How do I authenticate to Active Directory Rights Management Services using a bearer token from Active Directory Federation Services



My goal is to use the Microsoft Rights Management SDK 4.2 on a Linux system to access and manage protected documents.

I am unable to authenticate to the RMS server via a Federation Server (this is the setup that the SDK requires).

I have the following setup:

  • A domain controller, dc1.mydomain
  • A rights management server, rms1.mydomain, with Active Directory Rights Management Services, SQL Server, and the Mobile Device Extension for AD RMS
  • An authentication server, fs1.mydomain, running Federation Services

All hosts in the cluster run Windows Server 2016 and have certificates signed by a Registration Authority. The root CA and intermediate RA certificates are installed on the hosts. The token signing certificate and token decrypting certificates for the Federation Service are also signed by the RA.

Microsoft Office applications (which use an earlier SOAP protocol) are able to talk to the RMS service. The Rights Management SDK library uses a more lightweight JSON protocol provided by the Mobile Device Extension.

I have configured an SRV DNS record for _rmsdisco._http._tcp.mydomain.

The Mobile Device Extension has been configured to use https://fs1.mydomain for authentication.

On fs1.mydomain, I have configured a "Server application accessing a web API". The server application has client ID <ID> and client secret <SECRET>. The web API has the relying party identifier api.rms.rest.com.

I am unable to get the RMS SDK client to authenticate to the RMS server with the client application credentials. This is the failing oauth2 exchange:

  1. Attempt to fetch https://rms1.mydomain:443/my/v2/servicediscovery?email=user1@mydomain

  2. This returns a 401 response with the expected WWW-Authenticate header:
    WWW-Authenticate: Bearer realm="api.rms.rest.com", authorization="https://fs1.mydomain/adfs/oauth2/authorize"

  3. POST the following body to https://fs1.mydomain/adfs/oauth2/token:
    grant_type=client_credentials&client_id=<ID>&client_secret=<SECRET>&resource=api.rms.rest.com

  4. Obtain a signed authentication token with a decoded body looking something like this:
    {"aud":"microsoft:identityserver:api.rms.rest.com","iss":"http://fs1.mydomain/adfs/services/trust","iat":1553792250,"exp":1553795850,"apptype":"Confidential","appid":"<ID>","authmethod":"http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password","auth_time":"2019-03-28T16:57:30.037Z","ver":"1.0"}

  5. Attempt to fetch the service discovery URI again, this time adding the following header:
    Authorization: Bearer <TOKEN>

  6. Server returns a 401 response instead of 200.

I'm assuming that there is an error in the server configuration but don't know what. I'm not seeing anything logged in the RMS server but I'd guess that it's failing to verify the oauth token. The token signing certificate is present in the FederationData.xml supplied by the Federation Server. I have also installed it on the RMS server under "Certificates" (the certificate authority certificates are also present).

At this point, I'm stuck, hence reaching out for help.

windows-server-2016 rights-management

asked yesterday by Chris Williams

1 Answer

Apologies for answering my own question. The problem with the bearer token appears not to be failure to verify the signature but a missing claim (email at a guess) in the payload.

Install and configure the AD RMS Mobile Device Extension as documented here.

There is something else you need to do that isn't documented (and which I'd guess is new for Windows Server 2016). After you add an ADFS client in PowerShell, for example, the Mac OS X RMS Sharing App:

    Add-AdfsClient -Name "RMS Sharing App for macOS" -ClientId "96731E97-2204-4D74-BEA5-75DCA53566C3" -RedirectUri @("com.microsoft.rms-sharing-for-osx://authorize")

You then need to grant the client ID permission to access the protected resource (even if you configured "Permit Access to All Users"):

    Grant-AdfsApplicationPermission -ClientRoleIdentifier "96731E97-2204-4D74-BEA5-75DCA53566C3" -ServerRoleIdentifier "api.rms.rest.com"

Now you can authenticate using the client ID and valid credentials for a domain user. The authentication request body becomes:

    grant_type=password&client_id=96731e97-2204-4d74-bea5-75dca53566c3&username=user1@mydomain&password=mypassword&resource=api.rms.rest.com

The returned token has a payload something like this:

    {"aud":"microsoft:identityserver:api.rms.rest.com","iss":"http://fs1.mydomain/adfs/services/trust","iat":1553874942,"exp":1553878542,"email":"user1@mydomain","upn":"user1@mydomain","apptype":"Public","appid":"96731E97-2204-4D74-BEA5-75DCA53566C3","authmethod":"urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport","auth_time":"2019-03-29T15:55:42.124Z","ver":"1.0"}

This token is accepted by the RMS server.

One small detail: the service discovery URL is not quite correct. Even with a working bearer token, attempting to access https://rms1.mydomain:443/my/v2/servicediscovery?email=user1@mydomain will result in a 404 response. Replace "v2" with "v1" and the response is 200. My confusion was due to the SDK effectively hardcoding "/my/v2".

A couple more questions remain:

  1. Is it possible to get the RMS Mobile Device Extension to accept a token that doesn't contain an email claim? This is required for client ID / client secret authentication to work.

  2. What is the difference between "/my/v1" and "/my/v2" and how does one know which one to use?

answered 7 hours ago by Chris Williams
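
The difference between the rejected and the accepted token can be checked offline by decoding both payloads against the 401 challenge. The following Python is an added example, not code from the post or from the RMS SDK: it decodes without verifying signatures, the sample tokens are constructed from the payloads quoted above with a placeholder signature, and treating `email`/`upn` as required follows the answer's guess rather than documented behaviour.

```python
import base64
import json
import re

# Claims present only in the accepted (password-grant) token on this page.
# Treating them as required is an assumption taken from the answer's guess.
IDENTITY_CLAIMS = ("email", "upn")
# Prefix observed in the "aud" claim of both tokens quoted on this page.
ADFS_AUD_PREFIX = "microsoft:identityserver:"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(token: str) -> dict:
    """Return a JWT's claims WITHOUT verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def parse_bearer_challenge(header: str) -> dict:
    """Extract key="value" parameters from a 'Bearer ...' WWW-Authenticate value."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    return dict(re.findall(r'(\w+)="([^"]*)"', params))


def diagnose(token: str, challenge: str, now: int) -> list:
    """List reasons the resource server might answer 401 for this token."""
    claims = decode_payload(token)
    realm = parse_bearer_challenge(challenge).get("realm", "")
    problems = []
    if claims.get("aud") != ADFS_AUD_PREFIX + realm:
        problems.append("aud %r does not match realm %r" % (claims.get("aud"), realm))
    if not claims.get("iat", 0) <= now < claims.get("exp", 0):
        problems.append("token is outside its iat/exp validity window")
    missing = [c for c in IDENTITY_CLAIMS if c not in claims]
    if missing:
        problems.append("no user identity claims: " + ", ".join(missing))
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed sample token; the signature segment is a placeholder."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])


# Challenge and payloads as quoted on this page ("<ID>" is the page's placeholder).
CHALLENGE = ('Bearer realm="api.rms.rest.com", '
             'authorization="https://fs1.mydomain/adfs/oauth2/authorize"')

CLIENT_CREDENTIALS_CLAIMS = {
    "aud": "microsoft:identityserver:api.rms.rest.com",
    "iss": "http://fs1.mydomain/adfs/services/trust",
    "iat": 1553792250, "exp": 1553795850,
    "apptype": "Confidential", "appid": "<ID>",
    "authmethod": "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password",
    "auth_time": "2019-03-28T16:57:30.037Z", "ver": "1.0",
}

PASSWORD_GRANT_CLAIMS = {
    "aud": "microsoft:identityserver:api.rms.rest.com",
    "iss": "http://fs1.mydomain/adfs/services/trust",
    "iat": 1553874942, "exp": 1553878542,
    "email": "user1@mydomain", "upn": "user1@mydomain",
    "apptype": "Public", "appid": "96731E97-2204-4D74-BEA5-75DCA53566C3",
    "authmethod": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    "auth_time": "2019-03-29T15:55:42.124Z", "ver": "1.0",
}

if __name__ == "__main__":
    samples = (("client_credentials", CLIENT_CREDENTIALS_CLAIMS),
               ("password", PASSWORD_GRANT_CLAIMS))
    for label, claims in samples:
        token = make_unsigned_token(claims)
        # Evaluate one minute after issuance so the validity window applies.
        findings = diagnose(token, CHALLENGE, now=claims["iat"] + 60)
        print(label, "->", findings or "no problems found")
```

Both tokens carry the same audience and a valid lifetime; only the client-credentials token lacks a user identity, which matches the behaviour described in the answer.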
