Information Rights Management Client Diagnostics Handbook
Legacy Platform Release
Office 365 Dedicated & ITAR-Support Plans
© 2015 Microsoft Corporation. All rights reserved.
Page 1 of 28
Information Rights Management
Client Diagnostics Handbook
(Legacy Platform Release)
Applies to: Office 365 Dedicated – Legacy Platform Releases
Topic Last Modified: 2015-07-07
The Information Rights Management (IRM) feature provided in Office 365 Dedicated and ITAR-support
plans utilizes Active Directory Rights Management Services (AD RMS) to protect content (such as an
email message or document) and to manage specific use restrictions for the content. The principal
components of an AD RMS environment include an AD RMS server infrastructure within a customer
environment and the Office 365 cloud environment, as well as IRM-supported applications on client
systems and devices.
The IRM Client Diagnostics Handbook provides general guidance to customers regarding self-service
support techniques for typical AD RMS client issues, and describes how the Office 365 Rights
Management diagnostics package may be able to provide additional diagnostic information and
recommended steps to resolve client issues. The Office 365 Rights Management diagnostics package
includes a Microsoft script that can be used to diagnose and repair AD RMS issues on a client PC. The
script is also used to collect information about the machine that’s useful for your internal service desk
and for support escalations.
The handbook is a companion to the IRM Feature Guide (Legacy Platform Release) available via the IRM
landing page in the Customer Extranet site. The feature guide includes a complete description of IRM
support responsibilities for an Office 365 customer and Microsoft.
Important:
For the Office 365 dedicated and ITAR-support offerings, the Office 365 support team will only
address resolving AD RMS infrastructure issues within the Microsoft managed Office 365
environment. The customer is responsible for the support of the AD RMS components within
their environment including all client systems and devices. If your organization has a separate
support agreement with Microsoft for on-premises software products, assistance with resolving
AD RMS server and client issues may be available through this alternative Microsoft support
channel.
Important:
The Office 365 support team provides the Office 365 Rights Management diagnostics package
to Office 365 customers for use without warranty, expressed or implied. The tool is used to
diagnose client issues within an AD RMS environment managed entirely by a customer. The
diagnostics package contains a batch file (.bat) script O365RMdiag.bat which invokes binary
executable files (.exe) to establish, repair, or remove an AD RMS configuration on a client PC
system. Additional information describing each function of the tool is provided in the sections that follow.
Downloading the Office 365 Rights Management Diagnostics Package
You use the O365RMdiag.bat script to diagnose and repair AD RMS issues on a client PC and to collect
information about the machine that’s useful for your internal helpdesk and for support escalations.
1. Download the Office 365 Rights Management diagnostics package (O365RMdiag.zip) from the
Customer Extranet site. (See your Microsoft Service Delivery Manager for information about how to
access the site.)
2. Extract O365RMdiag.zip to the directory C:\temp\rms. The screen shot shows the included files and
folders.
Running the O365RMdiag Batch File
On the client machine that is having AD RMS issues, run the three phases of the diagnostic script
from the command prompt: setup, repair, and cleanup.
1. On the client machine, open an Administrator command prompt.
2. Run O365RMdiag.bat setup as shown in the following screen shot.
When you run the diagnostic tool using the Setup option, Setup performs the following tasks:
Any instances of dbgview.exe currently running are terminated
Runs IRMCheck.exe and saves the output as CurrentDRMStateIrmCheckOutput.htm
Runs dbgview.exe and saves the output as ReproWithCurrentDRMState.log
Enables the Trace registry key for IRM
The following is an example output from a Windows 7 client.
As directed in the command output, now try to reproduce the AD RMS issue by attempting
to open the protected content on the machine. When you have finished, continue to the next step.
3. Run O365RMdiag repair from the Administrator command prompt.
When you run the diagnostic tool using the Repair option, the tool performs the following tasks:
Kills any running instances of dbgview.exe
Makes a backup of the DRM directory and saves it as DRM.old
Renames the DRM directory to a random directory name so that it forces the bootstrap
process to start over.
Deletes all EUL files from the DRM backup directory
Runs dbgview.exe and saves the output as ReproWithCleanDRMState.log
Sets multiple registry values
The following is an example output from a Windows 7 client.
As directed in the command output, re-attempt to open protected content to collect debug
information. This allows the tool to collect any error messages.
4. Finally, run O365RMdiag cleanup from the Administrator command prompt to terminate the debug
process and to capture the revised IRM configuration.
When you run the diagnostic tool using the Cleanup option, the tool performs the following tasks:
Removes any running instances of dbgview.exe
Runs IRMCheck.exe and saves the output under the filename
CleanDRMStateIrmCheckOutput.htm
Makes a backup of the DRM directory and saves it as DRM.New.
Deletes all EUL files from the DRM backup directory
The following is an example output from a Windows 7 client.
5. You can review the exported data in C:\temp\rms\RmLog, or you can include it in a zip file and send
it to your escalation support team if requested.
Working with Exported Data
The following procedures assume that Office 365 Rights Management diagnostics have run on the
client machine.
Identify the Licensing Cluster Used to Protect Content
The following procedure lets you determine which licensing cluster was used to protect the content. It
uses the DBGView.exe tool to view the debug data logged while using O365RMdiag. Depending on
the file type, there may be other ways to view this information, but this procedure is the most consistent
process across all file types that support AD RMS.
1. From the directory where the O365RMdiag files were saved, open \tools\Dbgview.exe.
2. From within the DebugView console, click File, then Open.
3. In the Open DebugView Log File dialog, browse to the O365RMdiag directory. Navigate to and
open \RmLog\ReproWithCleanDRMState.log and click Open.
4. Once the log file loads, click Edit, then Find.
5. In the Find dialog box, search for _wmcs/licensing and click Find Next:
This last step will provide the URL for the licensing server. Continue to search the log to make sure that
any references to the licensing server all point to the same path. If there are multiple paths, then it is
possible that multiple IRM protected files were accessed during the debug logging task when using
O365RMdiag.
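The same search can be scripted over an exported log. The following is an added example, not part of the handbook or the diagnostics package: it collects every URL containing _wmcs/licensing, groups the hits by cluster, and reports whether more than one licensing cluster appears. The sample log lines are constructed for illustration and make no claim about the exact DebugView line format.

```python
import re
from urllib.parse import urlsplit

MARKER = "/_wmcs/licensing"          # the string the handbook tells you to search for
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample: hostnames reuse the handbook's examples, the message text is made up.
SAMPLE_LOG = (
    "00000001\t0.00000000\t[4312] constructed: service discovery started\n"
    "00000002\t0.01203400\t[4312] constructed: certification url "
    "https://rmscert.contoso.com/_wmcs/certification\n"
    "00000003\t0.51200100\t[4312] constructed: acquiring license from "
    "https://rms.999.d.office365.com/_wmcs/licensing/license.asmx\n"
    "00000004\t0.90311200\t[4312] constructed: publish endpoint "
    "HTTPS://RMS.999.D.OFFICE365.COM/_wmcs/Licensing/Publish.asmx.\n"
    "00000005\t1.40020000\t[5120] constructed: acquiring license from "
    "https://rms.contoso.com/_wmcs/licensing/license.asmx\n"
)


def licensing_clusters(log_text):
    """Map each distinct licensing cluster URL to the log line numbers that cite it."""
    clusters = {}
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for match in URL_RE.finditer(line):
            # Drop sentence punctuation that the regex swallowed with the URL.
            url = match.group(0).rstrip(".,;:)]}")
            try:
                parts = urlsplit(url)
            except ValueError:
                continue  # malformed URL text in the log, ignore it
            cut = parts.path.lower().find(MARKER)
            if cut == -1 or not parts.netloc:
                continue  # not a licensing URL (for example the certification pipeline)
            # Host and path are compared case-insensitively, so normalise both.
            key = "{}://{}{}{}".format(
                parts.scheme.lower(), parts.netloc.lower(),
                parts.path[:cut].lower(), MARKER)
            lines = clusters.setdefault(key, [])
            if not lines or lines[-1] != lineno:
                lines.append(lineno)
    return clusters


def verdict(clusters):
    """'none', 'single' or 'multiple' licensing clusters seen in the log."""
    if not clusters:
        return "none"
    return "single" if len(clusters) == 1 else "multiple"


if __name__ == "__main__":
    found = licensing_clusters(SAMPLE_LOG)
    for cluster, lines in sorted(found.items()):
        print(cluster, "on lines", lines)
    print("verdict:", verdict(found))
```

A "multiple" verdict corresponds to the case described above, where more than one IRM protected file may have been opened while logging was active.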
Reading the CleanDRMStateIrmCheckOutput.htm File
CleanDRMStateIrmCheckOutput.htm contains the report data generated by O365rmdiag.bat. This
report can be useful in troubleshooting issues related to client configuration, registry settings, and
certificate validity.
The following example is from a client computer that is using the customer on-premises AD RMS cluster
for Certification and is using overrides to use the Office 365 AD RMS cluster for Licensing.
IRM Configuration Test
Here is an example of the configuration test report data generated by O365rmdiag.bat.
Environment
Here is an example of the configuration test report data generated by O365rmdiag.bat.
The following table provides descriptions of the environment checks.
Check Type Description
1. Office System: You should be using at least Office 2003 SP1. Office 2003 Standard Edition can
read content, but cannot publish. All newer versions of Office support AD RMS.
2. Operating system: If you get an error here, it will usually say that there is no signature for one of
the system files. This usually indicates that you have a corrupted signature catalog (Catroot2). If you
see an error here, you can run sigverif to verify that there is a problem. Essentially, AD RMS is a
security application, which means that in order for it to protect itself it has a manifest of all of the
files that it should be working and playing with, as well as the ones it should specifically NOT be
using. If one of the files that it is supposed to be working with is not signed, then we cannot trust
that file, and AD RMS will refuse to run until it gets fixed.
3. RM client: This will tell you the version of the client. If you have version RMS v1 with
Windows XP or Windows 2003, upgrade to RMS SP2.
4. Kernel Debugger: Informational only.
5. Registry overrides: For advanced setups it may be required to override the default AD RMS behavior
with registry overrides. For instance, if you have several forests that have two-way trusts, you would
need to put a certification server in each forest; however, you could keep a licensing server in one
forest. You would need to tell each client where the licensing server is, which can be done through a
registry key. If there is a warning here, but you know the reason why you are overriding registry
settings, then this is not a problem. For Office 365, you could point all of your clients to use the
Office 365 AD RMS Licensing URL so that all licensing is consolidated into a single location. This
will eliminate complexities with support.
6. Service URLs: This tells you if your service connection point for AD RMS is in the Local Intranet
Zone. It is important that the AD RMS cluster FQDN (i.e. rms.contoso.com) that you created when you
provisioned AD RMS is listed in your Local Intranet Zone so that credentials can be passed for
validation. The Office 365 AD RMS cluster FQDN should be listed as well. Otherwise, the client will
treat it as an Internet site, and will either prompt for credentials or fail. If you are prompted for
credentials, and you enter your credentials, you will be issued a TRAC (Temporary Rights Account
Certificate) that is good for 15 minutes. More information about where to set the RAC and TRAC
validity periods can be found here:
http://technet.microsoft.com/en-us/library/cc732630.aspx.
7. IRM manifests: This is extremely rare. If you have something that is unsigned with an Office
application, you may want to scan your machine for malware. Everything should be signed.
8. Machine activation: This is a rare problem, but it does happen if your system DLLs are not signed.
The machine activation happens on the machine locally, so the AD RMS services aren't really even
involved.
9. User certificates: If this one is failing, then the problem could be anywhere from no access to the
AD RMS server, to a problem with the SQL connection to AD RMS, to anti-virus software being overly
aggressive. The best thing to do is make sure that you can connect to the four important URLs from the
client’s web browser without any errors, pop-ups, or certificate issues, and that they are listed at
the bottom right of the browser as being in the Local Intranet zone. The URLs are:
http://rms.cluster.url/_wmcs/Certification/Activation.asmx
http://rms.cluster.url/_wmcs/Certification/Certification.asmx
http://rms.cluster.url/_wmcs/Licensing/License.asmx
http://rms.cluster.url/_wmcs/Licensing/Publish.asmx
If you are having problems getting to them, then that will need to be fixed depending on the pop-up
or error received.
10. System clock: This essentially checks the clock to see if it has been rolled back. You need to
make sure that your clock is in sync for many reasons, like Kerberos, and the amount of time that
certificates are issued for.
11. Pending Reboot: Reboot the computer if this lists a pending reboot.
12. Product SKU: Informational only.
13. Network Connectivity: If there is no network connectivity, you can't authenticate against the
AD RMS server.
14. Domain Membership: This will tell us if you are connected to a domain. If you aren't, then the
automatic service discovery calls that are made to find the service connection point in AD DS will
fail. In this case you will need to override AD RMS with some registry settings.
15. Temporary Directory: Verify this directory exists.
16. Incompatible applications: Make sure that the client is using AD RMS SP1 or later. Earlier versions
of AD RMS didn't support features like Virtual Machines. If you have incompatible AV software on
your system that puts itself into APPInit mode (essentially hooking the calls to AD RMS), AD RMS may
fail because it thinks that there is a malicious program trying to steal information from the
computer’s lockbox.
17. User Email in AD: A requirement to use AD RMS is that the user account must have the mail
attribute populated. Even if they don't have a mailbox, they still need this attribute populated, as
this is what is used to check that the user matches the person listed in the publishing license.
Certificates
Here is an example of the certificate report data generated by O365rmdiag.bat.
The following table provides descriptions of the certificate types.
Certificate Type Description
GIC (Group Identity Certificate): This is more commonly known as a Rights Account Certificate (RAC).
This is the user certificate that is used for authentication. You can use the IRMCheck GIC
information to view when the certificate was issued and when it expires. You can also usually
determine if it is a permanent or temporary RAC based on these dates. You should check to see if the
server that issued the RAC matches the Enterprise Service Discovery Results information. If it does
not, it could mean that AD RMS was re-installed, or someone modified the SCP.
CLC (Client Licensor Certificate): This is the publishing certificate which is required to do offline
publishing (i.e., the ability to create AD RMS content, not just read it). Like the GIC, you should
check to see if the server that issued the CLC matches the Enterprise Service Discovery Results
information. If it does not, this could cause some problems with Office. In addition, below the
“Issued By” URL, the CLC also lists the licensing URLs that will be published in every document the
user creates. If there are 2 URLs, it means that you have set the Extranet URL on the AD RMS server
(the URL users with access on the Internet will connect to). If AD RMS is failing in an Extranet
scenario, you should check the CLC for the Extranet URL. If the CLC does not have the extranet URL,
then the content the users publish will not have the extranet URL in the Publishing License (usually
built into the file) and the Extranet user won't be able to connect to your Internet-facing AD RMS
server.
Machine (Machine Certificate): This is the public key certificate to the private key for the machine.
The machine key used to be global to the entire machine with V1 (another major reason to upgrade),
but in SP1, each user has their own virtual machine key. When the AD RMS server issues certificates,
they are tied to a particular machine key. The machine certificate information in IRMCheck is usually
not useful except to identify when a client is configured to the pre-production (development)
hierarchy.
Registry Information
Here is an example of the registry information report data generated by O365rmdiag.bat.
This section of the report is for Microsoft internal support only.
Enterprise Service Discovery
Here is an example of the enterprise service discovery report data generated by O365rmdiag.bat.
This section of the report is for Microsoft internal support only.
Gathering Data Without Using Diagnostics Script
The following diagnostics process can be used instead of using the O365RMDiag script. The process still
requires that the O365RMDiag files are available on the client workstation.
Note:
The DRM directory will need to be modified in these examples for Windows XP clients. The path
for Windows XP is %appdata%\Microsoft\DRM.
Setup Option
1. Save the O365RMDiag files to a directory. As an example, the following commands will assume this
is c:\temp\.
2. Terminate any running instances of dbgview.exe.
c:\temp\tools\kill.exe dbgview.exe
3. Run IRMCheck.exe and save the output as CurrentDRMStateIrmCheckOutput.htm.
c:\temp\tools\irmcheck.exe quiet extended -o c:\temp\RmLog\CurrentDRMStateIrmCheckOutput.htm
4. Enable the Trace registry key for IRM.
REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MSDRM /v Trace /t REG_DWORD /d 00000001 /f
REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDRM /v Trace /t REG_DWORD /d 00000001 /f
5. Run dbgview.exe and save the output as ReproWithCurrentDRMState.log.
start c:\temp\tools\dbgview.exe /t /l c:\temp\RmLog\ReproWithCurrentDRMState.log
6. Reproduce the problem. Ensure that the same error occurs so that DebugView will capture it.
Repair Option
1. Terminate any running instances of dbgview.exe.
c:\temp\tools\kill.exe dbgview.exe
2. Make a backup of the DRM directory and save it as DRM.Old.
md c:\temp\RmLog\DRM.Old
copy /y "%localappdata%\Microsoft\DRM" c:\temp\RmLog\DRM.Old
3. Rename the DRM directory to a random directory name.
ren "%localappdata%\Microsoft\DRM" DRM_Backup_%RANDOM%
4. Delete all EUL files from the DRM backup directory.
del /f /q c:\temp\RmLog\DRM.Old\EUL*
5. Add the AD RMS Certification and Licensing URLs to IE Trusted sites.
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\rms.001.d.o365.com" /v https /t REG_DWORD /d 1 /f
6. Run DebugView and save the output as ReproWithCleanDRMState.log.
start c:\temp\tools\dbgview.exe /t /l c:\temp\RmLog\ReproWithCleanDRMState.log
7. Reproduce the problem. Ensure that the same error occurs so that DebugView will capture it.
Cleanup Option
1. Terminate any running instances of dbgview.exe.
c:\temp\tools\kill.exe dbgview.exe
2. Run IRMCheck.exe and save the output as CleanDRMStateIrmCheckOutput.htm.
c:\temp\tools\irmcheck.exe quiet extended -o c:\temp\RmLog\CleanDRMStateIrmCheckOutput.htm
3. Make a backup of the DRM directory and save it as DRM.New.
md c:\temp\RmLog\DRM.New
copy /y "%localappdata%\Microsoft\DRM" c:\temp\RmLog\DRM.New
4. Delete all EUL files from the DRM backup directory.
del /f /q c:\temp\RmLog\DRM.New\EUL*
5. Zip the c:\temp\RmLog directory and send it to the technical escalation team.
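Before the archive is sent, it is worth confirming that the EUL deletion steps of the Repair and Cleanup options actually took effect in both backups. The following is an added example, not part of the handbook or the diagnostics package: it refuses to build the zip while any EUL* file remains under DRM.Old or DRM.New. The .drm file names in the sample tree are constructed for the demo.

```python
import fnmatch
import os
import tempfile
import zipfile

BACKUP_DIRS = ("DRM.Old", "DRM.New")   # backup folders created by Repair and Cleanup
EUL_PATTERN = "EUL*"                   # same wildcard as the handbook's del command


def leftover_eul_files(rmlog_dir):
    """Return RmLog-relative paths of EUL* files still present in the DRM backups."""
    found = []
    for backup in BACKUP_DIRS:
        # os.walk yields nothing for a missing folder, so absent backups are fine.
        for dirpath, _dirs, files in os.walk(os.path.join(rmlog_dir, backup)):
            for name in files:
                if fnmatch.fnmatchcase(name.upper(), EUL_PATTERN):
                    rel = os.path.relpath(os.path.join(dirpath, name), rmlog_dir)
                    found.append(rel.replace(os.sep, "/"))
    return sorted(found)


def package_rmlog(rmlog_dir, zip_path):
    """Zip rmlog_dir into zip_path and return the member names, or raise ValueError."""
    root = os.path.abspath(rmlog_dir)
    target = os.path.abspath(zip_path)
    if os.path.commonpath([root, target]) == root:
        raise ValueError("write the zip outside the RmLog directory")
    leftovers = leftover_eul_files(root)
    if leftovers:
        raise ValueError("EUL files still present: " + ", ".join(leftovers))
    members = []
    with zipfile.ZipFile(target, "w", zipfile.ZIP_DEFLATED) as archive:
        for dirpath, _dirs, files in os.walk(root):
            for name in sorted(files):
                full = os.path.join(dirpath, name)
                arcname = os.path.relpath(full, root).replace(os.sep, "/")
                archive.write(full, arcname)
                members.append(arcname)
    return sorted(members)


def build_sample_rmlog(base_dir, leave_eul=False):
    """Create a constructed RmLog tree; the .drm names are made up for the demo."""
    rmlog = os.path.join(base_dir, "RmLog")
    names = [
        "CurrentDRMStateIrmCheckOutput.htm",
        "CleanDRMStateIrmCheckOutput.htm",
        "ReproWithCurrentDRMState.log",
        "ReproWithCleanDRMState.log",
        "DRM.Old/GIC-sample.drm",
        "DRM.New/CLC-sample.drm",
    ]
    if leave_eul:
        names.append("DRM.Old/EUL-sample.drm")
    for rel in names:
        path = os.path.join(rmlog, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as handle:
            handle.write("constructed sample content\n")
    return rmlog


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = build_sample_rmlog(tmp, leave_eul=True)
        print("leftover EUL files:", leftover_eul_files(sample))
        os.remove(os.path.join(sample, "DRM.Old", "EUL-sample.drm"))
        print("zipped:", package_rmlog(sample, os.path.join(tmp, "RmLog.zip")))
```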
Troubleshooting IRM Error Messages
The reference tables in the Working with Exported Data section provide you with a starting place for
troubleshooting IRM client error messages, but they may not resolve the issue that you are
experiencing.
The following information about error messages can provide additional help in troubleshooting client
errors. The information is based on the experience the Microsoft AD RMS team has gained with the
internal AD RMS deployment at Microsoft and various external deployments that the AD RMS team has
assisted with.
Error Message: This service is temporarily unavailable
This service is temporarily unavailable.
Microsoft Internet Explorer may be set to work offline. In Internet Explorer, verify that work offline on
the File menu is not selected, and then try again.
Probable Cause
The AD RMS server failed to respond to a licensing request.
Troubleshooting
1. Verify that the client computer has network connectivity
2. Run Office 365 Rights Management diagnostics.
a) Open cleandrmstateIRMcheckoutput.htm
b) Under heading “The Enterprise Service Discovery results”, search for RM Certification Service
c) Copy the URL and paste it into the browser’s address bar, and then append
/certification.asmx.
d) For example: https://rmscert.contoso.com/_wmcs/certification/certification.asmx
e) Within the .htm file, search for RM Client Enrollment Service, copy the URL, paste it into the
browser address bar, and append /license.asmx.
f) For example: https://rms.999.d.office365.com/_wmcs/licensing/license.asmx
g) Confirm that the licensing server URL (i.e. rms.999.d.office365.com) is listed in your Local Intranet
Zone so that credentials can be passed for validation. Network connectivity to the licensing
server is required.
h) For the above URL checks, other basic troubleshooting steps may be needed, such as ensuring
that the client can route to the destination servers, that no firewalls are blocking connectivity,
and that the destination server has a valid certificate and the CRL is reachable by the client.
3. Escalate to Microsoft support to determine if this is an on-premises issue or an Office 365 service
issue.
Error: A problem occurred while contacting the restricted permission service
A problem occurred while contacting the restricted permission service. Please try again later or
contact your administrator for more details.
Probable Cause
The AD RMS server returned an error. This issue can occur when client activation is attempted through
the RMS server’s activation proxy, but the AD RMS server does not have an Internet connection. It has
also been encountered when the client computer submits an expired RAC to the server.
Troubleshooting
1. Run Office 365 Rights Management diagnostics
2. Review output and follow the support escalation process if needed.
Error: Cannot use this feature without credentials
Cannot use this feature without credentials.
Probable Cause
The AD RMS client was not able to acquire a RAC for the user. This occurs when the user does not have
a RAC and the Information Rights Management (IRM) feature is configured to use silent certification.
Silent certification does not query the user for permission to request a RAC, but does so behind the
scenes using the credentials of the logged in user.
This issue has been seen when the user’s account in Active Directory does not have an email attribute
value or when the user abruptly cancels the request during the silent certification process.
Troubleshooting
1. Check the Active Directory Domain Services (AD DS) account of the client for an email address,
system lockouts, and other settings that may prevent the user’s credential from being validated.
2. For Office 365 Exchange Online users, the following mail attributes need to match between Office
365 AD DS and client AD DS: mail and proxyAddresses
3. The client must be able to log in to the Office 365 environment successfully.
Error: Cannot verify user information at this time
Cannot verify user information at this time. Contact your administrator if this problem continues.
Probable Cause
The AD RMS server returned an error during user certification.
Troubleshooting
1. Run Office 365 Rights Management diagnostics.
2. If you are unable to open content, open RMlog\CleanDRMStateIRMcheckOutput.htm and look for
any errors or warnings.
Error: You do not have permission to use this service
You do not have permission to use this service.
Probable Cause
The certification request from the client was denied by the AD RMS server.
Troubleshooting
1. Run Office 365 Rights Management diagnostics.
2. If you are unable to open content, review CleanDRMStateIrmCheckOutput.htm on the client
computer and look for any errors or warnings.
Error: Your permission has expired
You do not have permission to open this document because your permission has expired.
Probable Cause
The rights assigned to your account by the document author have expired.
Troubleshooting
Request a copy of the document with updated permissions that allow you to open the document.
Error: You do not have credentials that allow you to open this file
You do not have credentials that allow you to open this file. You can request updated permission
from [email protected]. Do you want to request updated permission?
Probable Cause
None of the RACs in your user profile match the accounts specified in the Publishing License for the
content.
This can occur if the account membership for a user has changed but the RAC has not been
updated.
More commonly, the user was not included in the permissions list by the author of the document.
Troubleshooting
1. If the user was recently added to an AD DS distribution group, allow two hours for the AD DS
cache of AD RMS to refresh, and then ask the user to try to access the content again.
2. Request an updated version of the document from the author. The author must add the user to the
list of people with rights to the content and republish the document.
3. Run Office 365 Rights Management diagnostics.
Error: An unexpected error has occurred while trying to restrict permission
An unexpected error has occurred while trying to restrict permission to your document. Contact
your administrator for assistance.
Probable Cause
The client licensor certificate may be missing, corrupt, or otherwise invalidated.
Troubleshooting
1. Run Office 365 Rights Management diagnostics.
2. Try to create AD RMS-protected content. This will cause the client to repeat the request for a new
client licensor certificate for the user.
Outlook Specific Error Messages
Error: Outlook was not able to create a message with restricted permission.
Probable Cause
The client licensor certificate might be missing, corrupt, or otherwise invalid.
Next Steps
1. Confirm that the client can reach the Licensing/Licensing.asmx web service for the AD RMS server.
2. Run Office 365 Rights Management diagnostics.
3. Review CleanDRMStateIrmCheckOutput.htm on the client computer to confirm the validity of the
client licensor certificate.
Error: Your Information Rights Management Configuration for the user account is invalid.
Your Information Rights Management Configuration for the user account [email protected] is
invalid. The service must verify your credentials again before you continue. If prompted, enter the
username and password for [email protected].
Probable Cause
The rights account certificate (RAC) or client licensor certificate is invalid. This can occur when the
computer has been reactivated but the previous RAC was not deleted or replaced.
Next Steps
Run Office 365 Rights Management diagnostics.