How can I troubleshoot RMS server?

DP 1

Hello,

We are configuring an AD LAB following Cloud Exit procedures. We have imported keys into the HSM and the TPD seems to be imported correctly.

I am encountering an error while attempting to access a protected file and would like to know how to begin troubleshooting.

I have heard mentions of an RMS Analyzer that I would like to try but the download appears to be removed.

How can I begin troubleshooting?

Thank you.

JamesTran-MSFT 36,376 Reputation points Microsoft Employee

2020-11-13T00:46:22.557+00:00

@DP
Thank you for your question!

Are you able to provide any documentation that you followed when setting up your AD lab using Cloud Exit procedures? Additionally, when you referenced HSM are you using an HSM (i.e. Azure Key Vault) to decrypt? Or what're you using these keys for?

Any additional information would be greatly appreciated!

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
DP 1 Reputation point

2020-11-14T01:02:14.723+00:00

Hello James,

Thank you for your attention.

Since we are BYOK we store our keys in an nCipher security appliance.
Here are the guidelines I follow.
https://techcommunity.microsoft.com/t5/microsoft-security-and/how-to-prepare-an-azure-information-protection-cloud-exit-plan/ba-p/382631

We have provisioned an AD RMS Server with an HSM which manages our key. We have modified the registry to redirect all traffic that would normally go cloud to our AD RMS server. The above error occurs both in powershell when attempting to unprotect and when simply trying to view within outlook.

I hope this provides some more information thank you for your time.
JamesTran-MSFT 36,376 Reputation points Microsoft Employee

2020-11-16T21:37:06.72+00:00

@DP
Thank you for the additional information and documentation!

I've reached out to our Azure Information Protection engineering team for additional guidance on this issue and will update as soon as possible. If this is an urgent issue, please let me know and I'd be more then happy to enable your subscription for a one-time free technical support request so our support engineers can take a look into this issue.

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
James Hamil 21,851 Reputation points Microsoft Employee

2020-11-26T00:06:05.47+00:00

Hi, do you still require assistance? If not, please mark the answer as verified.

Thank you,
James

1 answer

JamesTran-MSFT 36,376 Reputation points Microsoft Employee

2020-11-17T19:05:27.12+00:00
@DP
Thank your for your time and patience throughout this issue. I received an update from our engineering team and will post their troubleshooting steps below.

Troubleshooting in order to narrow down the issue:

Verify that the HSM-based key is working properly on AD RMS by creating an AD RMS template on the AD RMS server.

Double check the imported TPD is marked as the active key in AIP, using the command Get-AipServiceKeys, also take note of the KeyIdentifier of the active key.

Reset a new client that does not have registry redirections configured, protect a Word document. Open the Word document with Notepad and search the KeyIdentifer found in the previous step.

Retry unprotecting the protected document on the client with AD RMS redirections.

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
Please sign in to rate this answer.
JamesTran-MSFT 36,376 Reputation points Microsoft Employee

2020-11-19T19:02:11.373+00:00

@DP
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?

DP 1 Reputation point

2020-11-19T22:18:21.067+00:00

Hello @JamesTran-MSFT

This is a great start we did not think to attempt this. Unfortunately I will not be able to execute until next Tuesday!

In preperation for next Tuesday if the tenant already has defined templates is there a way to import them or do we create our own just for testing purposes?

Thank you

JamesTran-MSFT 36,376 Reputation points Microsoft Employee

2020-11-20T18:17:29.39+00:00

@DP
Thank you for the follow up! If you can, I'd create your own just for testing purposes so we can narrow down this issue.

I look forward to your response on Tuesday and if you have any other questions in the meantime, please let me know.
Thank you for your time and patience throughout this issue.

DP 1 Reputation point

2020-11-24T03:16:13.703+00:00

Troubleshooting responses

We were able to create a test template and protect a word doc. This doc was successfully opened on another domain machine.
FYI when trying to open content protected outside our lab we see a message about configuring computer for ADRMS and another misconfiguration error message.

Unfortunately when we run the above powershell command get-aipservicekeys we receive the attached error. Could this be due to our being offline?

Thank you,
D

DP 1 Reputation point

2020-11-24T03:16:36.33+00:00

Hello @JamesTran-MSFT ,

For clarity sake, I thought I would take another stab at fully explaining what we are attempting to accomplish. We have an offline lab environment that we need to be able to access and decrypt items that are AIP encrypted. This offline lab is completely segmented from our online environment and has its own Active Directory, user accounts, etc. After speaking to MS support they suggested we follow the cloud exit procedures in order to essentially get an offline decryption key that could be installed in our offline lab's RMS server. Since our initial on-prem RMS -> AIP migration included having our keys stored in an HSM, we copied over the original keys to a new HSM connected to our offline RMS server and imported the original pre migration TPD's as well.

JamesTran-MSFT 36,376 Reputation points Microsoft Employee

2020-11-24T17:32:39.147+00:00

@DP
Thank you for the detailed follow up!

Since you're working with our Support team do you have the support request number? With the SR, I can follow your issue and provide this to our PG teams for their awareness. Additionally, since you're actively working with our support teams, I'd recommend continuing to work closely with them since they can get a more in-depth picture of your environment and can reach out to our product team as needed.

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

DP 1 Reputation point

2020-11-24T21:02:30.047+00:00

@JamesTran-MSFT
We're not actively working with a Support team and I don't have an SR. I would like to continue this discussion please let me know if you're willing to continue your assistance.

Thank you,
D

JamesTran-MSFT 36,376 Reputation points Microsoft Employee

2020-11-25T17:05:23.21+00:00

@DP
Thank you for the clarification and quick response!

Since you're still having issues we'd like to take a closer look into your environment, can please email me with the info below. I'll go ahead and enable a one-time free technical support request for your subscription so you can work with our support engineers to get this issue resolved.

Email: AzCommunity@microsoft.com
Subject: ATTN - James Tran
Body:
Azure Subscription ID
Link to this issue

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
Sign in to comment