Microsoft KB Archive/841174

= You cannot prevent users from obtaining certificates and licenses when you run RMS in Windows Server 2003 =

Article ID: 841174

Article Last Modified on 11/16/2007

APPLIES TO

 * Microsoft Windows Rights Management Services (RMS) for Windows Server 2003

SUMMARY
''When you run Microsoft Windows Rights Management Services (RMS) in Microsoft Windows Server 2003 as part of a Microsoft Windows 2000 Server domain, and if you try to exclude a specific Rights Management (RM) account certificate by specifying a user name, you receive an error message. This article describes how to resolve the problem. You have to remove the user account from the RMS configuration database table. You also have to remove the user keys from the RM account certificate database table.''



SYMPTOMS
When you use the Exclusion Policies page on the Microsoft Windows RMS Administration Web site to prevent a specific user from obtaining a Rights Management (RM) account certificate, you receive the following error message:

The user name entered was not found in Active Directory

Note This problem occurs only when RMS is used with Windows 2000 domain controllers. This problem does not occur if your user accounts are stored in a Microsoft Windows Server 2003 Active Directory directory service structure.



RESOLUTION
To resolve this problem, you must remove user information from two database tables, and then reset Microsoft Internet Information Services (IIS) on the RMS server. Specifically, remove the following user information:
 * In the DRMS_GICExclusionList RMS configuration database table, remove the user account that causes the error.
 * In the UD_Users user account database table, remove the user’s keys.

The following information describes how to remove the user information and how to reset IIS on the RMS server.

Remove user information
To remove the user information, follow these steps:

1. Download Administration Toolkit for Windows Rights Management Services (RMS) 1.0. To download the toolkit, visit the following Microsoft Web site:

   http://www.microsoft.com/downloads/details.aspx?familyid=B287CEC3-B6CA-4C0B-A9F5-11428092CC3F&displaylang=en

2. Run the RMSConfigEditor.exe program that is included in the RMS toolkit.
3. Select the server that is running the RMS SQL database, and then click Go.
4. After the configuration database is automatically selected, click Go again.
5. In the left pane, click DRMS_GICExclusionList. In the right pane, locate the entry that represents the excluded Rights Management (RM) account certificate, and then note the user's public key.
6. Set the UserId column to null, and then click Persist. On the Exclusion Policies page, the RM account certificate is now excluded as a public key string.

   Note You can either keep the RM account certificate or remove the RM account certificate from the exclusion list.

7. On the server that hosts your configuration database, open the UD_Users user account database table.
8. Locate the entry in the UD_Users table whose value in the b_PublicKey column matches the user's public key that is excluded in step 5, and then delete the entry.

Reset IIS on the RMS server
To reset IIS on the RMS server, follow these steps:

1. Click Start, and then click Run.
2. In the Run box, type cmd, and then click OK.
3. At the command prompt, type the following command, and then press ENTER:

   iisreset /noforce

   Note If you are administering an IIS server remotely, the  placeholder is the NetBIOS name of the computer where you want to restart IIS. If you are not logged on locally, the  placeholder is not required.

   Note If an attempt to stop IIS gracefully does not succeed, the /noforce switch does not close IIS forcefully. However, if you are sure that forcing IIS to restart will not cause data loss, you can omit the /noforce switch.

After you make these changes, if the user tries to obtain a user license for a piece of RM-protected content, the RM client automatically tries to connect to the certification server and tries to download a new RM account certificate. By using the RM account certificate, the user can open the content.

STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

This issue will be fixed in a later release of Microsoft Windows Rights Management Services (RMS).

MORE INFORMATION

Using the exclusion feature after an error
If you try to use the exclusion feature to exclude a user name from the RM account certificate after you receive the error message that is mentioned in the "Symptoms" section, the following exception occurs:

Source Error:

An unhandled exception was generated during the execution of the current Web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[NullReferenceException: Object reference not set to an instance of an object.]

Microsoft.DigitalRightsManagement.Utilities.ActiveDirectory._ADQuery(String outputProperty, String filter, String domain)

[ADEntrySearchFailedException: The search of Active Directory failed. No entry was found.]

Microsoft.DigitalRightsManagement.Utilities.ActiveDirectory._ADQuery(String outputProperty, String filter, String domain)

Microsoft.DigitalRightsManagement.Utilities.ActiveDirectory.GetEmailAddressFromWindowsSid(String sid)

Microsoft.DigitalRightsManagement.Configuration.AdminExclusion.GetExcludedGics

Microsoft.DigitalRightsManagement.Configuration.UI.ExclusionPolicy.GetExcludedUserGridData

Microsoft.DigitalRightsManagement.Configuration.UI.ExclusionPolicy.Page_Load(Object sender, EventArgs e)

System.Web.UI.Control.OnLoad(EventArgs e) +67

System.Web.UI.Control.LoadRecursive +35

System.Web.UI.Page.ProcessRequestMain +731

Removing the problematic user account from two tables
After you remove the user account that caused the error from the DRMS_GICExclusionList RMS configuration database table, Microsoft recommends that you remove the user from the UD_Users user accounts database table.

When you remove the user from the UD_Users user accounts database table, you permit the user to obtain an RM account certificate that has a new key pair. If you do not include a new user in the UD_Users user accounts database table, the user must obtain an RM account certificate that has a new key pair. The user must obtain an RM account certificate that has a new key pair because the existing keys in the RM account certificate are compromised. When the existing keys are compromised, the user is still a valid consumer of the RM-protected content. However, to be authenticated by the RMS system, the user must have a new RM account certificate that has new keys.
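The two-table cleanup from the "Remove user information" steps and from this section, written as one T-SQL transaction that changes nothing unless exactly one exclusion row and exactly one key row match (an added example, not part of the KB article or of any RMS tool). Assumptions: [RMS_ConfigDb] and [RMS_UserDb] stand for your RMS configuration and user database names on the same SQL Server instance; the exclusion row's key column is named PublicKey (only UserId and UD_Users.b_PublicKey are named in the article); and UserId holds the user's Windows SID, as the GetEmailAddressFromWindowsSid frame in the stack trace suggests.

```sql
-- Added example, not from the KB article. Back up both databases and close
-- RMSConfigEditor before running. Placeholders: [RMS_ConfigDb], [RMS_UserDb],
-- the SID value, and the assumed column name DRMS_GICExclusionList.PublicKey.
USE [RMS_ConfigDb];
SET NOCOUNT ON;
SET XACT_ABORT ON;

DECLARE @UserId nvarchar(256);
SET @UserId = N'S-1-5-21-PLACEHOLDER';   -- SID of the account that causes the error

BEGIN TRANSACTION;

-- 1. Exactly one exclusion entry must reference the account; otherwise stop
--    before touching anything.
IF (SELECT COUNT(*) FROM dbo.DRMS_GICExclusionList WHERE UserId = @UserId) <> 1
BEGIN
    RAISERROR('Expected exactly one DRMS_GICExclusionList row for %s', 16, 1, @UserId);
    ROLLBACK TRANSACTION;
    RETURN;
END

-- 2. Delete the UD_Users row whose b_PublicKey equals the key stored in the
--    exclusion entry (the key the article has you note in the editor). This runs
--    before step 3 because step 3 nulls the UserId we match on here.
DELETE FROM [RMS_UserDb].dbo.UD_Users
WHERE b_PublicKey IN (SELECT PublicKey
                      FROM dbo.DRMS_GICExclusionList
                      WHERE UserId = @UserId);

IF @@ROWCOUNT <> 1
BEGIN
    RAISERROR('Expected exactly one UD_Users row carrying the excluded key', 16, 1);
    ROLLBACK TRANSACTION;
    RETURN;
END

-- 3. Keep the exclusion, but as a pure public-key exclusion: with UserId NULL
--    the Exclusion Policies page no longer performs the Active Directory lookup
--    that fails against Windows 2000 domain controllers.
UPDATE dbo.DRMS_GICExclusionList
SET UserId = NULL
WHERE UserId = @UserId;

COMMIT TRANSACTION;
-- Then, on the RMS server:  iisreset /noforce
```

The user's next license request then triggers a fresh RM account certificate with a new key pair, as described above; the old key stays excluded.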

Using access control lists
If you do not want the user to obtain any RM account certificates or any licenses, you must use access control lists to deny the user access to the certification and licensing access points on the RMS server.

 * To prevent a user from obtaining an RM account certificate, deny the user access to the following:

   http:// /_wmcs/Certification/Certification.asmx

 * To prevent a user from obtaining a user license, deny the user access to the following:

   http:// /_wmcs/Licensing/License.asmx

 * To prevent a user from obtaining a publishing license, deny the user access to the following:

   http:// /_wmcs/Licensing/Publish.asmx

Note The placeholder  is the name of the RMS server in your organization.
