

Cryptographic Mode 2: What you need to know

Two cryptographic modes are available to Active Directory Rights Management Services (AD RMS) deployments whose servers run Windows Server 2008 R2 with Service Pack 1 or later. Cryptographic Mode 1 uses 1024-bit RSA keys with SHA-1; Cryptographic Mode 2 uses 2048-bit RSA keys with SHA-256.

When AD RMS is first installed on Windows Server 2008 R2, Cryptographic Mode 1 is in use by default. To move to the stronger Cryptographic Mode 2, specific updates may need to be applied to your clients so that they remain compatible.

When AD RMS is first installed on Windows Server 2012 it gives you the choice of mode, but defaults to Cryptographic Mode 2, so your clients also need the updates if you keep that choice.

Before moving to Cryptographic Mode 2, you must make sure every client that consumes protected content can use this mode.

On clients older than Windows 8, updates must be installed to add this support; Windows 8 and later include it.

You might see references to two updates titled "RSA key length is increased to 2048 bits for AD RMS".

For clients, KB2627273 and KB2627272 can be considered the same update; they simply support different versions of the OS.

For enabling Crypto Mode 2 support on the AD RMS server, KB2627272 adds this support to Windows Server 2008 R2 Service Pack 1.

Server 2012 has this built in.

There is also a newer update (KB2843630) that bundles additional RMS fixes for Office and also includes Crypto Mode 2 support.

This is the recommended update for most situations, because it supports all the clients listed in KB2627273.

These are the recommended updates to install for clients:

KB2627272

        • Windows Vista Service Pack 2

        • Windows Server 2008 SP2-based RMS clients

(NOTE: The download for Windows Server 2008 SP2 carries the title "Windows Vista", but it is appropriate for both.)

KB2843630

        • Windows 7 (all supported SP levels)

        • Windows Server 2008 R2-based RMS clients (all supported SP levels)

The Azure Information Protection client also installs Crypto Mode 2 support (by installing KB2843630).
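Before switching a cluster over, it pays to inventory the client fleet rather than trust that the update rolled out everywhere. The following Windows PowerShell script is an added example (not part of the original article) that encodes the rules above: Windows 8 / Windows Server 2012 and later need no update, while older hosts must carry KB2627272, KB2627273 or KB2843630. It queries each host over WMI (Get-WmiObject and Get-HotFix, both of which exist in Windows PowerShell 5.1 and earlier); the computer list is an assumption and should be replaced with your own hosts or an Active Directory query.

```powershell
# Added example: check RMS client hosts for Cryptographic Mode 2 readiness.
# Readiness rules follow the article: Windows 8 / Server 2012 (NT 6.2) and later
# have built-in support; older hosts need one of the updates below installed.
# $Computers is an assumption - replace it with your own client list.

$Computers = @('localhost')
$CryptoMode2Updates = @('KB2627272', 'KB2627273', 'KB2843630')

function Test-CryptoMode2Ready {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Win32_OperatingSystem.Version is e.g. 6.1.7601 for Windows 7 / Server 2008 R2.
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction Stop
    $version = [version]$os.Version

    if ($version -ge [version]'6.2') {
        return [pscustomobject]@{
            Computer = $ComputerName
            OS       = $os.Caption
            Ready    = $true
            Reason   = 'Built in (Windows 8 / Server 2012 or later)'
        }
    }

    # Pre-Windows 8: look for any update that adds Crypto Mode 2 support.
    # Get-HotFix reads Win32_QuickFixEngineering, which lists Windows Update packages.
    $installed = Get-HotFix -ComputerName $ComputerName -ErrorAction SilentlyContinue |
        Where-Object { $CryptoMode2Updates -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID

    [pscustomobject]@{
        Computer = $ComputerName
        OS       = $os.Caption
        Ready    = [bool]$installed
        Reason   = if ($installed) { "Has $($installed -join ', ')" } else { 'Missing Crypto Mode 2 update' }
    }
}

$Computers |
    ForEach-Object {
        try { Test-CryptoMode2Ready -ComputerName $_ }
        catch { [pscustomobject]@{ Computer = $_.TargetObject; OS = 'unknown'; Ready = $false; Reason = "Query failed: $($_.Exception.Message)" } }
    } |
    Format-Table -AutoSize
```

Any host reported with Ready = False is one that will fail to consume content once the cluster is in Cryptographic Mode 2, so fix those (or retire them) before changing the server-side setting. Hosts that cannot be queried are reported as not ready rather than silently skipped.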


For the AD RMS server itself, apply KB2627272; it requires a Windows Server 2008 R2 SP1-based AD RMS server.

Windows Server 2012 includes this support, so no update is needed there.

NOTE: Mac Office 2011 should support Cryptographic Mode 2. 

NOTE: For Office 2016 for Mac or later to work against AD RMS, you must install the RMS Mobile Device Extensions on the AD RMS server.

If you have servers connected by a Trusted User Domain (TUD), ALL servers involved must be updated and moved to Cryptographic Mode 2 together, or the trust will no longer function.

Details of the actual process for switching a cluster to Cryptographic Mode 2 can be found here:

http://technet.microsoft.com/en-us/library/hh867439(v=ws.10).aspx