RMS FAQ: Administration

Updated: November 21, 2006

Applies To: Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

RMS Administration FAQ

What is the best way to revoke the permissions on documents for a user who leaves an organization?

In general, it is best to have documents licensed to user groups defined in Active Directory rather than to individual user accounts. This is recommended so that when a user leaves an organization, you can remove the user from the Active Directory group and the user cannot read documents sent to that group. However, the user can still read documents that have existing use licenses unless the documents had the rights set to require the user to obtain a use license every time the document is opened. If that right is not defined, the only way to prevent the user from opening documents that have existing use licenses is to erase the user’s license store on the user’s computer.

When establishing trusts between two organizations to exchange RMS content, does the XrML license certificate that is passed to the trusting company need any special handling?

When establishing a trusted user domain or a trusted publishing domain, you are choosing to trust the partner organization to participate within your rights management system. As such, you are taking a calculated risk that trusting the other organization does not compromise your information. As a best practice, request that the partner organization send its RMS server licensor certificate by using an authenticated channel, such as S/MIME e-mail, to help mitigate the risk that the server licensor certificate was tampered with before you import it onto your RMS server.

How does RMS work with roaming user profiles?

Rights account certificates (RACs) that are used to identify users are computer specific. When using roaming profiles, the first use of RMS on a given computer will create a new RAC for the user on that computer.

Why would an organization want to decommission RMS?

Decommissioning RMS removes the RMS server from the infrastructure and provides a way for users to save rights-protected content without protection. There are three main reasons why organizations choose to do this:

  • Simplifying architectural design, such as consolidating servers into a cluster.

  • Migrating a proof-of-concept pilot environment to a production environment.

  • Merging RMS servers such as after an acquisition.

What is the overall decommissioning process?

The decommissioning process is started from the RMS root cluster by enabling the decommissioning service. When the decommissioning service is enabled, all of the other services (for example, licensing and certification) are disabled. Next, each user’s RMS-enabled application needs to be directed to connect to the decommissioning service when an RMS feature is used. Microsoft Office 2003 is an example of an RMS-enabled application. In Office 2003, the RMS client is directed to RMS services by using registry keys. One specific registry key identifies the decommissioning service. Once this key is configured to direct the client to the decommissioning service, the RMS cluster will grant use licenses that provide full permissions (read, write, copy, print, edit, and so on) to the user for that content, regardless of whether the user originally was granted those permissions. Users should then be directed to remove all rights protection from any documents they want to retain after the RMS cluster is completely decommissioned. Once that has been done, the RMS cluster can be taken completely out of service.

As a best practice, back up the RMS cluster’s configuration database, in case you need to recover a rights-protected document after the cluster has been retired. Without the private key of the RMS root cluster, only the document’s author will be able to open the rights-protected content after the server is removed.

Can you decommission an RMS server so that only some users are able to recover documents?

You can apply an access control list (ACL) to the decommissioning Web service (decommission.asmx) to control access to the decommissioning service so that only certain users can obtain the decryption key for rights-protected content.

What does Server Cannot Access Application Directory mean?

This error sometimes appears when you first attempt to open the RMS administration Web site after installing RMS. After you receive this error, you cannot configure or administer RMS.

This error commonly occurs when Internet Information Services (IIS) is running in IIS 5.0 isolation mode. Use the following procedure to disable this setting on your server and restart IIS to resolve this issue.

To disable IIS 5.0 isolation mode

  1. Log on to the RMS server as a member of the local Administrators group.

  2. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

  3. In IIS Manager, expand the local computer, right-click Web Sites, and then click Properties.

  4. Click the Service tab, clear the Run WWW service in IIS 5.0 isolation mode check box, and then click OK.

  5. This change requires that the IIS service be restarted. When you are prompted to restart the IIS service, click Yes.

Can I use tracing with the RMS server?

Because Rights Management Services was created by using the Microsoft® .NET Framework, you can enable tracing to help track system events and troubleshoot issues.

You can implement tracing if you modify either the Web.config or Machine.config file. When you implement tracing in the Machine.config file, trace is run against every software component that is on the computer; however, if you implement tracing in the Web.config file, only events that occur in the Web services are traced.

To enable tracing

  1. Open either the Machine.config file or the Web.config file, and then add the following lines under the <system.diagnostics> section that is in the file:

    <!-- The three trace switches must sit inside a <switches> element;
         .NET does not accept <add> directly under <system.diagnostics>. -->
    <switches>
      <add name="Microsoft Windows Rights Management Services-Global" value="4" />
      <add name="Microsoft Windows Rights Management Services-TimeStamps" value="1" />
      <add name="Microsoft Windows Rights Management Services-Indents" value="0" />
    </switches>
    <!-- Trace output settings; a sibling of <switches>, not a child of it. -->
    <trace autoflush="false" indentsize="4"/>
  2. Restart IIS by running IISRESET from a command prompt.

  3. After you collect the data that you need, remove the lines from the .config file that you added in step 1.

  4. Restart IIS by running IISRESET from a command prompt.

When you use trace on an RMS server, performance issues can occur, such as longer delays in use license acquisitions and rights account certificate issuance. Use trace only in limited circumstances to help you diagnose and troubleshoot existing issues.
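The following script is an added example and is not part of the FAQ or of the RMS product. It models steps 1 and 3 of the procedure above against a constructed Web.config: `enable_rms_tracing` adds the three switches (inside the `<switches>` element that .NET expects) and the `<trace>` element under `<system.diagnostics>`, and `disable_rms_tracing` removes exactly those additions and nothing else, which is the step that is easy to forget and that the performance caveat makes important. The function names, the sample config and the idempotency behaviour are assumptions of this example; the switch names and values are the ones the FAQ gives.

```python
"""Add and later remove the RMS trace switches in a .NET Web.config / Machine.config.

Added example, not code from the FAQ or from RMS. Demonstrates steps 1 and 3 of
the "To enable tracing" procedure on a constructed sample configuration file.
"""
import xml.etree.ElementTree as ET

# Switch names and values exactly as given in the FAQ.
RMS_SWITCHES = {
    "Microsoft Windows Rights Management Services-Global": "4",
    "Microsoft Windows Rights Management Services-TimeStamps": "1",
    "Microsoft Windows Rights Management Services-Indents": "0",
}
# Attributes of the <trace> element the procedure adds.
TRACE_ATTRS = {"autoflush": "false", "indentsize": "4"}

# Constructed sample: a minimal Web.config with an empty <system.diagnostics>.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="false" />
  </system.web>
  <system.diagnostics>
  </system.diagnostics>
</configuration>
"""


def enable_rms_tracing(config_xml: str) -> str:
    """Step 1: add the switches and the <trace> element (idempotent)."""
    root = ET.fromstring(config_xml)
    diag = root.find("system.diagnostics")
    if diag is None:
        diag = ET.SubElement(root, "system.diagnostics")
    switches = diag.find("switches")
    if switches is None:
        switches = ET.SubElement(diag, "switches")
    for name, value in RMS_SWITCHES.items():
        existing = switches.find(f"add[@name='{name}']")
        if existing is None:
            ET.SubElement(switches, "add", name=name, value=value)
        else:
            existing.set("value", value)  # re-running must not duplicate entries
    if diag.find("trace") is None:
        ET.SubElement(diag, "trace", **TRACE_ATTRS)
    return ET.tostring(root, encoding="unicode")


def disable_rms_tracing(config_xml: str) -> str:
    """Step 3: remove only what step 1 added, leaving other settings untouched."""
    root = ET.fromstring(config_xml)
    diag = root.find("system.diagnostics")
    if diag is None:
        return config_xml
    switches = diag.find("switches")
    if switches is not None:
        for add in list(switches.findall("add")):
            if add.get("name") in RMS_SWITCHES:
                switches.remove(add)
        if len(switches) == 0:  # drop the wrapper only if we emptied it
            diag.remove(switches)
    trace = diag.find("trace")
    # Remove <trace> only if it is the bare element the procedure added,
    # not a pre-existing one carrying listeners or other settings.
    if trace is not None and dict(trace.attrib) == TRACE_ATTRS and len(trace) == 0:
        diag.remove(trace)
    return ET.tostring(root, encoding="unicode")


def rms_switch_values(config_xml: str) -> dict:
    """Return the RMS switch values currently present, for verification."""
    root = ET.fromstring(config_xml)
    return {
        a.get("name"): a.get("value")
        for a in root.findall("system.diagnostics/switches/add")
        if a.get("name") in RMS_SWITCHES
    }


if __name__ == "__main__":
    enabled = enable_rms_tracing(SAMPLE_WEB_CONFIG)
    print(enabled)
    print(disable_rms_tracing(enabled))
```

Restarting IIS (steps 2 and 4) is still done separately with IISRESET; the script only edits the file. Because the removal step matches on the exact switch names and the exact `<trace>` attributes, it is safe to run against a Machine.config that already carries unrelated diagnostics settings.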

What is clock skew and how should I manage it?

Clock skew is when the clock time on one computer differs from the clock time on another computer. It is a common occurrence, just as it is common for the wristwatches of any two people in a room to show slightly different times. Clock skew can cause problems whenever you specify a validity time in a license.

A validity time in a license is set according to the publisher's clock. Skew between the publisher's clock and the clocks of the RMS server and the consuming computer can cause problems in two places in the publishing and consuming cycle:

  • When an application tries to acquire a use license by using a publishing license that has a validity time that ends in the past or begins in the future, according to the clock of the RMS server. In this case, the request will fail. This can occur for an end user when they request a use license, or for an application that is attempting to prelicense a document (to acquire a use license on behalf of a user).

  • When the consuming application tries to use the license. If the license validity time has expired (or has not yet begun), the attempt to use the license will fail. Otherwise, only the rights that have expired (or are not yet valid) will be unavailable.

For example, if a publishing computer's clock is 15 minutes behind a consuming computer's clock, and the publisher creates a publishing license that specifies that the content expires in 15 minutes, the consumer would receive an unusable use license from the server because the rights to view the content granted by the use license would have already expired.

There is no perfect solution for clock skew problems. A good solution is to set the beginning validity time of a right earlier than the current time for consumers with clocks that are behind yours and, if possible, to extend the license validity time for users with clocks ahead of yours. It is recommended that you keep the impact of clock skew problems in mind, especially when creating licenses with short validity times.
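The following model is an added example and not part of the FAQ. It reproduces the 15-minute scenario above in code and extends it to the two failure points the FAQ lists (the server rejecting the request, and the consumer holding an already-expired or not-yet-valid license) and to the mitigation of backdating the start time and extending the end time. Times are seconds on an idealized true clock; each party's clock is that time plus an offset. The class and function names, and the name `skew_allowance` for the mitigation, are assumptions of this example.

```python
"""License validity under clock skew: a small model of the FAQ's scenario.

Added example, not from the FAQ or from RMS. The publisher stamps a validity
window from its own clock, the RMS server checks the window against its clock
when a use license is requested, and the consumer checks it against its clock
when the license is exercised.
"""
from dataclasses import dataclass

MINUTE = 60


@dataclass(frozen=True)
class Clock:
    offset: int  # seconds this clock is ahead (+) or behind (-) of true time

    def now(self, true_time: int) -> int:
        return true_time + self.offset


@dataclass(frozen=True)
class Validity:
    not_before: int
    not_after: int

    def contains(self, t: int) -> bool:
        return self.not_before <= t <= self.not_after


def publish(publisher: Clock, true_time: int, lifetime: int,
            skew_allowance: int = 0) -> Validity:
    """Stamp the validity window from the publisher's clock.

    skew_allowance models the FAQ's mitigation: start the window earlier than
    'now' (for consumers whose clocks are behind) and extend its end (for
    consumers whose clocks are ahead).
    """
    t = publisher.now(true_time)
    return Validity(t - skew_allowance, t + lifetime + skew_allowance)


def server_issues_use_license(server: Clock, true_time: int, v: Validity) -> bool:
    """RMS server check: the request fails if, by the server's clock, the
    publishing license's validity ends in the past or begins in the future."""
    return v.contains(server.now(true_time))


def consumer_can_use(consumer: Clock, true_time: int, v: Validity) -> bool:
    """Client-side check when the use license is exercised, by the consumer's clock."""
    return v.contains(consumer.now(true_time))


def simulate(publisher: Clock, server: Clock, consumer: Clock, lifetime: int,
             skew_allowance: int = 0, delay: int = 0) -> tuple:
    """Publish at true time 0; request and use the license at true time `delay`.

    Returns (server_granted, consumer_can_open).
    """
    v = publish(publisher, 0, lifetime, skew_allowance)
    granted = server_issues_use_license(server, delay, v)
    usable = granted and consumer_can_use(consumer, delay, v)
    return granted, usable


if __name__ == "__main__":
    # The FAQ's example: publisher (and its server) 15 minutes behind the
    # consumer, content set to expire in 15 minutes, consumed one second later.
    behind = Clock(-15 * MINUTE)
    print("no allowance:  ", simulate(behind, behind, Clock(0), 15 * MINUTE, delay=1))
    print("15 min allowance:",
          simulate(behind, behind, Clock(0), 15 * MINUTE, skew_allowance=15 * MINUTE, delay=1))
```

The first call returns `(True, False)`: the server grants the use license (its clock agrees with the publisher's) but the consumer's clock is already past the end of the window, which is the "unusable use license" the FAQ describes. Adding a 15-minute allowance widens the window on both sides so the same consumer can open the content. The trade-off is that the allowance also lengthens how long a consumer whose clock is accurate can use the content, which is why the FAQ says there is no perfect solution.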