[Original] AD RMS client service discovery

Source: Internet
Author: User

I wanted to write an article about configuring AD RMS to support extranet access. Before that, I need to describe how RMS client service discovery works.

What is AD RMS client service discovery (the term used in the RMS documentation)? Put simply, it is how the RMS client finds the RMS server.

There are three ways for the RMS client to find the RMS server:

1. Find the SCP in AD. In a Windows domain environment, when the client uses an RMS feature, it queries the SCP (service connection point) in AD. The SCP attribute records the URL of the RMS service in the forest. This is the recommended method for deploying AD RMS, and it requires no additional configuration on the RMS client.

2. RMS client registry override. You can create the RMS service URL values directly in the RMS client's registry, at the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDRM\ServiceLocation

Create two subkeys under it:

  • Activation. This entry overrides the default AD RMS certification service configured in the SCP. Its syntax is http(s)://<your cluster>/_wmcs/certification, where <your cluster> is the URL of the root cluster that should be used for certification.
  • EnterprisePublishing. This entry overrides the default AD RMS licensing service that the AD RMS client connects to. Its syntax is http(s)://<your cluster>/_wmcs/licensing, where <your cluster> is the URL of the licensing-only cluster.

This method applies when the client is not joined to the Windows domain, or when the client cannot reach the Windows domain environment (for example, when it is on the extranet). If a client that can reach AD also has these override entries in its registry, the registry overrides take priority over the AD SCP.

The following is a registry sample file for these registry items.


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDRM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDRM\ServiceLocation]

; Overrides the certification service URL published in the SCP
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDRM\ServiceLocation\Activation]
@="https://rms.rmstest.com/_wmcs/certification"

; Overrides the licensing service URL published in the SCP
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDRM\ServiceLocation\EnterprisePublishing]
@="https://rms.rmstest.com/_wmcs/licensing"

3. Look up the intranet and extranet licensing service URLs in an RMS-protected document. When publishing a rights-protected document, the document creator adds the intranet and extranet licensing service URLs to the document. When the RMS client opens a rights-protected document for the first time and the other service discovery methods are unavailable, the client can retrieve the licensing URL from the document.

We can open an RMS-protected Word document in Notepad to see these URLs.
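
Because a registry override (method 2) outranks the SCP, a wrong or unexpected value in those keys silently redirects the client's certification and licensing requests. The following added example (not from the original article) audits the text of a .reg export of the ServiceLocation key; the function names, the allow-list and the second sample host are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Expected pipeline path for each override subkey, as given in the article.
EXPECTED_PATH = {"activation": "/_wmcs/certification",
                 "enterprisepublishing": "/_wmcs/licensing"}
BASE = r"hkey_local_machine\software\microsoft\msdrm\servicelocation"

def parse_overrides(reg_text):
    """Return {subkey: default value} for keys under MSDRM\\ServiceLocation."""
    found, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = re.fullmatch(r"\[(.+)\]", line)
        if key:
            path = key.group(1).lower()  # registry key names are case-insensitive
            current = path[len(BASE) + 1:] if path.startswith(BASE + "\\") else None
        elif current and (val := re.fullmatch(r'@\s*=\s*"(.*)"', line)):
            found[current] = val.group(1)
    return found

def audit(reg_text, allowed_hosts):
    """List findings for override URLs the client would use ahead of the SCP."""
    findings = []
    for name, url in parse_overrides(reg_text).items():
        if name not in EXPECTED_PATH:
            findings.append((name, "unexpected subkey"))
            continue
        parts = urlsplit(url)
        if parts.scheme.lower() != "https":
            findings.append((name, "not HTTPS"))
        if (parts.hostname or "").lower() not in allowed_hosts:
            findings.append((name, "host not in allow-list"))
        if parts.path.rstrip("/").lower() != EXPECTED_PATH[name]:
            findings.append((name, "wrong pipeline path"))
    return findings

# Constructed sample export: one expected entry, one pointing somewhere else.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDRM\ServiceLocation\Activation]
@="https://rms.rmstest.com/_wmcs/certification"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDRM\ServiceLocation\EnterprisePublishing]
@="http://rms.example.invalid/_wmcs/licensing"
'''

print(audit(SAMPLE, {"rms.rmstest.com"}))
```

Files exported by regedit in the "Version 5.00" format are UTF-16, so decode them to text before passing them to `audit`.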


The following screens show what happens when the RMS permission restriction feature is activated in different scenarios.

Scenario 1: The computer has not been joined to the domain and its registry has not been changed. When you click the permission restriction menu in an MS Office application for the first time, the free sign-up wizard for Microsoft's "Information Rights Management" service (Windows Live ID account) is displayed. Because the RMS client cannot find the address of the RMS service in the registry or find an SCP in AD, it suggests using Microsoft's "Information Rights Management" service.

Scenario 2: The computer has not been joined to the domain, but the RMS service override entries have been added to its registry. When you click the permission restriction menu in an MS Office application for the first time, the "Select Service" window is displayed.

The first option is the same as scenario 1.

The second option is to use the enterprise's AD RMS service. After you select the second option and click "OK", the RMS client connects to the RMS service address recorded in the registry. For SSL-encrypted HTTPS services, a certificate security warning may pop up.

Click "Yes" to continue. A prompt indicating that the website is not in a trusted zone (you can add it to the trusted zone) may pop up.

Click "yes" to continue. The logon window is displayed.

After logging on, you can see a window for setting Read and Change permissions.

Scenario 3: The computer has not been joined to the domain and its registry has not been changed. When you open a rights-protected file for the first time, the RMS client first looks up the intranet licensing service URL in the file and tries to connect to it. If the connection fails, it tries to connect to the extranet licensing service URL. The following prompt is displayed.

Prompt when connecting to the intranet licensing service URL:

Prompt when connecting to the extranet licensing service URL:

How domain-joined computers look up the RMS service is the common case, so it is not covered in detail here.
