for AD RMS, I thought it would be really fun to do a series looking at how AIP has evolved from AD RMS. It’s a dramatic shift from a rather unknown product to a product that provides capabilities that will be as standard and as necessary as Antivirus was to the on-premises world.

I built a pretty robust lab environment (two actually) such that I could demonstrate the different ways the solutions work as well as demonstrate what it looks to migrate from AD RMS to AIP. Given the complexity of the lab environment, I’m going to take this post to cover what I put together.

The layout looks like this:

On the modern end I have an Azure AD tenant with the custom domain assigned of geekintheweeds.com. Attached to the tenant I have some Office 365 E5 and Enterprise Mobility + Security E5 trial licenses For the legacy end I have two separate labs setup in Azure each within its own resource group. Lab number one contains three virtual machines (VMs) that run a series of services included Active Directory Domain Services (AD DS), Active Directory Certificate Services (AD CS), AD RMS, and Microsoft SQL Server Express. Lab number two contains four VMs that run the same set as services as Lab 1 in addition to Active Directory Federation Services (AD FS) and Azure Active Directory Connect (AADC). The virtual network (vnet) within each resource group has been peered and both resource groups contain a virtual gateway which has been configured with a site-to-site virtual private network (VPN) back to my home Hyper-V environment. In the Hyper V environment I have two workstations.

Lab 1 is my “legacy” environment and consists of servers running Windows 2008 R2 and Windows Server 2012 R2 (AD RMS hasn’t changed in any meaningful manner since 2008 R2) and a client running Windows 7 Pro running Office 2013. The DNS namespace for its Active Directory forest is JOG.LOCAL. Lab 2 is my “modern” environment and consists of servers running Windows Server 2016 and a Windows 10 client running Office 2016 . It uses a DNS namespace of GEEKINTHEWEEDS.COM for its Active Directory forest and is synchronized with the Azure AD tenant I mentioned above. AD FS provides SSO to Office 365 for Geek in The Weeds users.

For AD RMS configuration, both environments will initially use Cryptographic Mode 1 and will have a trusted user domain (TUD). SQL Server Express will host the AD RMS database and I will store the cluster key locally within the database. The use of a TUD will make the configuration a bit more interesting for reasons you’ll see in a future post.

Got all that?

In my next post I’ll cover how the architecture changes when migrating from AD RMS to Azure Information Protection.

Journey Of The Geek

The chronicles of a Bostonian tech geek navigating through life and technology

Tag Archives: data governance

The Evolution of AD RMS to Azure Information Protection – Part 2 – Architecture

The Evolution of AD RMS to Azure Information Protection – Part 1