Rights Management Service client deployment notes

Applies to: Active Directory Rights Management Services, Azure Information Protection, Windows 8, Windows 8.1, Windows 10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016

The Rights Management Service client (RMS client) version 2 is also known as the MSIPC client. It is software for Windows computers that communicates with Microsoft Rights Management services on-premises or in the cloud to help protect access to and usage of information as it flows through applications and devices, within the boundaries of your organization or outside those managed boundaries.

In addition to shipping with the Azure Information Protection unified labeling client, the RMS client is available as an optional download that can, with acknowledgment and acceptance of its license agreement, be freely distributed with third-party software so that clients can protect and consume content that has been protected by Rights Management services.

Redistributing the RMS client

The RMS client can be freely redistributed and bundled with other applications and IT solutions. If you are an application developer or solution provider and want to redistribute the RMS client, you have two options:

  • Recommended: Embed the RMS client installer in your application installation and run it in silent mode (the /quiet switch, detailed in the next section).

  • Make the RMS client a prerequisite for your application. With this option, you might need to provide users with additional instructions for them to obtain, install, and update their computers with the client before they can use your application.

Installing the RMS client

The RMS client is contained in an installer executable file named setup_msipc_<arch>.exe, where <arch> is either x86 (for 32-bit client computers) or x64 (for 64-bit client computers). The 64-bit (x64) installer package installs both a 32-bit runtime executable, for compatibility with 32-bit applications that run on a 64-bit operating system installation, and a 64-bit runtime executable for native 64-bit applications. The 32-bit (x86) installer does not run on a 64-bit Windows installation.

Note

You must have elevated privileges to install the RMS client, such as membership in the Administrators group on the local computer.

You can install the RMS client by using either of the following installation methods:

  • Silent mode. By using the /quiet switch as part of the command-line options, you can silently install the RMS client on client computers. The following example shows a silent mode installation of the RMS client on a 64-bit client computer:

    setup_msipc_x64.exe /quiet
    
  • Interactive mode. Alternatively, you can install the RMS client by using the GUI-based setup program that is provided by the RMS Client Installation wizard. To install interactively, double-click the RMS client installer package (setup_msipc_<arch>.exe) in the folder to which it was copied or downloaded on your local computer.
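The silent installation above, wrapped in the checks a deployment script needs. This is an added example and not code from the Microsoft page: it picks the x86 or x64 package by operating system bitness (the x86 package does not run on 64-bit Windows), refuses to run without elevation or with an invalid Authenticode signature, and surfaces the installer's exit code. The installer directory C:\Deploy\MSIPC and the function name are assumptions.

```powershell
# Added example (not from the Microsoft page): silent RMS client install with
# the pre-flight checks a deployment script needs. Assumes the packages
# setup_msipc_x86.exe / setup_msipc_x64.exe are present in $InstallerDir.
function Install-MsipcClient {
    param(
        [Parameter(Mandatory)] [string] $InstallerDir
    )

    # The installer needs elevated privileges (local Administrators); fail early.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Install-MsipcClient must run from an elevated session.'
    }

    # The x86 package does not run on 64-bit Windows, so choose by OS bitness,
    # not by the bitness of this PowerShell process.
    $arch      = if ([Environment]::Is64BitOperatingSystem) { 'x64' } else { 'x86' }
    $installer = Join-Path $InstallerDir "setup_msipc_$arch.exe"
    if (-not (Test-Path -LiteralPath $installer)) {
        throw "Installer not found: $installer"
    }

    # A redistributed binary should carry a valid Authenticode signature;
    # refuse to execute it otherwise.
    $sig = Get-AuthenticodeSignature -FilePath $installer
    if ($sig.Status -ne 'Valid') {
        throw "Refusing to run $installer : signature status is $($sig.Status)"
    }

    # Silent mode (/quiet) as documented; wait and return the exit code.
    $proc = Start-Process -FilePath $installer -ArgumentList '/quiet' -Wait -PassThru
    if ($proc.ExitCode -ne 0) {
        throw "setup_msipc_$arch.exe exited with code $($proc.ExitCode)"
    }

    # Confirm the client landed in its documented default folder.
    $installed = Get-ChildItem -Path $env:ProgramFiles -Directory `
        -Filter 'Active Directory Rights Management Services Client 2.*' -ErrorAction SilentlyContinue
    if (-not $installed) {
        Write-Warning 'Installer returned 0 but the default install folder was not found.'
    }
    return $proc.ExitCode
}

Install-MsipcClient -InstallerDir 'C:\Deploy\MSIPC'   # directory is an assumption
```

Because the silent install inherits the machine's Microsoft Update settings (see the questions and answers below), a deployment script that uses this function should also confirm that those settings are what the organization expects.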

Questions and answers about the RMS client

The following section contains frequently asked questions about the RMS client and their answers.

Which operating systems support the RMS client?

The RMS client is supported on the following operating systems:

  Windows Server operating system    Windows client operating system
  Windows Server 2016                Windows 10
  Windows Server 2012 R2             Windows 8.1
  Windows Server 2012                Windows 8
  Windows Server 2008 R2             Windows 7 with a minimum of SP1

Which processors or platforms support the RMS client?

The RMS client is supported on x86 and x64 computing platforms.

Where is the RMS client installed?

By default, the RMS client is installed in %ProgramFiles%\Active Directory Rights Management Services Client 2.<minor version number>.

What files are associated with the RMS client software?

The following files are installed as part of the RMS client software:

  • Msipc.dll

  • Ipcsecproc.dll

  • Ipcsecproc_ssp.dll

  • MSIPCEvents.man

In addition to these files, the RMS client also installs multilingual user interface (MUI) support files in 44 languages. To verify the languages supported, run the RMS client installation and, when the installation is complete, review the contents of the multilingual support folders under the default path.

Is the RMS client included by default when I install a supported operating system?

No. This version of the RMS client ships as an optional download that can be installed separately on computers running supported versions of the Microsoft Windows operating system.

Is the RMS client automatically updated by Microsoft Update?

If you installed this RMS client by using the silent installation option, the RMS client inherits your current Microsoft Update settings. If you installed the RMS client by using the GUI-based setup program, the RMS client installation wizard prompts you to enable Microsoft Update.

RMS client settings

The following section contains settings information about the RMS client. This information might be helpful if you have problems with applications or services that use the RMS client.

Note

Some settings depend on whether the RMS-enlightened application runs as a client mode application (such as Microsoft Word and Outlook, or the Azure Information Protection client with Windows File Explorer) or as a server mode application (such as SharePoint and Exchange). In the following tables, these settings are identified as Client Mode and Server Mode, respectively.

Where the RMS client stores licenses on client computers

The RMS client stores licenses on the local disk and also caches some information in the Windows registry.

  License store location
    Client Mode: %localappdata%\Microsoft\MSIPC
    Server Mode: %allusersprofile%\Microsoft\MSIPC\Server\<SID>

  Template store location
    Client Mode: %localappdata%\Microsoft\MSIPC\Templates
    Server Mode: %allusersprofile%\Microsoft\MSIPC\Server\<SID>

  Registry location
    Client Mode: HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\MSIPC
    Server Mode: HKEY_CURRENT_USER\Software\Microsoft\MSIPC\Server\<SID>

Note

<SID> is the security identifier (SID) for the account under which the server application is running. For example, if the application is running under the built-in Network Service account, replace <SID> with the value of the well-known SID for that account (S-1-5-20).

Windows registry settings for the RMS client

You can use Windows registry keys to set or modify some RMS client configurations. For example, as an administrator for RMS-enlightened applications that communicate with AD RMS servers, you might want to update the enterprise service location (override the AD RMS server that is currently selected for publishing) depending on the client computer's current location within your Active Directory topology. Or, you might want to enable RMS tracing at the client computer to help troubleshoot a problem with an RMS-enlightened application. Use the following table to identify the registry settings that you can change for the RMS client.

Task: To control application data collection (if the client is version 1.03102.0221 or later)

  Important: In order to honor user privacy, you as the administrator must ask the user for consent before enabling data collection.

  If you enable data collection, you are agreeing to send data to Microsoft over the internet. Microsoft uses this data to provide and improve the quality, security, and integrity of Microsoft products and services. For example, Microsoft analyzes performance and reliability, such as what features you use, how quickly the features respond, device performance, user interface interactions, and any problems you experience with the product. Data also includes information about the configuration of your software, such as the software that you are currently running, and the IP address.

  Settings:

  For version 1.0.3356 or later:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft\MSIPC
    REG_DWORD: DiagnosticAvailability

  For versions before 1.0.3356:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft\MSIPC
    REG_DWORD: DiagnosticState

  Value: 0 for Application defined (default) by using the environment property IPC_EI_DATA_COLLECTION_ENABLED, 1 for Disabled, 2 for Enabled

  Note: If your 32-bit MSIPC-based application is running on a 64-bit version of Windows, the location is HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MSIPC.

Task: AD RMS only: To update the enterprise service location for a client computer

  Settings: Update the following registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSIPC\ServiceLocation\EnterpriseCertification
    REG_SZ: default

    Value: <http or https>://RMS_Cluster_Name/_wmcs/Certification

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSIPC\ServiceLocation\EnterprisePublishing
    REG_SZ: default

    Value: <http or https>://RMS_Cluster_Name/_wmcs/Licensing

Task: To enable and disable tracing

  Settings: Update the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSIPC
    REG_DWORD: Trace

    Value: 1 to enable tracing, 0 to disable tracing (default)

Task: To change the frequency in days to refresh templates

  Settings: The following registry values specify how often templates refresh on the user's computer if the TemplateUpdateFrequencyInSeconds value is not set. If neither of these values is set, the default refresh interval for applications using the RMS client (version 1.0.1784.0) to download templates is 1 day. Prior versions have a default value of every 7 days.

  Client Mode:

    HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\MSIPC
    REG_DWORD: TemplateUpdateFrequency

    Value: An integer value that specifies the number of days (minimum of 1) between downloads.

  Server Mode:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSIPC\Server\<SID>
    REG_DWORD: TemplateUpdateFrequency

    Value: An integer value that specifies the number of days (minimum of 1) between downloads.

Task: To change the frequency in seconds to refresh templates

  Important: If this setting is specified, the value to refresh templates in days is ignored. Specify one or the other, not both.

  Settings: The following registry values specify how often templates refresh on the user's computer. If neither this value nor the value to change the frequency in days (TemplateUpdateFrequency) is set, the default refresh interval for applications using the RMS client (version 1.0.1784.0) to download templates is 1 day. Prior versions have a default value of every 7 days.

  Client Mode:

    HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\MSIPC
    REG_DWORD: TemplateUpdateFrequencyInSeconds

    Value: An integer value that specifies the number of seconds (minimum of 1) between downloads.

  Server Mode:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSIPC\Server\<SID>
    REG_DWORD: TemplateUpdateFrequencyInSeconds

    Value: An integer value that specifies the number of seconds (minimum of 1) between downloads.

Task: AD RMS only: To download templates immediately at the next publishing request

  Settings: During testing and evaluations, you might want the RMS client to download templates as soon as possible. For this configuration, remove the following registry key; the RMS client then downloads templates immediately at the next publishing request rather than waiting for the time specified by the TemplateUpdateFrequency registry setting:

    HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\MSIPC\<Server Name>\Template

  Note: <Server Name> could have both external (corprights.contoso.com) and internal (corprights) URLs and therefore two different entries.

Task: AD RMS only: To enable support for federated authentication

  Settings: If the RMS client computer connects to an AD RMS cluster by using a federated trust, you must configure the federation home realm.

    HKEY_LOCAL_MACHINE\Software\Microsoft\MSIPC\Federation
    REG_SZ: FederationHomeRealm

    Value: The value of this registry entry is the uniform resource identifier (URI) for the federation service (for example, "http://TreyADFS.trey.net/adfs/services/trust").

  Note: It is important that you specify http and not https for this value. In addition, if your 32-bit MSIPC-based application is running on a 64-bit version of Windows, the location is HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MSIPC\Federation. For an example configuration, see Deploying Active Directory Rights Management Services with Active Directory Federation Services.

Task: AD RMS only: To support partner federation servers that require forms-based authentication for user input

  Settings: By default, the RMS client operates in silent mode and user input is not required. Partner federation servers, however, might be configured to require user input, such as by way of forms-based authentication. In this case, you must configure the RMS client to ignore silent mode so that the federated authentication form appears in a browser window and the user is prompted for authentication.

    HKEY_LOCAL_MACHINE\Software\Microsoft\MSIPC\Federation
    REG_DWORD: EnableBrowser

  Note: If the federation server is configured to use forms-based authentication, this key is required. If the federation server is configured to use integrated Windows authentication, this key is not required.

Task: AD RMS only: To block ILS service consumption

  Settings: By default, the RMS client enables consuming content protected by the ILS service, but you can configure the client to block this service by setting the following registry key. If this registry key is set to block the ILS service, any attempt to open and consume content protected by the ILS service returns the following error: HRESULT_FROM_WIN32(ERROR_ACCESS_DISABLED_BY_POLICY)

    HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\MSIPC
    REG_DWORD: DisablePassportCertification

    Value: 1 to block ILS consumption, 0 to allow ILS consumption (default)
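The <SID> placeholder from the license store table and two rows of the settings table (the template refresh interval and the Trace switch), worked in PowerShell. This is an added example, not code from the Microsoft page. It resolves the server account to its SID, builds the client-mode and server-mode paths from the tables, writes the refresh interval while removing the competing value so the days/seconds rule is never left ambiguous, and toggles Trace. The account name, the 3600-second interval and the function names are assumptions for illustration.

```powershell
# Added example, not from the Microsoft page. Covers the <SID> placeholder from
# the license store table and the template refresh and Trace rows of the
# settings table. Account name and intervals at the bottom are assumptions.

# Translate an account name to its SID string (needed for the server-mode paths).
function Get-AccountSid {
    param([Parameter(Mandatory)] [string] $Account)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Client-mode and server-mode locations from the tables, with <SID> filled in.
# In server mode the cached-data key (HKCU) and the template-frequency key (HKLM) differ.
function Get-MsipcLocations {
    param([string] $ServerAccount)   # omit for client mode
    if ($ServerAccount) {
        $sid = Get-AccountSid -Account $ServerAccount
        return [pscustomobject]@{
            Mode                 = 'Server'
            LicenseStore         = "$env:ALLUSERSPROFILE\Microsoft\MSIPC\Server\$sid"
            TemplateStore        = "$env:ALLUSERSPROFILE\Microsoft\MSIPC\Server\$sid"
            RegistryKey          = "HKCU:\Software\Microsoft\MSIPC\Server\$sid"
            TemplateFrequencyKey = "HKLM:\SOFTWARE\Microsoft\MSIPC\Server\$sid"
        }
    }
    $clientKey = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\MSIPC'
    return [pscustomobject]@{
        Mode                 = 'Client'
        LicenseStore         = "$env:LOCALAPPDATA\Microsoft\MSIPC"
        TemplateStore        = "$env:LOCALAPPDATA\Microsoft\MSIPC\Templates"
        RegistryKey          = $clientKey
        TemplateFrequencyKey = $clientKey
    }
}

# Set the template refresh interval. The seconds value overrides the days value
# when both exist, so the value not being set is removed to keep the key unambiguous.
function Set-MsipcTemplateRefresh {
    param(
        [Parameter(Mandatory)] [string] $Key,   # TemplateFrequencyKey from Get-MsipcLocations
        [int] $Days = 0,
        [int] $Seconds = 0
    )
    if (($Days -gt 0) -eq ($Seconds -gt 0)) {
        throw 'Specify exactly one of -Days or -Seconds (minimum 1).'
    }
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    if ($Seconds -gt 0) {
        Set-ItemProperty -Path $Key -Name 'TemplateUpdateFrequencyInSeconds' -Value $Seconds -Type DWord
        Remove-ItemProperty -Path $Key -Name 'TemplateUpdateFrequency' -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $Key -Name 'TemplateUpdateFrequency' -Value $Days -Type DWord
        Remove-ItemProperty -Path $Key -Name 'TemplateUpdateFrequencyInSeconds' -ErrorAction SilentlyContinue
    }
}

# Turn the Trace value on or off. As the table notes for the data collection and
# federation keys, a 32-bit MSIPC application on 64-bit Windows reads the
# Wow6432Node view of HKLM\SOFTWARE, so the same applies to this key.
function Set-MsipcTracing {
    param([Parameter(Mandatory)] [bool] $Enabled, [switch] $For32BitAppOn64BitWindows)
    $key = if ($For32BitAppOn64BitWindows) { 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSIPC' } else { 'HKLM:\SOFTWARE\Microsoft\MSIPC' }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'Trace' -Value ([int]$Enabled) -Type DWord
}

# Usage: a server-mode application (SharePoint or Exchange style) running as
# Network Service; the SID resolves to the well-known S-1-5-20.
$loc = Get-MsipcLocations -ServerAccount 'NT AUTHORITY\NETWORK SERVICE'
$loc | Format-List
Set-MsipcTemplateRefresh -Key $loc.TemplateFrequencyKey -Seconds 3600   # assumed interval
Set-MsipcTracing -Enabled $true
```

Set-MsipcTracing is the one to remember to revert: leaving Trace at 1 after troubleshooting keeps writing diagnostic detail about protected-content operations on every machine where it was enabled.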

Managing template distribution for the RMS client

Templates make it easy for users and administrators to quickly apply Rights Management protection, and the RMS client automatically downloads templates from its RMS servers or service. If you put templates in the following folder location, the RMS client does not download any templates from its default location and instead uses the templates that you have put in this folder. The RMS client might continue to download templates from other available RMS servers.

Client Mode: %localappdata%\Microsoft\MSIPC\UnmanagedTemplates

Server Mode: %allusersprofile%\Microsoft\MSIPC\Server\UnmanagedTemplates\<SID>

When you use this folder, there is no special naming convention required, except that the templates should be issued by the RMS server or service and they must have the .xml file name extension. For example, Contoso-Confidential.xml or Contoso-ReadOnly.xml are valid names.

AD RMS only: Limiting the RMS client to use trusted AD RMS servers

The RMS client can be limited to using only specific trusted AD RMS servers by making the following changes to the Windows registry on local computers.

To limit the RMS client to using only trusted AD RMS servers

  • HKEY_LOCAL_MACHINE\Software\Microsoft\MSIPC\TrustedServers

    REG_DWORD: AllowTrustedServersOnly

    Value: If a non-zero value is specified, the RMS client trusts only the specific servers that are configured in the TrustedServers list and the Azure Rights Management service.

To add members to the list of trusted AD RMS servers

  • HKEY_LOCAL_MACHINE\Software\Microsoft\MSIPC\TrustedServers

    REG_SZ: <URL_or_HostName>

    Value: The string values in this registry key location can be either in DNS domain name format (for example, adrms.contoso.com) or full URLs to trusted AD RMS servers (for example, https://adrms.contoso.com). If a specified URL starts with https://, the RMS client uses SSL or TLS to contact the specified AD RMS server.
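The trusted-server allowlist above as one script, added here as an example and not taken from the Microsoft page. It writes each server as a REG_SZ under TrustedServers, then sets AllowTrustedServersOnly, and provides a read-back so the effective list can be audited. The page gives only the value type (REG_SZ named <URL_or_HostName>); storing the same string as the value data is an assumption of this example, as are the server names and function names.

```powershell
# Added example, not from the Microsoft page: pin the RMS client to an explicit
# list of AD RMS servers. Server names below are constructed placeholders.
$TrustedServersKey = 'HKLM:\Software\Microsoft\MSIPC\TrustedServers'

function Set-MsipcTrustedServers {
    param([Parameter(Mandatory)] [string[]] $Servers)   # DNS names or full URLs

    if (-not (Test-Path $TrustedServersKey)) {
        New-Item -Path $TrustedServersKey -Force | Out-Null
    }

    foreach ($s in $Servers) {
        # Accept a bare DNS name or an http(s) URL; reject anything else so a typo
        # cannot quietly widen the trust list.
        if ($s -notmatch '^(https?://)?[A-Za-z0-9.-]+(:\d+)?(/.*)?$') {
            throw "Not a DNS name or URL: $s"
        }
        # Only an https:// URL makes the client use SSL/TLS for that server.
        if ($s -match '^http://') {
            Write-Warning "$s will be contacted without TLS; prefer an https:// URL"
        }
        # Value name is the server (as the page shows); value data is assumed to be
        # the same string.
        Set-ItemProperty -Path $TrustedServersKey -Name $s -Value $s -Type String
    }

    # Non-zero: trust only this list plus the Azure Rights Management service.
    Set-ItemProperty -Path $TrustedServersKey -Name 'AllowTrustedServersOnly' -Value 1 -Type DWord
}

# Read back the effective allowlist (every value except the switch and the
# provider bookkeeping properties PowerShell adds).
function Get-MsipcTrustedServers {
    if (-not (Test-Path $TrustedServersKey)) { return @() }
    $skip = 'AllowTrustedServersOnly', 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    (Get-ItemProperty -Path $TrustedServersKey).PSObject.Properties |
        Where-Object { $_.Name -notin $skip } |
        ForEach-Object { $_.Value }
}

# Usage (constructed names): one TLS URL and one DNS name.
Set-MsipcTrustedServers -Servers 'https://adrms.contoso.com', 'adrms-dr.contoso.com'
Get-MsipcTrustedServers
```

Get-MsipcTrustedServers is the piece worth scheduling: an unexpected entry appearing under TrustedServers on a client is exactly the kind of change a configuration baseline should flag.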

RMS service discovery

RMS service discovery lets the RMS client check which RMS server or service to communicate with before protecting content. Service discovery might also happen when the RMS client consumes protected content, but this type of discovery is less likely to happen because the policy attached to the content contains the preferred RMS server or service. Only if those sources are unsuccessful does the client then run service discovery.

To perform service discovery, the RMS client checks the following:

  1. The Windows registry on the local computer: If service discovery settings are configured in the registry, these settings are tried first.

    By default, these settings are not configured in the registry, but an administrator can configure them for AD RMS as documented in a following section. An administrator typically configures these settings for the Azure Rights Management service during the migration process from AD RMS to Azure Information Protection.

  2. Active Directory Domain Services: A domain-joined computer queries Active Directory for a service connection point (SCP).

    If an SCP is registered as documented in the following section, the URL of the AD RMS server is returned to the RMS client to use.

  3. The Azure Rights Management discovery service: The RMS client connects to https://discover.aadrm.com, which prompts the user to authenticate.

    When authentication is successful, the user name (and domain) from the authentication is used to identify the Azure Information Protection tenant to use. The Azure Information Protection URL to use for that user account is returned to the RMS client. The URL is in the following format: https://<YourTenantURL>/_wmcs/licensing

    For example: 5c6bb73b-1038-4eec-863d-49bded473437.rms.na.aadrm.com/_wmcs/licensing

    <YourTenantURL> has the following format: {GUID}.rms.[Region].aadrm.com. You can find this value by identifying the RightsManagementServiceId value when you run the Get-AipServiceConfiguration cmdlet.

Note

There are four important exceptions to this service discovery flow:

  • Mobile devices are best suited to use a cloud service, so by default they use service discovery for the Azure Rights Management service (https://discover.aadrm.com). To override this default so that mobile devices use AD RMS rather than the Azure Rights Management service, specify SRV records in DNS and install the mobile device extension as documented in Active Directory Rights Management Services Mobile Device Extension.

  • When the Rights Management service is invoked by an Azure Information Protection label, service discovery is not performed. Instead, the URL is specified directly in the label setting that is configured in the Azure Information Protection policy.

  • When a user initiates sign-in from an Office application, the user name (and domain) from the authentication is used to identify the Azure Information Protection tenant to use. In this case, registry settings are not needed and the SCP is not checked.

  • When you have configured DNS redirection for Office click-to-run desktop apps, the RMS client finds the Azure Rights Management service by being denied access to the AD RMS cluster that it previously found. This deny action triggers the client to look for the SRV record, which redirects the client to the Azure Rights Management service for your tenant. This SRV record also lets Exchange Online decrypt emails that have been protected by your AD RMS cluster.

AD RMS only: Enabling server-side service discovery by using Active Directory

If your account has sufficient privileges (Enterprise Admins and local administrator for the AD RMS server), you can automatically register a service connection point (SCP) when you install the AD RMS root cluster server. If an SCP already exists in the forest, you must first delete the existing SCP before you can register a new one.

You can register and delete an SCP after AD RMS is installed by using the following procedure. Before you start, make sure that your account has the required privileges (Enterprise Admins and local administrator for the AD RMS server).

To enable AD RMS service discovery by registering an SCP in Active Directory

  1. Open the Active Directory Rights Management Services console on the AD RMS server:

    • For Windows Server 2012 R2 or Windows Server 2012, in Server Manager, select Tools > Active Directory Rights Management Services.

    • For Windows Server 2008 R2, select Start > Administrative Tools > Active Directory Rights Management Services.

  2. In the AD RMS console, right-click the AD RMS cluster, and then click Properties.

  3. Click the SCP tab.

  4. Select the Change SCP check box.

  5. Select the Set SCP to current certification cluster option, and then click OK.

Enabling client-side service discovery by using the Windows registry

As an alternative to using an SCP, or where an SCP does not exist, you can configure the registry on the client computer so that the RMS client can locate its AD RMS server.

To enable client-side AD RMS service discovery by using the Windows registry

  1. Open the Windows registry editor, Regedit.exe:

    • On the client computer, in the Run window, type regedit, and then press Enter to open the Registry Editor.

  2. In Registry Editor, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSIPC.

    Note

    If you are running a 32-bit application on a 64-bit computer, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MSIPC.

  3. To create the ServiceLocation subkey, right-click MSIPC, point to New, click Key, and then type ServiceLocation.

  4. To create the EnterpriseCertification subkey, right-click ServiceLocation, point to New, click Key, and then type EnterpriseCertification.

  5. To set the enterprise certification URL, double-click the (Default) value under the EnterpriseCertification subkey. When the Edit String dialog box appears, for Value data, type <http or https>://<AD RMS_cluster_name>/_wmcs/Certification, and then click OK.

  6. To create the EnterprisePublishing subkey, right-click ServiceLocation, point to New, click Key, and then type EnterprisePublishing.

  7. To set the enterprise publishing URL, double-click (Default) under the EnterprisePublishing subkey. When the Edit String dialog box appears, for Value data, type <http or https>://<AD RMS_cluster_name>/_wmcs/Licensing, and then click OK.

  8. Close Registry Editor.
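Steps 2 to 8 above, and the matching "update the enterprise service location" row of the settings table, as one scripted change plus a read-back. This is an added example, not code from the Microsoft page. It writes the EnterpriseCertification and EnterprisePublishing (Default) values under ServiceLocation, switches to the Wow6432Node key for a 32-bit application on 64-bit Windows as the note above describes, and warns when a plain-http cluster URL is chosen. The cluster name adrms.contoso.com and the function names are assumptions.

```powershell
# Added example, not from the Microsoft page: client-side AD RMS service
# discovery through the registry. Cluster name below is a constructed placeholder.
function Get-MsipcServiceLocationBase {
    param([switch] $For32BitAppOn64BitWindows)
    # 32-bit applications on 64-bit Windows read the Wow6432Node view (see the note above).
    if ($For32BitAppOn64BitWindows) { return 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSIPC\ServiceLocation' }
    return 'HKLM:\SOFTWARE\Microsoft\MSIPC\ServiceLocation'
}

function Set-MsipcServiceLocation {
    param(
        [Parameter(Mandatory)] [string] $ClusterName,          # for example adrms.contoso.com
        [ValidateSet('http', 'https')] [string] $Scheme = 'https',
        [switch] $For32BitAppOn64BitWindows
    )
    if ($Scheme -eq 'http') {
        Write-Warning 'Service location URLs over plain http expose licensing traffic to interception; use https where the cluster supports it.'
    }
    $base = Get-MsipcServiceLocationBase -For32BitAppOn64BitWindows:$For32BitAppOn64BitWindows
    $urls = @{
        EnterpriseCertification = "${Scheme}://$ClusterName/_wmcs/Certification"
        EnterprisePublishing    = "${Scheme}://$ClusterName/_wmcs/Licensing"
    }
    foreach ($name in $urls.Keys) {
        $key = "$base\$name"
        # New-Item -Force also creates the intermediate ServiceLocation key (steps 3, 4 and 6).
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # The URL goes into the key's (Default) value, which PowerShell names '(default)'.
        Set-ItemProperty -Path $key -Name '(default)' -Value $urls[$name] -Type String
    }
    return $urls
}

# Read back what the client will use, so a deployment can be verified or audited.
function Get-MsipcServiceLocation {
    param([switch] $For32BitAppOn64BitWindows)
    $base   = Get-MsipcServiceLocationBase -For32BitAppOn64BitWindows:$For32BitAppOn64BitWindows
    $result = @{}
    foreach ($name in 'EnterpriseCertification', 'EnterprisePublishing') {
        $key = "$base\$name"
        $result[$name] = if (Test-Path $key) { (Get-ItemProperty -Path $key).'(default)' } else { $null }
    }
    return $result
}

# Usage (constructed cluster name).
Set-MsipcServiceLocation -ClusterName 'adrms.contoso.com' | Out-Null
Get-MsipcServiceLocation
```

Because registry settings are tried before the SCP and before the Azure discovery service, an unexpected ServiceLocation entry silently redirects every protect and consume request on that machine; Get-MsipcServiceLocation is the check to run when a client talks to a cluster it should not.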

If the RMS client can't find an SCP by querying Active Directory and one is not specified in the registry, service discovery calls for AD RMS fail.

Redirecting licensing server traffic

In some cases, you might need to redirect traffic during service discovery, for example, when two organizations are merged and the old licensing server in one organization is retired and clients need to be redirected to a new licensing server. Or, you migrate from AD RMS to Azure RMS. To enable licensing redirection, use the following procedure.

To enable RMS licensing redirection by using the Windows registry

  1. Open the Windows registry editor, Regedit.exe.

  2. In Registry Editor, navigate to one of the following:

    • For the 64-bit version of Office on an x64 platform: HKLM\SOFTWARE\Microsoft\MSIPC\Servicelocation

    • For the 32-bit version of Office on an x64 platform: HKLM\SOFTWARE\Wow6432Node\Microsoft\MSIPC\Servicelocation

  3. Create a LicensingRedirection subkey by right-clicking Servicelocation, pointing to New, clicking Key, and then typing LicensingRedirection.

  4. To set the licensing redirection, right-click the LicensingRedirection subkey, select New, and then select String value. For Name, specify the previous server licensing URL, and for Value specify the new server licensing URL.

    For example, to redirect licensing from a server at Contoso.com to one at Fabrikam.com, you might enter the following values:

    Name: https://contoso.com/_wmcs/licensing

    Value: https://fabrikam.com/_wmcs/licensing

    Note

    If the old licensing server has both intranet and extranet URLs specified, a new name and value mapping must be set for both of these URLs under the LicensingRedirection key.

  5. Repeat the previous step for all servers that need to be redirected.

  6. Close Registry Editor.
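The redirection procedure above as a script that takes a map of old licensing URL to new licensing URL, so the intranet and extranet names from the note are handled in one call. This is an added example, not code from the Microsoft page. It validates that every name and value looks like a _wmcs/licensing URL, refuses a mapping that points a URL at itself, and writes under the Wow6432Node path for 32-bit Office on x64 when asked. The intranet name https://corprights/_wmcs/licensing, the Fabrikam targets and the function name are constructed for illustration.

```powershell
# Added example, not from the Microsoft page: licensing redirection entries under
# LicensingRedirection. URLs in the usage block are constructed placeholders.
function Add-MsipcLicensingRedirection {
    param(
        [Parameter(Mandatory)] [hashtable] $Map,   # old licensing URL -> new licensing URL
        [switch] $For32BitOfficeOnX64
    )
    # Key location depends on the Office bitness, as steps 2 and 3 describe.
    $base = if ($For32BitOfficeOnX64) { 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSIPC\Servicelocation' }
            else { 'HKLM:\SOFTWARE\Microsoft\MSIPC\Servicelocation' }
    $key = "$base\LicensingRedirection"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    foreach ($old in $Map.Keys) {
        $new = $Map[$old]
        # Both sides must be licensing endpoints; -match is case-insensitive, so
        # "licensing" and "Licensing" are both accepted.
        foreach ($u in @($old, $new)) {
            if ($u -notmatch '^https?://[^/]+/_wmcs/licensing$') {
                throw "Not a licensing URL: $u"
            }
        }
        if ($old -eq $new) { throw "Refusing self-redirection for $old" }
        # Name = previous licensing URL, Value = new licensing URL (step 4).
        Set-ItemProperty -Path $key -Name $old -Value $new -Type String
    }
}

# List the mappings currently in force, so a migration can be verified or an
# unexpected redirect spotted.
function Get-MsipcLicensingRedirection {
    param([switch] $For32BitOfficeOnX64)
    $base = if ($For32BitOfficeOnX64) { 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSIPC\Servicelocation' }
            else { 'HKLM:\SOFTWARE\Microsoft\MSIPC\Servicelocation' }
    $key = "$base\LicensingRedirection"
    if (-not (Test-Path $key)) { return @{} }
    $skip = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $map = @{}
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -notin $skip) { $map[$p.Name] = $p.Value }
    }
    return $map
}

# Usage: the retired Contoso cluster had both an extranet and an intranet
# licensing URL (the note above), so both are mapped to the new Fabrikam cluster.
Add-MsipcLicensingRedirection -Map @{
    'https://contoso.com/_wmcs/licensing' = 'https://fabrikam.com/_wmcs/licensing'
    'https://corprights/_wmcs/licensing'  = 'https://fabrikam.com/_wmcs/licensing'   # constructed intranet name
}
Get-MsipcLicensingRedirection
```

A LicensingRedirection entry changes where every license request for content from the old cluster is sent, so the mappings in Get-MsipcLicensingRedirection belong in the same configuration baseline as the ServiceLocation and TrustedServers keys.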