Tag Archives: office 365

The Evolution of AD RMS to Azure Information Protection – Part 6 – Deep Dive into Client Bootstrapping

Posted on by
The Evolution of AD RMS to Azure Information Protection – Part 6 – Deep Dive into Client Bootstrapping

Today I’m back with more Azure Information Protection (AIP) goodness.  Over the past five posts I’ve covered the use cases, concepts and migration paths.  Today I’m going to get really nerdy and take a look behind the curtains at how the MSIPC client shipped with Office 2016 interacts with AIP .  I’ll be examining the MSIPC client log and reviewing procmon and Fiddler captures.  If the thought of examining log files and SOAP calls excites you, this is a post for you.  Make sure to take a read through my previous posts to ensure you understand my lab infrastructure and configuration as well as key AIP concepts.

Baselining the Client

Like any good engineer, I wanted to baseline my machine to ensure the MSIPC client was functioning correctly.  Recall that my clients are migrating from an on-premises AD RMS implementation to AIP.  I haven’t completed my removal of AD RMS so the service connection point for on-premises AD RMS is still there and the migration scripts Microsoft provides are still in use.  Let’s take a look at the registry entries that are set via the Migrate-Client and Migrate-User script.  In my last post I covered the purpose of the two scripts.  For the purposes of this post, I’m going to keep it brief and only cover registry entries applicable to the MSIPC client shipped with Office 2016.

  1. Migrate-Client
    • Condition: Runs each computer startup only if it detects it has not run before or the version variable in the script has been changed.
    • Registry Entries Modified:
      • Deletes HKLM\Software\Microsoft\MSIPC\ServiceLocation keys
      • Deletes HKLM\Software\Wow6432Node\Microsoft\MSIPC\ServiceLocation key
      • Deletes HKLM\Software\Microsoft\MSIPC\ServiceLocation\LicensingRedirection key
      • Deletes HKLM\Software\Wow6432Node\Microsoft\MSIPC\ServiceLocation\LicensingRedirection key
      • Add Default value to HKLM\Software\Microsoft\MSIPC\ServiceLocation\EnterpriseCertification key with data value pointing to AIP endpoint for tenant
      • Add Default value to HKLM\Software\Wow6432Node\Microsoft\MSIPC\ServiceLocation\EnterpriseCertification key with data value pointing to AIP endpoint for tenant
      • Add a value for the FQDN and single label URLs to on-premises AD RMS licensing pipeline to HKLM\Software\Microsoft\MSIPC\ServiceLocation\LicensingRedirection key with data values pointing to AIP endpoints for tenant
      • Add a value for the FQDN and single label URLs to on-premises AD RMS licensing pipeline to HKLM\Software\Wow6432NodeMicrosoft\MSIPC\ServiceLocation\LicensingRedirection key with data values pointing to AIP endpoints for tenant
  2. Migrate-User
    • Condition: Runs each user logon only if it detects it has not run before or the version variable in the script has been changed.
    • Registry Entries Modified:
      • Deletes HKCU\Software\Microsoft\Office\16.0\Common\DRM key
      • Deletes HKCU\Software\Classes\Local Settings\Software\Microsoft\MSIPC key
      • Deletes HKCU\Software\Classes\Microsoft.IPViewerChildMenu\shell key
      • Add DefaultServerUrl value to HKCU\Software\Microsoft\Office\16.0\Common\DRM key and set its data value to the AIP endpoint for the tenant
    • Files Modified:
      • Deletes the contents of the %localappdata%\Microsoft\MSIPC folder

A quick review of my client settings validates that all the necessary registry entries are in place and I have no issues consuming and created protected content.

Resetting the Client

If you have administered AD RMS in the past, you will be very familiar with how to re-bootstrap an RMS client.  Microsoft has made that entire process easier by incorporating a “reset” function into the AIP client.  The function can be accessed in Microsoft Office by hitting the drop down arrow for the AIP icon on the toolbar and selecting the Help and Feedback option.

6AIP1.png

After clicking the Help and Feedback option, a new window pops up where you can select the Reset Settings option to which performs a series of changes to the registry, deletions of RMS licenses, and AIP metadata.  Lastly, I log out of the machine.

6AIP2.png

 

Bootstrapping the Client with Azure Information Protection

After logging back in I start up Fiddler, open Microsoft Word, and attempt to open a file that was protected with my AD RMS cluster. The file opens successfully.

One thing to note is if you’re using Windows 10 and Microsoft Edge like I was, you’ll need to take the extra steps outlined here to successfully capture due to the AppContainer Isolation feature added back in Windows 8. If you do not take those extra steps, you’ll get really odd behavior. Microsoft Edge will fail any calls to intranet endpoints (such as AD FS in my case) by saying it can’t contact the proxy. Trying with Internet Explorer will simply cause Fiddler to fail to make the calls and to throw a DNS error. Suffice to say, I spent about 20 minutes troubleshooting the issue before I remembered Fiddler’s dialog box that pops up every new install about AppContainer and Microsoft Edge.

The first thing we’re going to look at is the MSIPC log files which keep track of the client activity. I have to give an applause to whichever engineer over at Microsoft thought it would be helpful to include such a detailed log. If you’ve administered on-premises AD RMS in the past on previous versions of Microsoft Office, you’ll know the joys (pain?) of client side tracing with DebugView.

When we pop open the log we get some great detail as to the client behavior. We can see the client read a number of registry entries. The first thing we see is the client discover that is not initialized so it calls an API to bootstrap the user. Notice in the below that it has identified my user and it’s mentioning OAuth as a method for authentication to the endpoint.

6AIP3.png

Following this we have a few more registry queries to discover the version of the operating system. We then have our first HTTP session opened by the client. I’m pretty sure this session is the initial user authentication to Azure AD in order to obtain a bearer access token for the user to call further APIs

6AIP4.png

Bouncing over to Fiddler we can check out the authentication process. We can see the machine reach out to Azure AD (login.windows.net), perform home realm discovery which Azure AD determines that geekintheweeds.com is configured for federated authentication. The client makes the connection to the AD FS server where the user is seamlessly authenticated via Kerberos. The windowstransport endpoint is called which supports the WS-Trust 1.3 active profile.  In an WS-Trust active flow, the client initiates the request (hence it’s active) vs the passive flow where the service provider initiates the flow.  This is how Office applications support modern (aka federated) authentication.

6AIP5

After the assertion is obtained, it’s posted to the /common/oauth2/token endpoint at login.windows.net.  The assertion is posted within a request for an access token, refresh token, and id token request using the saml1_1-bearer token grant type for the Azure RMS endpoint.

6AIP6.png

The machine is returned an access token, refresh token, and id token.  We can see the token returned is a bearer token allowing client to impersonate my user moving forward.

6AIP7.png

Dumping the access token into the Fiddler TextWizard and decoding the Base64 gives us the details of the token.  Within the token we can see an arm (authenticated method reference) of wia indicating the user authenticated using Windows authentication.  A variety of information about the user is included in the token including UPN, first name, and last name.

6AIP8.png

I’m fairly certain the tokens are cached to a flat file based upon some of the data I did via procmon while the bootstrap process initiated.  You can see the calls to create the file and write to it below.

6AIP9

After the tokens are obtained and cached we see from the log file that the MSIPC client then discovers it doesn’t have machine certificates.  It goes through the process of creating the machine certificates.

6AIP10.png

We now see the MISPC client attempts to query for the SRV record Microsoft introduced with Office 2016 to help with migrations from AD RMS.  The client then attempts discovery of service by querying the RMS-specific registry keys in the HKLM hive and comes across the information we hardcoded into the machine via the migration scripts.  It uses this information to make a request to the non-authenticated endpoint of https://<tenant_specific>/_wmcs/certification/server.asmx.

6AIP11

Bouncing back to Fiddler and continuing the conversation we can see a few different connections are created.  We see one to api.informationprotection.azure.com, another to mobile.pipe.aria.microsoft.com, and yet another to the AIP endpoint for my tenant.

6AIP12.png

I expected the conversation between api.informationprotection.azure.com and the AIP endpoint for my tenant.  The connection to mobile.pipe.aria.microsoft.com interested me.  I’m not sure if it was randomly captured or if it was part of the consumption of protected content.  I found a few Reddit posts where people were theorizing it has something to do with how Microsoft consumes telemetry from Microsoft Office.  As you could probably guess, this piqued my interest to know what exactly Microsoft was collecting.

We can see from the Fiddler captures that an application on the client machine is posting data to https://mobile.pipe.aria.microsoft.com/Collector/3.0/.  Examination of the request header shows the user agent as AriaSDK Client and the sdk-version of ACT-Windows Desktop.  This looks to be the method in which the telemetry agent for Office collects its information.

6AIP13.png

If we decode the data within Fiddler and dump both sets of data to Notepad we get some insight into what’s being pulled. Most of the data is pretty generic in that there is information about the version of Word I’m using, the operating system version, information that my machine is a virtual machine, and some activity IDs which must relate to something MS holds on their end. The only data point I found interesting was that my tenant ID is included in it. Given tenant id isn’t exactly a secret, it’s still interesting it’s being collected. It must be fascinating to see this telemetry at scale. Interesting stuff either way.

6AIP14.png

Continuing the conversation, let’s examine the chatter with my tenant’s AIP endpoint since the discovery was requested by the MSIPC client.  We see a SOAP request of GetServerInfo posted to https://<tenant_specific>/_wmcs/certification/server.asmx.  The response we receive from the endpoint has all the information our RMS client will need to process the request.  My deep dive into AD RMS was before I got my feet with Fiddler so I’ve never examined the conversations with the SOAP endpoints within AD RMS.  Future blog post maybe?  Either way, I’ve highlighted the interesting informational points below.  We can see that the service is identifying itself as RMS Online, has a set of features that cater to modern authentication, runs in Cryptomode 2, and supports a variety of authentication methods.  I’m unfamiliar with the authentication types beyond X509 and OAuth 2.  Maybe carry overs from on-prem?  Something to explore in the future.  The data boxed in red are all the key endpoints the RMS client needs to know to interact with the service moving forward.  Take note the request at this endpoint doesn’t require any authentication.  That comes in later requests.

6AIP15.png

After the response is received the MSIPC writes a whole bunch of registry entries to the HKCU hive for the user to cache all the AIP endpoint information it discovered.  It then performs a service discovery against the authenticated endpoint using its bearer token it cached to the tokencache file.

6AIP16.png

Once the information is written to the registry, the client initiates a method called GetCertAndLicURLsWithNewSD.  It uses the information it discovered previously to query the protected endpoint https://<tenant_specific>/_wmcs/oauth2/servicediscovery/servicediscovery.asmx.  Initially it receives a 401 unauthorized back with instructions to authenticate uses a bearer token.

6AIP17.png

The client tries again this time providing the bearer token it obtained earlier and placed in the tokencache file.  The SOAP action of ServiceDiscoveryForUser is performed and the client requests the specific endpoints for certification, licensing, and the new tracking portal feature of AIP.

6AIP18.png

The SOAP response contains the relevant service endpoints and user for which the query applied to.

6AIP19.png

The MSIPC client then makes a call to /_wmcs/oauth2/certification/server.asmx with a SOAP request of GetLicensorCertificate.  I won’t break that one down response but it returns the SLC certificate chain in XrML format.  For my tenant this included both the new SLC I generated when I migrated to AIP as well as the SLC from my on-premises AD RMS cluster that I uploaded.

6AIP20.png

The MISPC log now shows a method called GetNewRACandCLC being called which is used to obtain a RAC and CLC. This is done by making a call to the certification pipeline.

6AIP21.png

The call to /_wmcs/oauth2/certification/certification.asmx does exactly as you would expect and calls the SOAP request of Certify. This included my user’s RAC, and both SLCs and certificates in that chain. The one interesting piece in the response was a Quota tag as seen below. I received back five certificates, so maybe there is a maximum that can be returned? If you have more than 4 on-premises AD RMS clusters you’re consolidating to AIP, you might be in trouble. 🙂

6AIP22.png

The MISPC log captures the successful certification and logs information about the RAC.

6AIP23.png

Next up the client attempts to obtain a CLC by calling continuing with the GetNewRACandCLC method. It first calls the /_wmcs/licensing/server.asmx pipeline and makes a GetServerInfo SOAP request which returns the same information we saw in the last request to server.asmx. This request isn’t authenticated and the information returned is written to the HKCU hive for the user.

6AIP24.png

The service successfully returns the users CLC.  The last step in the process is the MSIPC service requests the RMS templates associated with the user.  You can see the template that is associated custom AIP classification label I created.

6AIP25.png

Last but not least, the certificates are written to the %LOCALAPPDATA%\Microsoft\MSIPC directory.

6AIP26.png

Conclusion

Very cool stuff right? I find it interesting in that the MSIPC client performs pretty much the same way it performs with on-premises exempting some of the additional capabilities introduced such as the search for the SRV DNS records and the ability to leverage modern authentication via the bearer token. The improved log is a welcome addition and again, stellar job to whatever engineer at Microsoft thought it would be helpful to include all the detail that is included in that log.

If you’ve used AD RMS or plan to use AIP and haven’t peeked behind the curtains I highly recommend it. Seeing how all the pieces fit together and how a relatively simple web service and a creative use of certificates can provide such a robust and powerful security capability will make your appreciate the service AD RMS tried to be and how far ahead of its time it was.

I know I didn’t cover the calls to the AIP-classification specific web calls, but I’ll explore that in my next entry.  Hopefully you enjoyed nerding out on this post as much as I did. Have a great week and see you next post!

The Evolution of AD RMS to Azure Information Protection – Part 4 – Preparation and Server-Side Migration

Posted on by
The Evolution of AD RMS to Azure Information Protection – Part 4 – Preparation and Server-Side Migration

The time has finally come to get our hands dirty.  Welcome to my fourth post on the evolution of Active Directory Rights Management Service (AD RMS) to Azure Information Protection (AIP).  So far in this series I’ve done an overview of the service, a comparison of the architectures, and covered the key planning decisions that need to place when migrating from AD RMS to AIP.  In this post I’ll be performing the preparation and server-side migration steps for the migration from AD RMS to AIP.

Microsoft has done a wonderful job documenting the steps for the migration from AD RMS to AIP within the migration guide.  I’ll be referencing back to the guide as needed throughout the post.  Take a look at my first post for a refresher of my lab setup.  Take note I’ll be migrating LAB2 and will be leaving LAB1 on AD RMS.  Here are some key things to remember about the lab:

  • There is a forest trust between the JOG.LOCAL and GEEKINTHEWEEDS.COM Active Directory Forests
  • AD RMS Trusted User Domains (TUDs) have been configured on both JOG.LOCAL and GEEKINTHEWEEDS.COM

I’ve created the following users, groups, and AD RMS templates (I’ve been on an 80s/90s movies fix, so enjoy the names).

  • GEEKINTHEWEEDS.COM CONFIGURATION
    • (User) Jason Voorhies
      • User Principal Name Attribute: jason.voorhies@geekintheweeds.com
      • Mail Attribute: jason.voorhies@geekintheweeds.com
      • Group Memberships: Domain Users, GIW Employees, Information Technology
    • (User) Theodore Logan
      • User Principal Name Attribute: theodore.logan@geekintheweeds.com
      • Mail Attribute: theodore.logan@geekintheweeds.com
      • Group Memberships: Domain Users, GIW Employees, Information Technology
    • (User) Ash Williams
      • User Principal Name Attribute: jason.voorhies@geekintheweeds.com
      • Mail Attribute: ash.williams@geekintheweeds.com
      • Group Memberships: Domain Users, GIW Employees, Accounting
    • (User) Michael Myers
      • User Principal Name Attribute: michael.myers@geekintheweeds.com
      • Mail Attribute: michael.myers@geekintheweeds.com
      • Group Memberships: Domain Users, GIW Employees, Accounting
    • (Group) Accounting
      • Mail Attribute: giwaccounting@geekintheweeds.com
      • Group Type: Universal Distribution
    • (Group) GIW Employees
      • Mail Attribute: giwemployees@geekintheweeds.com
      • Group Type: Universal Distribution
    • (Group) Information Technology
      • Mail Attribute: giwit@geekintheweeds.com
      • Group Type: Universal Distribution
    • (Group) GIW AIP Users
      • Group Type: Global Security
    • (AD RMS Template) GIW Accounting
      • Users: giwaccounting@geekintheweeds.com
      • Rights: Full Control
    • (AD RMS Template) GIW Employees
      • Users: giwemployees@geekintheweeds.com
      • Rights: View, View Rights
    • (AD RMS Template) GIW IT
      • Users: giwit@geekintheweeds.com
      • Rights: Full Control
  • JOG.LOCAL CONFIGURATION

    • (User) Luke Skywalker
      • User Principal Name Attribute: luke.skywalker@jog.local
      • Mail Attribute: luke.skywalker@jog.local
      • Group Memberships: Domain Users, jogemployees
    • (User) Han Solo
      • User Principal Name Attribute: han.solo@jog.local
      • Mail Attribute: han.solo@jog.local
      • Group Memberships: Domain Users, jogemployees
    • (Group) jogemployees
      • Mail Attribute: jogemployees@jog.local
      • Group Type: Universal Distribution

After my lab was built I performed the following tests:

  • Protected Microsoft Word document named GIW_LS_ADRMS with GEEKINTHEWEEDS.COM AD RMS Cluster and successfully opened with Luke Skywalker user from JOG.LOCAL client machine.
  • Protected Microsoft Word document named GIW_GIWALL_ADRMS with GEEKINTHEWEEDS.COM AD RMS Cluster and GIW Employees template and unsuccessfully opened with Luke Skywalker user from JOG.LOCAL client machine.
  • Protected Microsoft Word document named GIW_JV_ADRMS with GEEKINTHEWEEDS.COM AD RMS Cluster using Theodore Logan user and opened successfully with Jason Voorhies user from GEEKINTHEWEEDS.COM client machine.
  • Protected Microsoft Word document named JOG_MM_ADRMS with JOG.LOCAL AD RMS Cluster using Luke Skywalker user and opened successfully with Michael Myers user from GEEKINTHEWEEDS.COM client machine.
    Protected Microsoft Word document named GIW_ACCT_ADRMS with GEEKINTHEWEEDS.COM AD RMS Cluster and GIW Accounting template and was unsuccessful in opening with Jason Voorhies user from GEEKINTHEWEEDS.COM client machine.

These tests verified both AD RMS clusters were working successfully and the TUD was functioning as expected.  The lab is up and running, so now it’s time to migrate to AIP!

Our first step is to download the AADRM PowerShell module from Microsoft.  I went the easy route and used the install-module cmdlet.

AIP4PIC1.png

Back in March Microsoft announced that AIP would be enabled by default on any eligible tenants with O365 E3 or above that were added after February.  Microsoft’s migration guide specifically instructs you to ensure protection capabilities are disabled if you’re planning a migration from AD RMS to AIP.  This means we need to verify that AIP is disabled.  To do that, we’re going to use the newly downloaded AADRM module to verify the status.

AIP4PIC2.png

As expected, the service is enabled.  We’ll want to disable the service before beginning the migration process by running the Disable-Aadrm cmdlet.  After running the command, we see that the functional state is now reporting as disabled.

AIP4PIC3.png

While we have the configuration data up we’re going to grab the value (minus _wmcs/licensing) in the  LicensingIntranetDistributionPointUrl property.  We’ll be using this later on in the migration process.

In most enterprise scenarios you’d want to perform a staged migration process of your users from AD RMS to AIP.  Microsoft provides for this with the concept of onboarding controls.  Onboarding controls allow you to manage who has the ability to protect content using AIP even when the service has been enabled at the tenant level.  Your common use case would be creating an Azure AD-managed or Windows AD-synced group which is used as your control group.  Users who are members of the group and are licensed appropriately would be able to protect content using AIP.  Other users within the tenant could consume the content but not protect it.

In my lab I’ll be using the GIW AIP Users group that is being synchronized to Azure AD from my Windows AD as the control group.  To use the group I’ll need to get its ObjectID which is the object’s unique identifier in Azure AD.  For that I used the Get-AzureADGroup cmdlet within Azure AD PowerShell module.

AIP4PIC6

Microsoft’s migration guide next suggests come configuration modifications to Windows computers within the forest.  I’m going to hold off on this for now and instead begin the server-side migration steps.

First up we’re going to export the trusted publisher domains (TPDs) from the AD RMS cluster.  We do this to ensure that users that have migrated over to AIP are still able to open content that was previously protected by the AD RMS cluster.  The TPD includes the Server Licensor Certificate (SLC) keys so when exporting them we protect them with a password and create an XML file that includes the SLC keys and any custom AD RMS rights policy templates.

AIP4PIC7.png

Next we import the exported TPD to AIP using the relevant process based upon how we chose to protect the cluster keys.  For this lab I used a software key (stored in the AD RMS database) so I’ll be using the software key to software key migration path.  Thankfully this path is quite simple and consists of running another cmdlet from the AADRM PowerShell module.  In the first command we store the password used to protect the TPD file as a secure string and use the Import-AadrmTpd cmdlet to pull it into AIP.  Notice the resulting data provides the cluster friendly name, indicates the Cryptographic Mode was set to 1, the key was a Microsoft-managed (aka software key) and there were three rights policy templates attached to the TPD.

Keep in mind that if you have multiple TPDs for some reason (let’s say you migrated from Cryptographic Mode 1 to Cryptographic Mode 2) you’ll need to upload each TPD separately and set the active TPD using the Set-AadrmKeyProperties cmdlet.

AIP4PIC8.png

Running a Get-AadrmTemplate shows the default templates Microsoft provides you with as well as the three templates I had configured in AD RMS.

AIP4PIC9

The last step of the server side of the process is to activate AIP.  For that we use the Enable-Aadrm cmdlet from the AADRM PowerShell module.

AIP4PIC10

At this point the server-side configuration steps have been completed and AIP is ready to go.  However, we still have some very important client-side configuration steps to perform.  We’ll cover those steps in my post.

Have a great week!

The Evolution of AD RMS to Azure Information Protection – Part 3 – Planning The Migration

Posted on by
The Evolution of AD RMS to Azure Information Protection – Part 3 – Planning The Migration

Welcome to the third post in my series exploring the evolution of Active Directory Rights Management Service (AD RMS) into Azure Information Protection (AIP).  My first post provided an overview of the service and some of its usages and my second post covered how the architecture of the solution has changed as the service has shifted from traditional on-premises infrastructure to  a software-as-a-service (SaaS) offering).  Now that we understand the purpose of the service and its architecture, let’s explore what a migration will look like.

For the post I’ll be using the labs I discussed in my first post.  Specifically, I’ll be migrating lab 2 (the Windows Server 2016 lab) from using AD RMS to Azure Information Protection.  I’ve added an additional Windows 10 Professional machine to that lab for reasons I’ll discuss later in the post.  The two Windows 10 machines are named CLIENT1 and CLIENT2.  Microsoft has assembled some guidance which I’ll be referencing throughout this post and using as the map for the migration.

With the introduction done, let’s dig in.

Before we do any button pushing, there’s some planning necessary to ensure a successful migration.  The key areas of consideration are:

  • Impact to collaboration with trusted organizations
  • Tenant key storage
  • AIP Client Rollout
  • Integrated Rights Management (IRM) functionality of Microsoft Exchange Server or Microsoft SharePoint Server

Impact to collaboration with trusted organizations

Possibly most impactful to an organization is the planning that goes into how the migration will affect collaboration with partner organizations.  Back in the olden days of on-premises AD RMS, organizations would leverage the protection and control that came with AD RMS to collaborate with trusted partners.  This was accomplished through trusted user domains (TUDs) or federated trusts.  With AIP the concept of TUDs and additional infrastructure to support federated trusts is eliminated and instead replaced with the federation capabilities provided natively via Azure Active Directory.

Yes folks, this means that if you want the same level of collaboration you had with AD RMS using TUDs, both organizations will need to need to have an Azure Active Directory (Azure AD) tenant with a license that supports the Azure Rights Management Service (Azure RMS).    In a future post in the series, we’ll check out what happens when the partner organization doesn’t migrate to Azure AD and attempts to consume the protected content.

Tenant Key Storage

The tenant key can be thought to as the key to the kingdom in the AIP world.  For those of you familiar with AD RMS, the tenant key serves the same function as the cluster key. In the on-premises world of AD RMS the cluster key was either stored within the AD RMS database or on a hardware security module (HSM).

When performing a migration to the world of AIP, storage of the tenant key has a few options.  If you’re using a cluster key that was stored within the AD RMS database you can migrate the key using some simple PowerShell commands.  If you’re opted to use HSM storage for your cluster key, you’re going to be looking at the bring your own key (BYOK) scenario.  Finally, if you have a hard requirement to keep the key on premises you can explore the hold your own key option (HYOK).

For this series I’ve configured my labs with a cluster key that is stored within the AD RMS database (or software key as MS is referring to it).  The AD RMS cluster in my environment runs in cryptographic mode 1, so per MS’s recommendation I won’t be migrating to cryptographic mode 2 until after I migrate to AIP.

AIP Client Rollout

Using AIP requires the AIP Client be installed.  The AD RMS Client that comes with pre-packaged with Microsoft Office can protect but can’t take advantage of the labels and classification features of AIP.   You’ll need to consider this during your migration process and ensure any middleware that uses the AD RMS Client is compatible with the AIP Client.  The AIP Client is compatible with on-premises AD RMS so you don’t need to be concerned with backwards compatibility.

As I mentioned above, I have two Windows 10 clients named CLIENT1 and CLIENT2.  In the next post I’ll be migrating CLIENT2 to the AIP Client and keeping CLIENT1 on the AD RMS Client.  I’ll capture and break down the calls with Fiddler so we can see what the differences are.

Integrated Rights Management (IRM) functionality of Microsoft Exchange Server or Microsoft SharePoint Server

If you want to migrate to AIP but still have a ways to go before you can migrate Exchange and SharePoint to the SaaS counterparts, have no fear.  You can leverage the protection capabilities of AIP (aka Azure RMS component) by using the Microsoft Rights Management Service Connector.  The connector requires some light weight infrastructure to handle the communication between Exchange/SharePoint and AIP.

I probably won’t be demoing the RMS Connector in this series, so take a read through the documentation if you’re curious.

We’ve covered an overview of AIP, the different architectures of AD RMS and AIP, and now have covered key planning decisions for a migration.  In the next post in my series we’ll start getting our hands dirty by initiating the migration from AD RMS to AIP.  Once the migration is complete, I’ll be diving deep into the weeds and examining the behavior of the AD RMS and AIP clients via Fiddler captures and AD RMS client debugging (assuming it still works with the AIP client).

See you next post!

The Evolution of AD RMS to Azure Information Protection – Part 2 – Architecture

Posted on by
The Evolution of AD RMS to Azure Information Protection – Part 2 – Architecture

Hi there.  Welcome to the second post in my series exploring the evolution of Active Directory Rights Management Service (AD RMS) into Azure Information Protection (AIP).  In the first post of the series I gave an brief overview of the important role AIP plays in Microsoft’s Cloud App Security (CAS) offering.  I also covered the details of the lab I will be using for this series.  Take a few minutes to read the post to familiarize yourself with the lab details because it’ll be helpful as we progress through the series.

I went back and forth as to what topic I wanted to cover for the second post and decided it would be useful to start at the high level comparing the components in a typical Windows AD RMS implementation to those used when consuming AIP.  I’m going to keep the explanation of each component brief to avoid re-creating existing documentation, but I will provide links to official Microsoft document for each component I mention.  With that intro, let’s begin.

The infrastructure required in an AD RMS implementation is pretty minimal but the complexity is in how all of the components work together to provide the solution.  At a very high level it is similar to any other web-based application consisting of a web server, application code, and a data backend.   The web-based application integrated with a directory to authenticate users and get information about the user that is used in authorization decisions.  In the AD RMS world the components map to the following products:

  • Web Server – Machine running Windows Server with Microsoft Internet Information Services and Microsoft Message Queuing Service
  • Application Code – Code installed onto the machine after adding the AD RMS role to a machine running Windows Server
  • Data Backend – Machine running Windows Server with Microsoft SQL Server running on it hosting configuration and logging database (optionally Windows Internal Database (WID) for test environments)
  • Directory – Windows Active Directory provides authentication, user information used for authorization, and stores additional AD RMS configuration data (Service Connection Point)

Nodes providing the AD RMS service are organized into a logical container called an AD RMS Cluster. Like most web applications AD RMS can be scaled out by adding more nodes to the cluster to improve performance and provide high availability (HA).  If using MS SQL for the data backend, traditional methods of HA can be used such as SQL clustering, database mirroring, and log shipping.  You can plop your favorite load balancer in front of the solution to help distribute the application load and keep track of the health of the nodes providing the service.

Beyond the standard web-based application components we have some that are specific to AD RMS.  Let’s take a deeper look at them.

  • AD RMS Cluster Key

    The AD RMS cluster key is the most critical part of an AD RMS implementation, the “key to the kingdom”, as it is used to sign the Server Licensor Certificate (SLC) which contains the corresponding public key.  The SLC is used to sign certificates created by AD RMS that allow for consumption of AD RMS-protected content as well as being used by AD RMS clients to encrypt the content key when a document is newly protected by AD RMS.

    The AD RMS cluster key is shared by all nodes that are members of the AD RMS cluster.  It can be stored within the MS SQL database/WID or on a supported hardware security module for improved security.

  • AD RMS Client / AD RMS-Integrated Server Applications

    Applications are great, but you need a method to consume them.  Once content is protected by AD RMS it can only be consumed by an application capable of communicating with AD RMS.  In most cases this is accomplished by using an application that has been written to use the AD RMS Client.  The AD RMS Client comes pre-installed on Windows Vista and up desktop operating systems and Windows Server 2008 and up server operating systems.

    The AD RMS client performs tasks such as bootstrapping (sometimes referred to as activation).  I won’t go into the details because I wouldn’t do near as well job as Dan does in the bootstrapping link.  In short it generates some keys and obtains some certificates from the AD RMS service that facilitate protecting and consuming content.

    AD RMS-integrated server applications such as Microsoft SharePoint Server and Microsoft Exchange Server provide server-level services that leverage the capabilities provided by AD RMS to protect data such as files stored in a SharePoint library or emails sent through Microsoft Exchange.

  • AD RMS Policy Templates

    While not a component of the system architecture, AD RMS Policy Templates are an AD RMS concept that deserves mention in this discussion.  The templates can be created by an organization to provide a standard set of use rights applicable to a type of data.  Common use cases are having multiple templates created for different data types.  For example, you may want one data type that allows trusted partners to view the document but not print or forward it while another template may restrict view rights to the accounting department.

    In AD RMS the policies are stored in the AD RMS database but are accessible via a call to the web service.  Optionally they can be exported from the database and distributed in other means like a Windows file share.

As you can see there are a lot of moving parts to an on-premises Windows AD RMS implementation.  Some of the components mentioned above can get even more complicated when the need to collaborate across organizations or support mobile devices arises.

How does AIP compare?  For the purposes of this post, I’m going to focus that comparison on Azure RMS which provides the protection capability of AIP.  Azure RMS is a software-as-a-service (SaaS) offering from Microsoft replaces (yes Microsoft, let’s be honest here) AD RMS.  It is licensed on a per user basis via a stand-alone, Enterprise Mobility + Security P1/P2, or qualifying Office 365 license.

The architecture of Azure RMS is far more simple than what existed for AD RMS.  Like most SaaS services, there is no on-premises infrastructure required except in very specific scenarios such as hold-your-own-key (HYOK) or integrating Azure RMS with an on-premises Microsoft Exchange Server, Microsoft SharePoint Server, or servers running Windows Server and File Classification Infrastructure (FCI) using the RMS Connector.   This means you won’t be building any servers to hold the RMS role or SQL Servers to host configuration and logging information.  The infrastructure is now managed by Microsoft and the RMS service provided over HTTP/HTTPS.

Azure RMS shifts its directory dependency to Azure Active Directory (AAD).  It uses the tenant in which the Azure RMS licenses are associated with for authentication and authorization of users.  As with any AAD use case, you can still authenticate users against your on-premises Windows Active Directory if you’ve configured your tenant for federated authentication and source data from an on-premises directory using Azure Active Directory Connect.

The cluster key, client, integrated applications, and policies are still in place and work similar to on-premises AD RMS with some changes to both function and names.

  • Azure Information Protection Tenant Key

    The AD RMS Cluster key has been renamed to the Azure Information Protection tenant key.  The tenant key serves the same purpose as the AD RMS Cluster and is used to sign the SLC certificate and decrypt information sent to Azure RMS using the public key in the SLC.  The differences between the two are really around how the key is generated and stored.  By default the tenant key is generated (note that Microsoft generates a 2048-bit key instead of a 1024-bit like was done with new installations of AD RMS) by Microsoft and is associated with your Azure Active Directory tenant.  Other options include bring-your-own-key (BYOK), HYOK, and a special instance where you are migrating from AD RMS to Azure RMS.  I’ll cover HYOK and the migration instance in future posts.

  • Azure Information Protection Client

    The AD RMS client is replaced with the Azure Information Protection Client.  The client performs the same functions as the AD RMS Client but allowing for integration with either on-premises AD RMS or Azure RMS.  In addition, the client introduces functionality around Azure Information Protection including adding a classification bar for Microsoft Office, Do Not Forward button to Microsoft Outlook, option in Windows File Explorer to classify and protect files, and PowerShell modules that can be used to bulk classify and protect files.  In a future post in this series I’ll be doing a deep dive of the client behavior including analysis of its calls to the Azure Information Protection endpoints via Fiddler.

    Unlike the AD RMS client of the past, the Azure Information Protection Client is supported on mobile operating systems such as iOS and Android.  Additionally, it supports a wider variety of file types than the AD RMS client supported.

  • Azure RMS-Integrated Server Applications

    Like its predecessor Azure RMS can be consumed by server applications such as Microsoft Exchange Server and Microsoft SharePoint Server with the RMS Connector.  There is native integration with Office 365 products including Exchange Online, SharePoint Online, OneDrive for Business, as well as being extensible to third-party applications via Cloud App Security (I’ll demonstrate this after I complete this series).  Like all good SaaS, there is also an API that can be leveraged to add the functionality to custom developed applications.

  • Rights Management Templates

    Azure RMS continues to use concepts of rights management templates like its predecessor.  Instead of being stored in a SQL database, the templates are stored in Microsoft’s cloud.  Templates created in AD RMS can also be imported into Azure RMS for continued use.  I’ll demonstrate how that process in a future post in this series.  Classification labels in AIP are backed by templates whenever a label applies protection with a pre-defined set of rights.  I’ll demonstrate this in a later post.

Far more simple in the SaaS world isn’t it?  In addition to simplicity Microsoft delivers more capabilities, tighter integration with its collaboration tools, and expansion of the capabilities to third party applies through a robust API and integration with Cloud App Security.

See you next post!