AD RMS Cryptographic Modes

Applies To: Windows Server 2008 R2 with SP1

There are two cryptographic modes that are available to Active Directory Rights Management Services (AD RMS) deployments with servers running at least Windows Server 2008 R2 with Service Pack 1. When AD RMS is first installed, Cryptographic Mode 1 is in use. For increased security, you can change to Cryptographic Mode 2. This document describes these cryptographic modes, the software prerequisites, and the administrative procedures to enable Cryptographic Mode 2.

  • Cryptographic Modes

  • Prerequisite Software and Updates

  • Enabling Cryptographic Mode 2

  • Questions and Answers

Cryptographic Modes

AD RMS supports two different modes of cryptographic operation:

  • Cryptographic Mode 1 is the original AD RMS cryptographic implementation. It supports RSA 1024 for signature and encryption, and SHA-1 for signature. This mode continues to be supported by all current versions of AD RMS in release.

  • Cryptographic Mode 2 is an updated and enhanced AD RMS cryptographic implementation. It supports RSA 2048 for signature and encryption, and SHA-256 for signature.

When updated to run in Cryptographic Mode 2, AD RMS servers issue rights account certificates (RACs), client licensor certificates (CLCs) or user licenses (ULs) based on SHA-2/RSA 2048 only. Likewise, AD RMS servers updated to Cryptographic Mode 2 will accept only server licensor certificates (SLCs) and RACs based on SHA-2/RSA 2048. However, servers running in Cryptographic Mode 2 will continue to accept Publishing Licenses (PLs) previously issued using Cryptographic Mode 1 (SHA-1/RSA 1024).

Prerequisite Software and Updates

Some of the earlier operating systems cannot support AD RMS Cryptographic Mode 2. For these operating systems, the minimum version required to support Cryptographic Mode 2 is listed.

In addition, some applications cannot support Cryptographic Mode 2. After you have confirmed the operating system versions (and updated if necessary), then check whether you need to update the following applications on the AD RMS clients and server computers so that these applications can support Cryptographic Mode 2.

  • Exchange 2010: Requires a minimum of Exchange 2010 Service Pack 3.

  • Clients running Microsoft Office 2007: Requires a minimum of Office 2007 Service Pack 3.

  • Clients running Microsoft Office 2010: Requires a minimum of Office 2010 Service Pack 2.

Enabling Cryptographic Mode 2

After any prerequisite software updates are deployed, the AD RMS administrator can use two different methods to update to Cryptographic Mode 2: The AD RMS management console or Windows PowerShell.

Warning

Enabling Cryptographic Mode 2 on clients and servers is a one-way upgrade. There is no supported method for reverting to the previous cryptographic mode after the higher level is enabled.

Phased Deployment

Use a three-phased approach to transition to Cryptographic Mode 2:

  1. Preparation:

    1. If necessary, upgrade all Active Directory Rights Management Services client computers to support Cryptographic Mode 2. These computers could be running different operating systems that you might need to update to achieve the required level of support.

    2. Coordinate with your partners in other groups who you share AD RMS protected content with, and agree on the dates of the checkpoints. Depending on your deployment, the following preparations might also be required:

      • If you have servers connected with a trusted user domain (TUD), all servers involved must be updated and move to Cryptographic Mode 2 at the same time. See Enabling Cryptographic Mode 2 for TUDs in this document for more information.

      • If you have servers connected with AD FS, the servers do not have to be updated; however, all clients in both forests must be running software that supports Cryptographic Mode 2.

    3. Upgrade all AD RMS servers to support Cryptographic Mode 2. If you are running AD RMS servers that have a version of Windows lower than Windows Server 2008 R2 SP1, you should first upgrade these servers to at least Windows Server 2008 R2 SP1 to achieve the required level of support.

  2. Transition:

    1. The transitioning phase can begin after all AD RMS servers and their clients are capable of supporting Cryptographic Mode 2.

    2. Before your AD RMS servers are updated to use Cryptographic Mode 2, first create their Cryptographic Mode 2 keys so that these keys can be imported as TUDs in another forest.

    3. During this time, your content continues to be rights-protected using Cryptographic Mode 1.

  3. Completion:

    • When the preparation is complete, the move to Cryptographic Mode 2 must be coordinated throughout the organization

Enabling Cryptographic Mode 2 on Client Computers

Other than ensuring AD RMS client computers have the supported software installed to support Cryptographic Mode 2, no further administrative action is required. These AD RMS client computers can continue to function with AD RMS servers that have not yet been upgraded Cryptographic Mode 2.

Enabling Cryptographic Mode 2 on AD RMS Servers

To update AD RMS servers to Cryptographic Mode 2, you can use the AD RMS management console or Windows PowerShell:

  • Using the AD RMS management console:

    1. In the navigation pane, select the AD RMS server you want to upgrade.

    2. From the Action menu, select the Update Crypto to Mode 2 option.

  • Using Windows PowerShell:

    In a Windows PowerShell session, use the following syntax:

    Update-ADRMS –UpdateCryptographicModeOnly –ServiceAccount <account> -force –NewCSPName <”Mode2 Supported CSP”> -Regen
    

    When you run this command:

    • UpdateCryptographicModeOnly is the parameter that indicates that Cryptographic Mode 2 should be enabled. This is a one-way operation. After this operation is complete, you cannot return the AD RMS server to Cryptographic Mode 1.

    • force is optional, which overrides the user prompt for confirmation.

    • NewCSPName indicates the cryptographic provider that you want to use for encryption. This is an optional setting and not needed if you are using password-based protection. This can be any Cryptographic Mode 2 enabled cryptographic provider.

    As an example, if the AD RMS service account is named ADRMSSvc, you would open a Windows PowerShell prompt and run the following command to update the AD RMS server to Cryptographic Mode 2:

    Update-ADRMS –UpdateCryptographicModeOnly –ServiceAccount ADRMSSvc –NewCSPName “Microsoft Enhanced RSA and AES Cryptographic Provider”
    

Enabling Cryptographic Mode 2 for TUDs

If you are using a trusted user domain (TUD) between two AD RMS servers, they must both use the same cryptographic mode. For example, communication in support of a TUD relationship between a Cryptographic Mode 2 AD RMS server in one forest and a Cryptographic Mode 1 AD RMS server in another forest will not be possible. In order to keep the TUD relationship, the administrators of both forests must coordinate the upgrade to Cryptographic Mode 2.

  1. Before either forest can move to Cryptographic Mode 2, all clients (or at least all clients that will exchange information), must have software that supports Cryptographic Mode 2.

  2. Before an administrator moves one forest to Cryptographic Mode 2, that administrator must generate the new SLC and export it.

  3. The administrator in the partner forest should then import the updated Cryptographic Mode 2 SLC, which allows for the TUD to remain intact.

  4. After the decision is made to move to Cryptographic Mode 2, administrators in both forests should move AD RMS servers to Cryptographic Mode 2 at the same time. TUDs are unavailable for client information exchange until all the AD RMS servers in the forest are upgraded to Cryptographic Mode 2.

Use the following command syntax to generate and export a new SLC:

Initialize-RmsCryptoMode2 -FilePath <filepath> -Regen

When you run this command:

  • Filepath can be any file location. The last name in the path becomes the file name.

  • Regen is only used when the command has been run previously and you want to revise the key from the AD RMS database.

For example, to generate a new SLC that will be produced in the C:\certs\slcfabrikam, you would run the following command from a Windows PowerShell prompt:

Initialize-RmsCryptoMode2 –Filepath c:\certs\slcfabrikam.bin

To import an SLC, you can use the following command:

Import-RmsTUD -Path <AdRmsAdmin drive> -DisplayName <name> -SourceFile <SLCfile>

When you run this command:

  • Path is a mandatory parameter that will take an AdRmsAdmin value, as described in Using Windows PowerShell to Administer AD RMS. If you change directory to the AD RMS drive, you can use a period (.) for <ADRmsAdmin drive>.

  • SourceFile is the SLC file that was generated using the Initialize-RmsCryptoMode2 command.

  • DisplayName is the display name for the TUD relationship.

For example, if you want to import an SLC file named slcfabrikam.xml that is located on an AD RMS drive named FabrikamRMSCluster in the folder TrustPolicy and the trusted user domain display name is Fabrikam, you would run the following command at a Windows PowerShell prompt:

Import-RmsTUD -Path FabrikamRMSCluster:\TrustPolicy -DisplayName Fabrikam -SourceFile slcfabrikam.bin

Cryptographic Mode 2 for TPDs

Trusted publishing domains (TPDs) are used to verify publishing licenses (PLs) for previously published content. No changes are required for TPDs in Cryptographic Mode 2. Cryptographic Mode 1 TPDs will continue to be honored for previously published content.

Questions and Answers

The following section contains some questions and answers for administrators preparing to perform the upgrade from Cryptographic Mode 1 to Cryptographic Mode 2.

Why enable Cryptographic Mode 2?

National Institute of Standards and Technology (NIST) issued Special Publication 800-57 recommends the use of 2048-bit RSA keys starting January 1, 2011. United States Federal agencies are required to comply with NIST recommendations and many private enterprises and other countries may choose to implement this recommendation. To learn more, see NIST Special Publications (https://csrc.nist.gov/publications/PubsSPs.html).

What does this update look like for users?

The experience for users varies:

  • If the user has a computer without the software required to support Cryptographic Mode 2 and tries to read content that has been protected with Cryptographic Mode 2, they will see an error. The error from the server will indicate that the cryptographic mode is erroneous. The exact message text displayed at the client depends upon the application returning the error. If this occurs, the client automatically restarts its boot strap process with the AD RMS server.

  • If the user has existing Cryptographic Mode 1 end user licenses (EULs), the computer must contact the AD RMS server to get a Cryptographic Mode 2 EUL for that content. Providing the user is online and able to reach the AD RMS server, this operation should occur automatically and not require user input.

How is this change managed differently if I am using AD FS with AD RMS?

In some situations, the purpose of TUDs can be replaced with a deployment of Active Directory Federation Services (AD FS), which will allow partners to continue to interoperate in different cryptographic modes. Under these circumstances, clients are able to use AD FS servers to access the updated AD RMS servers and changes in an AD FS supported trust are less involved.

If you are running a federated trust between forests using AD FS and have servers operating in two different cryptographic modes, the following considerations should help you to make appropriate planning decisions and understand the differences:

  • Before either forest in a federated trust relationship supported by AD FS can move to Cryptographic Mode 2, clients (or at least clients that will exchange information) might need updates to support Cryptographic Mode 2.

  • The AD RMS and AD FS servers in the second forest will not need any updates to support this scenario.

  • The AD RMS servers moving to Cryptographic Mode 2 do not need to share SLCs with the other forest.

  • Clients will get RACs from the publishing server, so this means that for cross-forest publishing, each client will get two independent RACs-one from the publishing server in each forest.

How does this change affect existing Cryptographic Mode 1 licensed content or impact the pre-licensing agent?

After a server is updated to Cryptographic Mode 2, all the Cryptographic Mode 1 end user licenses (EULs) that each AD RMS client has licensed (either directly or via Exchange pre-licensing) will no longer be valid. In this situation, client devices will need to go back to the AD RMS server with the publishing license (PL), to obtain a Cryptographic Mode 2 EUL. Providing the user is online and able to reach the AD RMS server, this operation should occur automatically and not require user input.

How does this change affect AD RMS-aware applications such as Microsoft Office, Microsoft Exchange, or Microsoft Office SharePoint Server?

All computers using AD RMS that run Microsoft Office 2007 and Microsoft Office 2010 installations might need software updates. Cryptographic Mode 2 is not supported for versions of Microsoft Office prior to Microsoft Office 2007. If Microsoft Office installations do not have the required updates, they will continue to operate after computers are updated to Cryptographic Mode 2; however, ease of access to licensed content within Microsoft Office might be reduced by the additional inconvenience of error messages or dialog boxes that get displayed on client computers.

Exchange Server 2010 must be running at least Service Pack 3 to support Cryptographic Mode 2. Exchange Server 2007 does not require updates in order to support Cryptographic Mode 2.

Microsoft Office SharePoint Server 2007 updating to Cryptographic Mode 2 should have no impact, although there might be a need to restart SharePoint services after updating your AD RMS deployment to use Cryptographic Mode 2.

How do these changes impact mobile devices such as those running Windows Mobile 6 or Windows Phone 7?

Cryptographic Mode 2 is not supported for Windows Mobile 6 (all versions). Devices running at least Windows Phone 7 should work seamlessly in Cryptographic Mode 2 without requiring additional software updates.

Is there backwards compatibility for clients that have not been updated to mode 2?

No. To enable backwards compatibility for clients that have not been updated to support Cryptographic Mode 2 would allow users with weaker keys to access content, introducing a weak link in the security chain and potentially defeating the benefits of the enhanced cryptographic strength that Cryptographic Mode 2 provides for AD RMS.

Is there backwards compatibility for content that was originally protected using mode 1 cryptography?

Yes. A Cryptographic Mode 1 trusted publishing domain (TPD) is automatically imported during the Cryptographic Mode 1 update process. This enables all existing content that was originally published with Cryptographic Mode 1 to continue to be accessible after updating to Cryptographic Mode 2.

See Also

Other Resources

Understanding AD RMS Certificates
AD RMS Administration Cmdlets