Rights Management Service and Exchange 2003 (Part 2)

If you missed the other parts of this article series, please read:

If you followed the first part of this article, you are now ready to test the RMS functionality from a client machine. To demonstrate it, I am using two users in this scenario: User1 (Princy) and User2 (Margot). Our goal is to protect the content of an e-mail message using the built-in Do Not Forward template. With this template the recipient cannot edit, forward, print or copy the message, and a reply does not include the original message text.

How to Protect E-mail Messages

  1. Log on to User1's (Princy) computer and open Outlook 2003.
  2. Create a new e-mail message by selecting File -> New -> New Message.
  3. In the To field, type the recipient(s) address or select the recipient(s) from the address book. In this scenario, I am sending this mail to user #2, Margot.
  4. To protect the message with the built-in Do Not Forward template, go to the File -> Permission menu and select the Do Not Forward option.

  5. You will see a message showing that Outlook is contacting the RMS server and verifying your logon information.

Note:
This process installs a machine certificate, a rights account certificate and a client licensor certificate for the user. By default they are stored in C:\Documents and Settings\<User Name>\Local Settings\Application Data\Microsoft\DRM.

  6. Once the verification completes, a banner appears at the top of the e-mail message indicating that it is protected with the Do Not Forward template.

Note:
The Do Not Forward template is a built-in template and is automatically available once the RMS server and client software are installed. With it, the recipient cannot edit, forward, print or copy the message, and a reply does not include the original message text.

  7. Click the Send button to send the message to the recipient.

Verify the Protected E-mail Messages

  1. Log on to Margot's computer and open Outlook 2003.
  2. Margot has received a new e-mail from Princy. The new message shows an attachment symbol, indicating that it is an RMS-protected e-mail.

  3. Double-click the message, or go to File -> Open -> Selected Items, to open it. A dialog pops up indicating that this is an RMS-protected document and that Outlook will contact the RMS server for a license. Click OK.

  4. You will also see a message about Outlook contacting the RMS server.

  5. As you can see in the opened message, it is protected with the Do Not Forward template and the Forward, Print and Copy buttons are grayed out.

The scenario above shows how easy it is to protect your e-mail, and to keep information internal, using Rights Management Service (RMS). It is also possible to create custom templates that fit your organization's needs; custom templates are explained in Part 3.

When you apply a template or open an RMS-protected document, the RMS client installs a machine certificate, a rights account certificate and a client licensor certificate for the user. By default they are stored in C:\Documents and Settings\<User Name>\Local Settings\Application Data\Microsoft\DRM. The next section explains how to identify and verify those certificates.

How to Verify the Client Certificate

  1. Log on to Princy's computer and open Windows Explorer.
  2. Enable the Show hidden files and folders option (Tools -> Folder Options -> View, select Show hidden files and folders, click OK).
  3. Open the C:\Documents and Settings\Princy.Paul\Local Settings\Application Data\Microsoft\DRM folder.
  4. Make sure the following files exist:

A.      CLC-XXX
Client Licensor Certificate (CLC): issued and signed by the RMS server; it lets the client sign publishing licenses for the content it protects, so that content can be published without contacting the server each time.

B.      CERT-Machine.drm
Machine Certificate: contains the public key of this computer's lockbox; the matching private key, held by the lockbox, is used to protect the private key inside the RAC.

C.      GIC-XXX
Rights Account Certificate (RAC): issued and signed by the RMS server; binds the user account to an RSA key pair (the private key is stored encrypted with the machine key above).

D.      EUL-XXX
End User License, also called a use license: signed by the RMS server; states the rights granted to this user for one piece of content and carries the content key, encrypted to the user's RAC public key, which is what allows the application to decrypt that content.

Note: 
A user account has one Rights Account Certificate (RAC) file and one Client Licensor Certificate (CLC) file, but one End User License (EUL) file for each piece of protected content that has been opened.
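The folder check above is easy to script, which helps when you have to confirm client activation on more than one machine. The following PowerShell function is an added example and is not part of the original article; it assumes only the file naming described above (CLC-*, CERT-Machine.drm, GIC-*, EUL-*) and resolves the DRM folder from the user's local application data path, which is the Local Settings\Application Data folder on Windows XP.

```powershell
# Added example, not from the original article: script the "make sure the
# following files exist" check for the RMS client certificate store.
# Assumes the file naming described above (CLC-*, CERT-Machine.drm, GIC-*, EUL-*).
function Test-RmsClientCertificates {
    param(
        # Default resolves to <profile>\Local Settings\Application Data on XP and
        # <profile>\AppData\Local on later Windows; the Microsoft\DRM subfolder is the same.
        [string]$DrmPath = (Join-Path ([Environment]::GetFolderPath('LocalApplicationData')) 'Microsoft\DRM')
    )

    if (-not (Test-Path -LiteralPath $DrmPath)) {
        # No DRM folder at all: this user has never applied a template or opened protected content.
        return [pscustomobject]@{
            Path = $DrmPath; FolderExists = $false
            MachineCertificate = $false; RacCount = 0; ClcCount = 0; UseLicenseCount = 0
            Healthy = $false
        }
    }

    # -Force includes hidden files; the PSIsContainer filter keeps this PowerShell 2.0 compatible.
    $files = Get-ChildItem -LiteralPath $DrmPath -Force | Where-Object { -not $_.PSIsContainer }

    $machine = (@($files | Where-Object { $_.Name -ieq 'CERT-Machine.drm' }).Count -eq 1)
    $rac     = @($files | Where-Object { $_.Name -like 'GIC-*' }).Count   # Rights Account Certificate
    $clc     = @($files | Where-Object { $_.Name -like 'CLC-*' }).Count   # Client Licensor Certificate
    $eul     = @($files | Where-Object { $_.Name -like 'EUL-*' }).Count   # one per piece of content opened

    # Per the note above: exactly one RAC and one CLC per user account, any number of EULs.
    # Without a RAC the user cannot consume protected content; without a CLC the client
    # has to go back to the RMS server before it can publish (the verification step in Outlook).
    $healthy = $machine -and ($rac -eq 1) -and ($clc -eq 1)

    [pscustomobject]@{
        Path = $DrmPath; FolderExists = $true
        MachineCertificate = $machine; RacCount = $rac; ClcCount = $clc; UseLicenseCount = $eul
        Healthy = $healthy
    }
}

# Usage: run in the user's own session, since the folder is per profile.
Test-RmsClientCertificates | Format-List
```

Run it as the user whose certificates you want to inspect; run as an administrator it would report on the administrator's own DRM folder, not Princy's. The UseLicenseCount grows by one for each protected message or document the user opens, which makes it a quick way to confirm that licenses are being acquired from the server.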

RMS Policy Templates

RMS policy templates are a pre-defined set of rules that can be applied to any RMS-protected content. A template describes a standard set of users, rights, rules and conditions. When a user applies an RMS template to content, the rights and rules defined in the template become part of the content's publishing license. RMS stores rights policy templates in the Configuration database. In addition, it keeps a policy template file (XML) for each template in the shared folder specified as the Template location on the RMS server. To verify this, you can open the shared folder and view the XML files, or you can open the DRMS_RightsTemplate table in the Configuration database. (I will explain these details in Part 3 of this document.)

How to Specify Policy Template Location

  1. Open the RMS Administration console (Start -> All Programs -> Windows RMS -> RMS Administration).
  2. Click the Administer RMS on this Website option.
  3. In the Administration Links section, click the Rights policy templates option.
  4. In the Template location section, specify the shared folder name in the Location of templates box.

  5. Click Save.

Note:
Make sure the policy template location (C:\RMS Templates in this example) is available to client users. It is a best practice to use a shared folder for storing all the RMS template files. Also, templates should not be created under Program Files or the IIS root folder.

Policy Template Location on Client Machines

The RMS template location on a client machine is determined by the RMS-enabled application. For Office 2003, it is stored as a per-user setting in the registry at the following location:

HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\DRM\AdminTemplatePath

You can set it by modifying the registry on the client machines:

  1. Log on to the client machine.
  2. Click Start -> Run, type Regedit in the Open box, and click OK.
  3. Click the HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\DRM registry key.
  4. Go to the Edit menu and select New -> String Value.

  5. Add the following value:

Name:  AdminTemplatePath
Value Data: C:\RMS Templates

If AdminTemplatePath points to a local folder on the client machine, the template XML files must be copied to the local machine from the RMS template share; this procedure is explained later in this article. If AdminTemplatePath points to a network share, the templates will be unavailable when the user is offline unless Offline Files are used.
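The registry steps above, and the copy of the template XML files they imply, are what you would script for a logon script or a GPO-deployed script rather than repeat in Regedit on every client. The function below is an added example and not part of the original article; it assumes the Office 2003 registry location quoted above, and the share name \\rmsserver\RMSTemplates in the usage line is a placeholder for your own template share.

```powershell
# Added example, not from the original article: configure AdminTemplatePath for
# Office 2003 on a client and (by default) copy the template XML files locally.
# The share name \\rmsserver\RMSTemplates used in the usage line is a placeholder.
function Set-RmsTemplatePath {
    param(
        [Parameter(Mandatory = $true)]
        [string]$SharePath,                      # UNC path of the RMS template share
        [string]$LocalPath = 'C:\RMS Templates', # local copy, as in the article's example
        [switch]$UseShareDirectly                # point Office at the share itself (needs Offline Files when roaming)
    )

    $key = 'HKCU:\Software\Microsoft\Office\11.0\Common\DRM'   # Office 2003 is version 11.0
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null    # the key may not exist until Office has used RMS once
    }

    if ($UseShareDirectly) {
        $target = $SharePath
    } else {
        if (-not (Test-Path -LiteralPath $LocalPath)) {
            New-Item -ItemType Directory -Path $LocalPath | Out-Null
        }
        # Copy only the rights policy template files; -Force refreshes stale local copies.
        Copy-Item -Path (Join-Path $SharePath '*.xml') -Destination $LocalPath -Force
        $target = $LocalPath
    }

    # REG_SZ value named AdminTemplatePath, exactly as in the manual procedure above.
    Set-ItemProperty -Path $key -Name 'AdminTemplatePath' -Value $target -Type String

    # Read the value back and count the templates Office will actually see there.
    $value = (Get-ItemProperty -Path $key -Name 'AdminTemplatePath').AdminTemplatePath
    $count = @(Get-ChildItem -Path $value -Filter '*.xml' -ErrorAction SilentlyContinue).Count
    if ($count -eq 0) { Write-Warning "No template XML files found at $value" }

    [pscustomobject]@{ AdminTemplatePath = $value; TemplateCount = $count }
}

# Usage (placeholder share name): copy the templates locally so they are usable offline.
Set-RmsTemplatePath -SharePath '\\rmsserver\RMSTemplates'
```

Because the value lives under HKEY_CURRENT_USER, the script has to run in each user's context (a logon script, or a GPO script in the user configuration), not once per machine. Re-running it at every logon also keeps the local copy current when templates are added or changed on the share.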

I hope this part of the article provides a better understanding of RMS templates, as well as the details of their use and location. In Part 3, I will explain the details of creating and distributing custom RMS templates. If you have any questions regarding this article, feel free to email me at [email protected] or post a comment on the newsgroup.

