
AD RMS Client 2.x Deployment Notes

Published: May 25, 2012

Updated: May 1, 2014

Applies To: Windows Server 2008, Windows Server 2012, Windows Storage Server 2008 R2

The Active Directory Rights Management Services (AD RMS) Client 2.x is software designed for your computers to help protect access to and usage of information flowing through applications that use AD RMS. The AD RMS Client 2.x ships as an optional download which can be, with acknowledgment and acceptance of its license agreement, freely distributed with your third-party software to enable clients to access content that has been rights-protected by AD RMS servers deployed in your environment.

This topic includes the following sections:

The AD RMS Client 2.x can be freely redistributed and bundled with other applications and IT solutions. Application developers and solution providers who are interested in redistributing the AD RMS Client 2.x can either:

  1. Embed the AD RMS Client 2.x installer as part of their application installation and run it in silent mode.


    This method of redistribution is recommended. For more information on how to install AD RMS client silently, see the following section.


    -OR-


  2. Make the AD RMS Client 2.x a prerequisite for their application.


    If you take this approach, you might need to provide more details to your users on how to obtain, install and update their computers to use the AD RMS Client 2.x before they can use your application.

The AD RMS Client 2.x is contained in an installer executable file called setup_msipc_<arch>.exe where <arch> is either x86 (for 32-bit client computers) or x64 (for 64-bit client computers). The 64-bit (x64) installer package installs both a 32-bit runtime for compatibility with 32-bit applications running on a 64-bit operating system installation as well as a 64-bit runtime for supporting native 64-bit applications. The 32-bit (x86) installer will not run on a 64-bit Windows installation.

Note
To install AD RMS Client 2.x, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group will be able to install software or can delegate the authority to others to do so as needed.

Once downloaded to your local computer, the AD RMS Client 2.x can be installed using either of the following installation methods:

  • Silent mode.  By using the /quiet switch as part of the command-line options you can silently install the AD RMS Client 2.x on client computers. For example, the following command performs a silent-mode installation on a 64-bit client computer using the x64 installer package.

    setup_msipc_x64.exe /quiet
    
  • Interactive mode.  Alternately, you can install the AD RMS Client 2.x on client computers using the GUI-based interactive setup provided by the AD RMS Client 2.x Installation Wizard. To launch this type of installation you need only double-click the AD RMS Client 2.x installer package (setup_msipc_<arch>.exe) in the folder to which it was copied or downloaded on your local computer.
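The silent-mode installation above, wrapped in a deployment script as an added example (this is not code from the original page or from Microsoft). It picks the installer package by operating system architecture, since the x86 package will not run on 64-bit Windows, checks for local Administrators membership before starting, and inspects the installer's exit code. The staging folder, the exit-code convention (0 for success, 3010 for "restart required" as used by Windows installer packages generally) and the Msipc.dll sanity check against the default install path are assumptions of this script.

```powershell
# Added example (not from the original page): silent install of the AD RMS Client 2.x
# with architecture detection. $InstallerDir is an assumed staging folder.
param(
    [string]$InstallerDir = "C:\Deploy\ADRMS"
)

# The x86 package will not run on 64-bit Windows, so pick the package by OS architecture.
$arch      = if ([Environment]::Is64BitOperatingSystem) { "x64" } else { "x86" }
$installer = Join-Path $InstallerDir "setup_msipc_$arch.exe"

if (-not (Test-Path $installer)) {
    throw "Installer not found: $installer"
}

# Installation requires membership in the local Administrators group; fail early if missing.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this script from an elevated (Administrator) PowerShell session."
}

# /quiet is the silent-mode switch documented for the package.
$proc = Start-Process -FilePath $installer -ArgumentList "/quiet" -Wait -PassThru

# Exit-code handling follows the usual Windows installer convention (assumed for this package).
switch ($proc.ExitCode) {
    0       { Write-Host "AD RMS Client 2.x installed." }
    3010    { Write-Host "AD RMS Client 2.x installed; a restart is required (exit code 3010)." }
    default { throw "Installer failed with exit code $($proc.ExitCode)." }
}

# Sanity check against the default install location documented for the client.
$dll = Join-Path ${env:ProgramFiles} "Active Directory Rights Management Services Client 2.x\Msipc.dll"
if (Test-Path $dll) {
    Write-Host "Found $dll"
} else {
    Write-Warning "Msipc.dll not found at the default location; verify the installation."
}
```

Run it from an elevated session on the target computer; in a managed rollout the same script can be pushed by your software distribution tool, with the installer packages copied to the staging folder first.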

The following section contains frequently asked questions about the AD RMS Client 2.x and the answers to them.

The AD RMS Client 2.x is supported for the following operating systems (where the specified service updates as noted or later updates have been applied):

  • Windows Vista® SP2

  • Windows Server® 2008

  • Windows® 7 SP1

  • Windows Server 2008 R2

  • Windows® 8

  • Windows Server® 2012

The AD RMS Client 2.x is supported for the following computing platforms:

  • x86

  • x64

The AD RMS Client 2.x is installed by default in %ProgramFiles%\Active Directory Rights Management Services Client 2.x.

The following are the files that are installed as part of the AD RMS Client 2.x software:

  • Msipc.dll

  • Ipcsecproc.dll

  • Ipcsecproc_ssp.dll

  • MSIPCEvents.man

In addition to the above files, the AD RMS Client 2.x also installs multilingual user interface (MUI) support files in 44 languages. To verify the languages supported, run the AD RMS Client 2.x installation and then review the contents of the multilingual support folders under the default path after installation has been completed.

No. The AD RMS Client 2.x ships as an optional download which can be installed separately on computers running supported versions of the Microsoft Windows operating system.

Once downloaded and installed on a client computer, the AD RMS Client 2.x is regarded as system software in the same way as any system files which have been installed as part of your operating system. Depending on whether you install the AD RMS Client 2.x in silent mode or interactive mode, your Microsoft Update system settings might be modified. If you install using the silent installation option, the AD RMS Client 2.x will inherit whatever your current Microsoft Update settings are already on the system. If you install using the interactive or GUI-based setup, the AD RMS Client 2.x Installation Wizard will prompt you to enable Microsoft Update.

The following section contains settings information about the AD RMS Client 2.x that can be helpful when debugging and troubleshooting issues that arise while deploying it to support your application or solution.

AD RMS Client 2.x stores licenses on the local disk and also caches additional information in the Windows Registry. License store and registry locations differ based on whether an application is running in client mode or server mode. The following table indicates the storage locations for what is stored in each of these modes.

License store location
  Client mode: %localappdata%\Microsoft\MSIPC
  Server mode: %allusersprofile%\Microsoft\MSIPC\Server\<SID>\

Template store location
  Client mode: %localappdata%\Microsoft\MSIPC\Templates
  Server mode: %allusersprofile%\Microsoft\MSIPC\Server\Templates\<SID>\

Registry location
  Client mode: HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\MSIPC
  Server mode: HKEY_CURRENT_USER\Software\Microsoft\MSIPC\Server\<SID>

Note
<SID> is the security identifier (SID) of the account under which the server application is running. For example, if the application is running under the built-in Network Service account, you would replace <SID> with the well-known SID for that account ("S-1-5-20").
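To make the <SID> convention concrete, here is an added example (not from the original page) that translates a service account name to its SID and builds the client-mode and server-mode store paths and registry keys from the table above. The account name is an input you supply; the ACL listing at the end is an assumed troubleshooting step for reviewing who can write to the server-mode license store, not something the page prescribes.

```powershell
# Added example (not from the original page): resolve MSIPC store locations for a given
# server-mode service account, following the <SID> substitution described in the table.
function Get-MsipcStorePaths {
    param(
        # Account the server-mode application runs as, e.g. "NT AUTHORITY\NETWORK SERVICE".
        [Parameter(Mandatory)] [string]$ServerAccount
    )

    # Translate the account name to its SID (Network Service resolves to S-1-5-20).
    $account = New-Object System.Security.Principal.NTAccount($ServerAccount)
    $sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

    $localAppData    = [Environment]::GetEnvironmentVariable("LOCALAPPDATA")
    $allUsersProfile = [Environment]::GetEnvironmentVariable("ALLUSERSPROFILE")

    [pscustomobject]@{
        ServerSid           = $sid
        ClientLicenseStore  = Join-Path $localAppData "Microsoft\MSIPC"
        ClientTemplateStore = Join-Path $localAppData "Microsoft\MSIPC\Templates"
        ClientRegistryKey   = "HKCU:\Software\Classes\Local Settings\Software\Microsoft\MSIPC"
        ServerLicenseStore  = Join-Path $allUsersProfile "Microsoft\MSIPC\Server\$sid"
        ServerTemplateStore = Join-Path $allUsersProfile "Microsoft\MSIPC\Server\Templates\$sid"
        ServerRegistryKey   = "HKCU:\Software\Microsoft\MSIPC\Server\$sid"
    }
}

# Usage: locations for a server application running as Network Service.
$paths = Get-MsipcStorePaths -ServerAccount "NT AUTHORITY\NETWORK SERVICE"
$paths | Format-List

# Assumed troubleshooting step: show which principals can write to the server-mode license
# store so the ACL can be reviewed (licenses for the service account live here).
if (Test-Path $paths.ServerLicenseStore) {
    (Get-Acl $paths.ServerLicenseStore).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
} else {
    Write-Host "Server-mode license store not created yet: $($paths.ServerLicenseStore)"
}
```

The server-mode registry key lives under HKEY_CURRENT_USER of the service account, so to inspect it you must query the hive loaded for that account (for example, as that account, or via HKEY_USERS\<SID>) rather than the hive of the administrator running the script.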

An administrator can use Windows Registry keys to set or modify AD RMS Client 2.x configurations. For example, as an administrator for AD RMS-enabled applications, you might want to update the enterprise service location (that is, override the AD RMS server selected for use when publishing) depending on the client computer's current location within your Active Directory topology, or you might also want to enable AD RMS tracing at the client computer. These types of actions can be managed using AD RMS Client 2.x registry settings provided in the following table.

Each task below is followed by the registry settings that control it.

To update the enterprise service location for a client computer

Update the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSIPC\ServiceLocation\EnterpriseCertification
    REG_SZ: (Default)

    Value: http(s)://<RMS_Cluster_Name>/_wmcs/Certification

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSIPC\ServiceLocation\EnterprisePublishing
    REG_SZ: (Default)

    Value: http(s)://<RMS_Cluster_Name>/_wmcs/Licensing

To enable and disable tracing

Update the following registry key:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSIPC
    REG_DWORD: Trace

    Value: 1 to enable tracing, 0 to disable tracing (default)

To update the frequency (in days) within which template updates occur

The following registry values specify how often the template cache is updated on the user's desktop. Use the mode-specific value that applies, depending on whether your AD RMS Client 2.x application runs in client or server mode.

Client Mode:

  • HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\MSIPC
    REG_DWORD: TemplateUpdateFrequency

    Value: An integer value that specifies the number of days between downloads.

Server Mode:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSIPC\Server\<SID>
    REG_DWORD: TemplateUpdateFrequency

    Value: An integer value that specifies the number of days between downloads.

To have AD RMS Client 2.x to download templates immediately at the next publishing request

During testing and trial, it may be preferable to have AD RMS Client 2.x download templates as soon as possible. The following registry key can be removed in order to have AD RMS Client 2.x download templates immediately at the next publishing request rather than wait for the time specified by the TemplateUpdateFrequency registry setting:

  • HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\MSIPC\<Server Name>\Template

Note
<Server Name> could have both external (corprights.contoso.com) and internal (corprights) URLs and thus two different entries.

To enable the AD RMS Client 2.x to support federated authentication

If the AD RMS client computer is connecting by using a federated trust, you must configure the federation home realm. The registry key is:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\MSIPC\Federation
    REG_SZ: FederationHomeRealm

    Value: The value of this registry entry is the uniform resource identifier (URI) for the federation service (for example, "https://fs-01.contoso.com").

To configure the AD RMS Client 2.x to support partner federation servers that require forms-based authentication for user input

By default, the AD RMS Client 2.x operates in silent mode and user input is not required. Partner federation servers, however, might be configured to require user input, such as by way of forms-based authentication. In this case, the AD RMS Client 2.x must be configured to ignore the silent mode so that the federated authentication form appears in a browser window and the user is prompted for authentication.

  • HKEY_LOCAL_MACHINE\Software\Microsoft\MSIPC\Federation
    REG_DWORD: EnableBrowser

Note
If the federation server is configured to use forms-based authentication, this key is required. If the federation server is configured to use Windows integrated authentication, this key is not required.

To configure the AD RMS Client 2.x to block ILS service consumption

By default, the AD RMS Client 2.x allows consuming content protected by the ILS service; however, it can be configured to block such content by setting the following registry key. If this registry key is set to disable the ILS service, any attempt to open and consume content protected by the ILS service will return the following error:
HRESULT_FROM_WIN32(ERROR_ACCESS_DISABLED_BY_POLICY)

  • HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\MSIPC
    REG_DWORD: DisablePassportCertification

    Value: 1 to block ILS consumption, 0 to allow ILS consumption (default)

The AD RMS Client 2.x will automatically download templates for publishing. If you are in charge of workstations in a managed environment, you can manage distribution of templates for your AD RMS server by placing templates in the following location. In this case, the AD RMS Client 2.x will not download any templates from your AD RMS server and will instead use the templates you have placed in this directory. The AD RMS Client 2.x might continue to download templates from other available AD RMS servers.

Client Mode: %localappdata%\Microsoft\MSIPC\UnmanagedTemplates

Server Mode: %allusersprofile%\Microsoft\MSIPC\Server\UnmanagedTemplates\<SID>

When placing templates in these locations, there is no special naming convention that must be strictly followed except that the template should be issued by the AD RMS server and it should be named using the .xml file extension type. For example, Contoso-Confidential.xml or Contoso-ReadOnly.xml would be valid names.

The AD RMS Client 2.x can be limited to using only specific trusted AD RMS servers by making the following modifications to the Windows Registry on local computers where it is installed.

To enable limiting AD RMS Client 2.x to use only trusted AD RMS servers

  • HKEY_LOCAL_MACHINE\Software\Microsoft\MSIPC\TrustedServers\
    REG_DWORD: AllowTrustedServersOnly

    Value: If a non-zero value is specified the AD RMS Client 2.x will trust only the specified servers that are configured in the list (see below) and the Windows Azure Active Directory Rights Management service (if it is available).

To add members to the list of trusted AD RMS servers

  • HKEY_LOCAL_MACHINE\Software\Microsoft\MSIPC\TrustedServers\
    REG_SZ: <URL_or_HostName>

    Value: The string values added in this registry key location can be either DNS domain name format (for example, "adrms.contoso.com") or full URLs to trusted AD RMS servers (for example, "https://adrms.contoso.com"). If a specified URL uses SSL (for example, if it starts "https://...") then the AD RMS Client 2.x will require SSL for contacting the specified AD RMS server.
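The two settings above, applied together as an added example (not code from the original page or from Microsoft): an allow-list of AD RMS servers is written first and AllowTrustedServersOnly is enabled only afterwards, so the client is never left enforcing an empty list. The server names are assumed inputs; the page specifies the value name (the URL or host name) but not the data, so this script leaves the REG_SZ data empty, which is an assumption.

```powershell
# Added example (not from the original page): restrict the AD RMS Client 2.x to an explicit
# allow-list of AD RMS servers. $trustedServers is an assumed input for this environment.
$trustedKey = "HKLM:\Software\Microsoft\MSIPC\TrustedServers"

# Entries may be DNS names or full URLs. An https:// URL makes the client require SSL for
# that server, so prefer the URL form wherever the cluster is reachable over SSL.
$trustedServers = @(
    "https://adrms.contoso.com",
    "adrms-internal.contoso.com"
)

if (-not (Test-Path $trustedKey)) {
    New-Item -Path $trustedKey -Force | Out-Null
}

foreach ($server in $trustedServers) {
    if ($server -match '^http://') {
        Write-Warning "$server is listed as plain http; the client will not require SSL for it."
    }
    # Each entry is a REG_SZ whose *name* is the URL or host name (data left empty: assumption).
    New-ItemProperty -Path $trustedKey -Name $server -PropertyType String -Value "" -Force | Out-Null
}

# Turn on enforcement last: a non-zero value restricts the client to the listed servers
# (plus the Windows Azure AD Rights Management service, if available).
New-ItemProperty -Path $trustedKey -Name "AllowTrustedServersOnly" -PropertyType DWord -Value 1 -Force | Out-Null

# Read back what the client will see.
Get-ItemProperty -Path $trustedKey
```

Because the key is under HKEY_LOCAL_MACHINE, run this from an elevated session; to roll it back, set AllowTrustedServersOnly to 0 before removing the server entries, for the same ordering reason.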

In order for the AD RMS Client 2.x software running on client computers to work, a series of checks is performed as part of service discovery when AD RMS is used to protect content.

When a user of AD RMS attempts to protect content, the AD RMS Client 2.x will attempt to discover and establish a service connection with an AD RMS server, trying the following discovery checks in order:

  • If the Windows Registry on the local computer where the AD RMS Client 2.x is running has been configured with AD RMS service discovery settings, those settings will be tried first.

  • If no local Windows Registry settings have been added (the default), the AD RMS Client 2.x will query Active Directory to see if it can obtain the URL of an AD RMS server. If a service connection point (SCP) has been registered, that URL will be returned and used by the AD RMS Client 2.x to establish a service connection with an AD RMS server.

Note that when consuming content, some service discovery can occur as well, but the protection policy itself (which is attached to the protected content) will indicate the preferred AD RMS server to try first before attempting to discover other alternate AD RMS servers to verify and enforce rights protection.

To help Active Directory clients discover AD RMS, a service connection point (SCP) can be registered automatically during the installation of the AD RMS root cluster server. If the AD RMS administrator account (that is, the user account that is used to install AD RMS) does not have appropriate permissions to the Active Directory forest, the SCP will not be automatically registered. If an AD RMS SCP already exists in the forest, the AD RMS administrator account must have access to delete the existing SCP and create a new one.

To perform these procedures, you must be using a logon that has enterprise administrative privileges. Specifically, your logon must be a member of both the local Administrators group on the server from which you are administering AD RMS and the Enterprise Admins group in Active Directory. Otherwise, any attempt to register the SCP will fail because you will not have the required authority.

  1. Open the Active Directory Rights Management Services console at the AD RMS server.

    If you are using Windows Server® 2008 or Windows Server® 2008 R2, click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.

    If you are using Windows Server® 2012, in Server Manager, click Tools, and then click Active Directory Rights Management Services.

  2. In the AD RMS console tree view, right-click the AD RMS cluster, and then click Properties.

  3. Click the SCP tab.

  4. Select the Change SCP check box.

  5. Select the Set SCP to current certification cluster option, and then click OK.

As an alternative to using an SCP, or where an SCP does not exist, the AD RMS Client 2.x software can be pointed at the proper AD RMS server by configuring a Windows Registry setting, so that its service discovery call succeeds and it can locate and contact that server.

  1. Open the Windows Registry editor, Regedit.exe.

    On the client computer, in the Run window, type regedit, and then press ENTER.

    The Registry Editor opens.

  2. In the Registry Editor, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSIPC.

    Important
    If you are running a 32-bit application on a 64-bit computer, the path will be modified to read as follows:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MSIPC

  3. To create the ServiceLocation subkey, right-click MSIPC, point to New, click Key, and then type ServiceLocation.

  4. To create the EnterpriseCertification subkey, right-click ServiceLocation, point to New, click Key, and then type EnterpriseCertification.

  5. To set the enterprise certification URL, double-click the (Default) value under the EnterpriseCertification subkey, and when the Edit String dialog appears, type http(s)://<AD_RMS_cluster_name>/_wmcs/Certification for Value data, and then click OK.

  6. To create the EnterprisePublishing subkey, right-click ServiceLocation, point to New, click Key, and then type EnterprisePublishing.

  7. To set the enterprise publishing URL, double-click the (Default) value under the EnterprisePublishing subkey, and when the Edit String dialog appears, type http(s)://<AD_RMS_cluster_name>/_wmcs/Licensing for Value data, and then click OK.

  8. Close the Registry Editor.
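The eight Registry Editor steps above, carried out as one script; this is an added example, not code from the original page or from Microsoft. The cluster name and URL scheme are assumed inputs. When -IncludeWow6432Node is given on a 64-bit computer, the same values are also written under the Wow6432Node path noted in step 2, so 32-bit applications see the override too.

```powershell
# Added example (not from the original page): configure the enterprise certification and
# publishing service locations in the registry. $ClusterName and $Scheme are assumed inputs.
param(
    [string]$ClusterName = "adrms.contoso.com",
    [ValidateSet("http", "https")] [string]$Scheme = "https",
    # Also write the Wow6432Node path so 32-bit applications on 64-bit Windows see the setting.
    [switch]$IncludeWow6432Node
)

$certUrl = "${Scheme}://$ClusterName/_wmcs/Certification"
$licUrl  = "${Scheme}://$ClusterName/_wmcs/Licensing"

# Step 2: the native key, plus the Wow6432Node key for 32-bit applications when requested.
$roots = @("HKLM:\SOFTWARE\Microsoft\MSIPC")
if ($IncludeWow6432Node -and [Environment]::Is64BitOperatingSystem) {
    $roots += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSIPC"
}

$subkeys = @{
    EnterpriseCertification = $certUrl   # steps 4-5
    EnterprisePublishing    = $licUrl    # steps 6-7
}

foreach ($root in $roots) {
    foreach ($name in $subkeys.Keys) {
        # Step 3 (ServiceLocation) and the subkey itself are created together if missing.
        $key = Join-Path $root "ServiceLocation\$name"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # The URL goes into the subkey's (Default) value.
        Set-ItemProperty -Path $key -Name "(Default)" -Value $subkeys[$name]
    }
}

# Verify what the client will read during service discovery.
foreach ($root in $roots) {
    foreach ($name in $subkeys.Keys) {
        $key = Join-Path $root "ServiceLocation\$name"
        "{0} -> {1}" -f $key, (Get-ItemProperty -Path $key).'(default)'
    }
}
```

Prefer https for the scheme: the service location URL is where the client sends certification and licensing requests, and an http override would move that traffic to cleartext for every application on the computer.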

If neither an SCP is configured nor service discovery is established using the alternate Windows Registry configuration, service discovery calls issued by the AD RMS Client 2.x software will fail because the service connection point URL will be empty.

In some cases, you might need to redirect traffic during service discovery such as when two organizations are merged and the old licensing server in one organization is retired and clients need to be redirected to a new licensing server. To enable licensing redirection, use the following procedure.

  1. Open the Windows Registry editor, Regedit.exe.

    On the client computer, in the Run window, type regedit, and then press ENTER.

    The Registry Editor opens.

  2. In the Registry Editor, navigate to one of the following:

    • For the 64-bit version of Office on an x64 platform: HKLM\SOFTWARE\Microsoft\MSIPC\Servicelocation

    • For the 32-bit version of Office on an x64 platform: HKLM\SOFTWARE\Wow6432Node\Microsoft\MSIPC\Servicelocation

  3. Create a LicensingRedirection subkey by right-clicking Servicelocation, pointing to New, clicking Key, and then typing LicensingRedirection.

  4. To set the licensing redirection, right-click the LicensingRedirection subkey, select New, and then select String value.

    For Name, specify the previous server licensing URL and for Value specify the new server licensing URL.

    For example, to redirect licensing from a server at Contoso.com to one at Fabrikam.com, you might enter the following values:

    Name: https://contoso.com/_wmcs/licensing

    Value: https://fabrikam.com/_wmcs/licensing

    Note
    If the old licensing server has both intranet and extranet URLs specified then a new name/value mapping has to be set for both of these URLs under the LicensingRedirection key.

  5. Repeat the previous step for all servers that need to be redirected.

  6. Close the Registry Editor.
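The licensing redirection procedure above as a script, added here as an example (not code from the original page or from Microsoft). The old and new licensing URLs are assumed inputs; following the note in step 4, both the extranet and the intranet URL of the retired server are mapped. The intranet host name "corprights" is borrowed from the earlier template note and is an assumption for this example.

```powershell
# Added example (not from the original page): write LicensingRedirection name/value mappings
# for both 64-bit and 32-bit Office. The URLs below are assumed values.
$redirections = @{
    "https://contoso.com/_wmcs/licensing" = "https://fabrikam.com/_wmcs/licensing"   # extranet URL
    "https://corprights/_wmcs/licensing"  = "https://fabrikam.com/_wmcs/licensing"   # intranet URL (assumed)
}

# 64-bit Office reads the native key; 32-bit Office on x64 reads the Wow6432Node key.
$keys = @("HKLM:\SOFTWARE\Microsoft\MSIPC\ServiceLocation\LicensingRedirection")
if ([Environment]::Is64BitOperatingSystem) {
    $keys += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSIPC\ServiceLocation\LicensingRedirection"
}

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($oldUrl in $redirections.Keys) {
        $newUrl = $redirections[$oldUrl]
        # Redirecting licensing traffic to a plain-http target would downgrade transport protection.
        if ($newUrl -notmatch '^https://') { Write-Warning "Target $newUrl is not https." }
        # Name = previous server licensing URL, Value = new server licensing URL.
        New-ItemProperty -Path $key -Name $oldUrl -PropertyType String -Value $newUrl -Force | Out-Null
    }
}

# Read back the mappings the client will apply.
foreach ($key in $keys) {
    Write-Host "== $key"
    foreach ($name in (Get-Item $key).Property) {
        "{0} -> {1}" -f $name, (Get-ItemProperty -Path $key -Name $name).$name
    }
}
```

Keep the mapping list under change control: a redirection entry silently changes which server issues use licenses for existing protected content, so an unexpected entry here is worth investigating.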
