Monitor the Azure Rights Management connector

Applies to: Azure Information Protection, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

After you install and configure the RMS connector, you can use the following methods and information to help you monitor the connector and your organization's use of the Azure Rights Management service from Azure Information Protection.

Application event log entries

The RMS connector uses the Application event log to record entries for the Microsoft RMS connector.

For example, Information events such as:

  • ID 1000 confirms that the connector service has started

  • ID 1002 when a server successfully connects to the RMS connector

  • ID 1004 each time the list of authorized accounts (each account is listed) is downloaded to the connector

If you have not configured the connector to use HTTPS, expect to see Warning ID 2002 that a client is using a non-secure (HTTP) connection.

If the connector fails to connect to the Azure Rights Management service, you will most likely see Error 3001. For example, this connection failure might be the result of a DNS problem or a lack of internet access for one or more servers running the RMS connector.

Tip

When RMS connector servers can't connect to the Azure Rights Management service, web proxy configurations are often the reason.

As with all event log entries, drill in to the message for more details.

In addition to checking the event log when you first deploy the connector, check for warnings and errors on an ongoing basis. The connector might be working as expected initially, but other administrators might change dependent configurations. For example, another administrator changes the web proxy server configuration so that RMS connector servers can no longer access the internet (Error 3001), or removes a computer account from a group that you specified as authorized to use the connector (Warning 2001).

Event log IDs and descriptions

Use the following sections to identify the possible event IDs, descriptions, and any additional information.


Information 1000

The Microsoft RMS connector web service has started.

This event is logged when the RMS connector first attempts to start.


Information 1001

The Microsoft RMS connector web service has stopped.

This event is logged when the RMS connector stops as a result of normal operation. For example, IIS is restarted or the computer is shut down.


Information 1002

Access to the Microsoft RMS connector has been allowed for an authorized server.

This event is logged when an account from an on-premises server first connects to the RMS connector, after the account has been authorized by the Azure RMS administrator in the RMS connector administrator tool. The SID, account name, and the name of the computer making the connection are contained in the event message.


Information 1003

The connection from the client listed below has switched from a non-secure (HTTP) connection to a secure (HTTPS) connection.

This event is logged when an on-premises server changes its connection to the RMS connector from HTTP (less secure) to HTTPS (more secure). The SID, account name, and the name of the computer making the connection are contained in the event message.


Information 1004

The list of authorized accounts has been updated.

This event is logged when the RMS connector has downloaded the latest list of accounts (existing accounts and any changes) that are authorized to use the RMS connector. This list is downloaded every 15 minutes, provided that the RMS connector can communicate with the Azure Rights Management service.


Warning 2000

The user principal in the HTTP context is missing or invalid. Please verify that the Microsoft RMS connector web site has Anonymous Authentication disabled in IIS and only Windows Authentication is enabled.

This event is logged when the RMS connector can't uniquely identify the account trying to connect to the RMS connector. This might be the result of anonymous authentication being incorrectly configured for IIS, or of the account coming from an untrusted forest.


Warning 2001

Unauthorized access attempt to Microsoft RMS connector.

This event is logged when an account tries to connect to the RMS connector but fails. The most typical reason for this warning is that the account making the connection is not in the list of authorized accounts that the RMS connector downloads from the Azure Rights Management service. For example, the latest list is not yet downloaded (this download happens every 15 minutes) or the account is missing from the list.

Another reason can be that you installed the RMS connector on the same server that is configured to use the connector. For example, you install the RMS connector on a server that runs Exchange Server and you authorize an Exchange account to use the connector. This configuration is not supported because the RMS connector cannot correctly identify the account when it attempts to connect.

The event message contains information about the account and computer trying to connect to the RMS connector:

  • If the account trying to connect to the RMS connector is a valid account, use the RMS connector administrator tool to add the account to the list of authorized accounts. For more information about which accounts must be authorized, see Add a server to the list of allowed servers.

  • If the account trying to connect to the RMS connector is from the same computer as the RMS connector server, install the connector on a separate server. For more information about the prerequisites for the connector, see Prerequisites for the RMS connector.


Warning 2002

The connection from the client listed below is using a non-secure (HTTP) connection.

This event is logged when an on-premises server makes a successful connection to the RMS connector, but the connection uses HTTP (less secure) instead of HTTPS (more secure). One event is logged per account rather than per connection. This event is triggered again if the account successfully switched to using HTTPS but reverts to HTTP.

The event message contains the account SID, account name, and the name of the computer that makes the connection to the RMS connector.

For information about how to configure the RMS connector for HTTPS connections, see Configuring the RMS connector to use HTTPS.


Warning 2003

The list of authorizations is empty. The service will not be usable until the list of authorized users and groups for the connector is populated.

This event is logged when the RMS connector does not have a list of authorized accounts, so no on-premises servers can connect to it. The RMS connector downloads the list every 15 minutes from Azure RMS.

To specify the accounts, use the RMS connector administrator tool. For more information, see Authorizing servers to use the RMS connector.


Error 3000

An unhandled exception occurred in the Microsoft RMS connector.

This event is logged each time the RMS connector encounters an unexpected error, with the details of the error in the event message.

One possible cause can be identified by the text "The request failed with an empty response" in the event message. If you see this text, it might be because you have a network device that is doing SSL inspection on the packets between the on-premises servers and the RMS connector server. The Azure Rights Management service does not support this configuration; it results in a failed communication and this event log message.


Error 3001

An exception occurred while downloading authorization information.

This event is logged if the RMS connector cannot download the latest list of accounts that are authorized to use the RMS connector. Details of the error are in the event message.
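The following PowerShell script is an added example (it is not part of this documentation or of the RMS connector product) that puts the ongoing-monitoring advice above and the event ID table into practice: it reads the Application log, groups connector events by ID with the meaning documented on this page, lists recent warnings and errors, and checks whether the authorized-account list (Information 1004) has refreshed within the expected 15-minute cycle. The provider name 'Microsoft RMS connector' is an assumption taken from the wording of this page; adjust it if your server logs the source differently.

```powershell
# Added monitoring example, not from the Azure Information Protection docs.
# Assumption: the event provider is registered as 'Microsoft RMS connector'.
param(
    [string]$ProviderName = 'Microsoft RMS connector',
    [int]$Hours = 24
)

# Event IDs and short meanings as documented on this page.
$Known = @{
    1000 = 'Web service started'
    1001 = 'Web service stopped'
    1002 = 'Authorized server connected'
    1003 = 'Client switched from HTTP to HTTPS'
    1004 = 'Authorized account list updated'
    2000 = 'User principal missing or invalid (check IIS authentication)'
    2001 = 'Unauthorized access attempt'
    2002 = 'Client using non-secure HTTP'
    2003 = 'Authorization list is empty'
    3000 = 'Unhandled exception'
    3001 = 'Failed to download authorization list'
}

$filter = @{
    LogName      = 'Application'
    ProviderName = $ProviderName
    StartTime    = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No '$ProviderName' events in the last $Hours hours. Is the connector installed and started (ID 1000)?"
    return
}

# Summary per event ID: how many, how recent, and what the page says it means.
$events | Group-Object Id | Sort-Object { [int]$_.Name } | ForEach-Object {
    [pscustomobject]@{
        Id          = [int]$_.Name
        Level       = ($_.Group | Select-Object -First 1).LevelDisplayName
        Count       = $_.Count
        LastSeen    = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
        Description = $Known[[int]$_.Name]
    }
} | Format-Table -AutoSize

# Warnings (2xxx) and errors (3xxx) are the action items; show the newest 20 with
# the first line of the message (it carries the SID, account and computer name).
$events | Where-Object { $_.Id -ge 2000 } |
    Sort-Object TimeCreated -Descending | Select-Object -First 20 | ForEach-Object {
        "{0:u}  ID {1}  {2}" -f $_.TimeCreated, $_.Id, ($_.Message -split "`n")[0]
    }

# The authorized list is downloaded every 15 minutes; a stale 1004 usually means
# the connector cannot reach the service (Error 3001, often a proxy or DNS issue).
$last1004 = $events | Where-Object Id -eq 1004 | Sort-Object TimeCreated -Descending | Select-Object -First 1
if (-not $last1004) {
    Write-Warning "No Information 1004 in the last $Hours hours: the authorized list has not been downloaded."
} elseif (((Get-Date) - $last1004.TimeCreated).TotalMinutes -gt 30) {
    Write-Warning ("Authorized list last refreshed {0:u}; expected every 15 minutes." -f $last1004.TimeCreated)
}
```

Run it on each RMS connector server (for example from a scheduled task that writes the output to a central share) so that a changed proxy setting or a removed group member shows up as Error 3001 or Warning 2001 before users report failures.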


Performance counters

When you install the RMS connector, it automatically creates Microsoft Rights Management connector performance counters that you might find useful to help you monitor and improve the performance of using the Azure Rights Management service.

For example, you regularly experience delays when documents or emails are protected. Or, you experience delays when protected documents or emails are opened. For these cases, the performance counters can help you determine whether the delays are due to processing time on the connector, processing time from the Azure Rights Management service, or network delays.

To help you identify where the delay is occurring, look for counters that include average counts for Connector Processing Time, Service Response Time, and Connector Response Time. For example: Licensing Successful Batched Request Average Connector Response Time.

If you have recently added new server accounts to use the connector, a good counter to check is Time since last authorization policy update to confirm that the connector has downloaded the list since you updated it, or whether you need to wait a little longer (up to 15 minutes).
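The following PowerShell script is an added example (not part of this documentation or of the RMS connector product) that samples the counters this section names and separates connector processing time from service response time, which is the comparison the section recommends for locating a delay. The counter set name 'Microsoft Rights Management connector' is taken from this page; the exact counter paths are discovered at run time rather than hard-coded, and the assumption that Time since last authorization policy update is reported in seconds is marked in the code.

```powershell
# Added example, not from the Azure Information Protection docs.
# Assumption: the counter set is named 'Microsoft Rights Management connector'.
$SetName = 'Microsoft Rights Management connector'

$set = Get-Counter -ListSet $SetName -ErrorAction SilentlyContinue
if (-not $set) {
    Write-Warning "Counter set '$SetName' not found. Is the RMS connector installed on this server?"
    return
}

# Select the counters the page names: the three timing averages plus the
# authorization-policy freshness counter.
$patterns = 'Connector Processing Time', 'Service Response Time',
            'Connector Response Time', 'Time since last authorization policy update'
$paths = $set.Paths | Where-Object { $p = $_; $patterns | Where-Object { $p -like "*$_*" } }
if (-not $paths) { Write-Warning "No matching counters in '$SetName'."; return }

# Five samples ten seconds apart, so one slow request does not dominate the picture.
$samples = Get-Counter -Counter $paths -SampleInterval 10 -MaxSamples 5 -ErrorAction SilentlyContinue
$rows = $samples.CounterSamples | Group-Object Path | ForEach-Object {
    [pscustomobject]@{
        Counter = ($_.Name -split '\\')[-1]
        Average = [math]::Round(($_.Group | Measure-Object CookedValue -Average).Average, 2)
        Max     = ($_.Group | Measure-Object CookedValue -Maximum).Maximum
    }
}
$rows | Sort-Object Counter | Format-Table -AutoSize

# Interpretation, following the page: for a given request type, a Service Response
# Time close to the Connector Response Time points at the Azure Rights Management
# service or the network path to it; a large Connector Processing Time points at
# the connector server itself.
$svc  = $rows | Where-Object Counter -like '*Service Response Time*'  | Select-Object -First 1
$conn = $rows | Where-Object Counter -like '*Connector Response Time*' | Select-Object -First 1
if ($svc -and $conn -and $conn.Average -gt 0) {
    "Service share of connector response time: {0:P0}" -f ($svc.Average / $conn.Average)
}

# Assumption: this counter is in seconds. The list refreshes every 15 minutes (900 s).
$policyAge = $rows | Where-Object Counter -like '*authorization policy update*' | Select-Object -First 1
if ($policyAge -and $policyAge.Average -gt 900) {
    Write-Warning "Authorization policy last updated $($policyAge.Average) s ago; expected within 15 minutes. Check Error 3001 and proxy settings."
}
```

If you prefer a continuous view, the same counter paths can be added to a Performance Monitor data collector set; the script is mainly useful for a quick on-the-spot comparison after a user reports slow protection or slow opening of protected content.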

Logging

Usage logging helps you identify when emails and documents are protected and consumed. When the RMS connector is used to protect and consume content, the user ID field in the logs contains the service principal name Aadrm_S-1-7-0. This name is automatically created for the RMS connector.

For more information about usage logging, see Logging and analyzing the protection usage from Azure Information Protection.

If you need more detailed logging for diagnostic purposes, you can use DebugView from Windows Sysinternals. Enable tracing for the RMS connector by modifying the web.config file for the Default site in IIS:

  1. Locate the web.config file in %programfiles%\Microsoft Rights Management connector\Web Service.

  2. Locate the following line:

    <trace enabled="false" requestLimit="10" pageOutput="false" traceMode="SortByTime" localOnly="true"/>
    
  3. Replace that line with the following text:

    <trace enabled="true" requestLimit="10" pageOutput="false" traceMode="SortByTime" localOnly="true"/>
    
  4. Stop and start IIS to activate tracing.

  5. When you have captured the traces that you need, revert the line in step 3, and stop and start IIS again.
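The following PowerShell script is an added example (not part of this documentation or of the RMS connector product) that carries out steps 1 to 5 as a single repeatable action: it backs up web.config, flips the enabled attribute of the trace element to true or false, saves the file, and stops and starts IIS. It assumes the file path given in step 1 and that the trace element sits at configuration/system.web/trace, which is the standard ASP.NET location for that element; the -Mode parameter is the script's own.

```powershell
# Added example, not from the Azure Information Protection docs.
# Usage: .\Set-RmsConnectorTrace.ps1 -Mode on   (capture with DebugView, then)
#        .\Set-RmsConnectorTrace.ps1 -Mode off
param(
    [Parameter(Mandatory)][ValidateSet('on', 'off')][string]$Mode
)

# Assumption: path as given in step 1 of the procedure above.
$webConfig = Join-Path $env:ProgramFiles 'Microsoft Rights Management connector\Web Service\web.config'
if (-not (Test-Path $webConfig)) { throw "web.config not found at $webConfig" }

# Keep a timestamped backup so the original line can always be restored (step 5).
Copy-Item $webConfig ("{0}.{1:yyyyMMddHHmmss}.bak" -f $webConfig, (Get-Date))

# Edit the element as XML rather than by text replacement, so the other
# attributes (requestLimit, pageOutput, traceMode, localOnly) are preserved.
[xml]$xml = Get-Content $webConfig -Raw
$trace = $xml.SelectSingleNode('/configuration/system.web/trace')
if (-not $trace) { throw "No <trace> element under system.web in $webConfig" }

$enabled = if ($Mode -eq 'on') { 'true' } else { 'false' }
$trace.SetAttribute('enabled', $enabled)

# localOnly="true" means trace output is only viewable on the server itself;
# the procedure keeps that value, so this script does not touch it.
if ($trace.GetAttribute('localOnly') -ne 'true') {
    Write-Warning "localOnly is not 'true'; trace output could be viewable remotely."
}
$xml.Save($webConfig)

# Step 4 / step 5: stop and start IIS so the setting takes effect.
iisreset /stop | Out-Null
iisreset /start | Out-Null
"RMS connector tracing is now $Mode (trace enabled=`"$enabled`")."
```

Run the script with -Mode on only for the duration of a capture and turn it off again afterwards, since detailed tracing adds overhead to every request the connector handles; the backup file makes it easy to confirm that the only change was the enabled attribute.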