Updated Deployment Notes for AD RMS Interoperability with Office for Mac

Updated: October 28, 2013

Applies To: Windows Server 2008 R2 with SP1, Windows Server 2012 R2

After upgrading or updating the operating system on an AD RMS server that runs under Windows Server® 2008 R2 SP1, some unintended changes to access control lists (ACLs) can occur on the Office for Mac certification file (MacCertification.asmx).

There are two possible ways this issue can occur during upgrade/update scenarios:

  1. If you have previously set custom ACLs on the MacCertification.asmx file, those ACL settings will be lost after upgrading to Windows Server 2008 R2 SP1 or applying any patch updates for this version of the operating system.

  2. If the default ACL (no access) was in place on the MacCertification.asmx file, an upgrade or update might reset it to an ACL similar to the ones used on other certification pages such as Certification.asmx.

In either case, if you install any new Windows Update patch or perform a Service Pack update under Windows Server 2008 R2 SP1 and then run the Update-ADRMS cmdlet, these unintended ACL modifications can occur. To resolve this issue, restore the ACL for MacCertification.asmx to its original intended state after running the Update-ADRMS cmdlet, using the following procedure.

To restore certification of server services to its intended level of security

  1. Open Windows Explorer and browse to the folder where IIS is installed.

    By default, the folder path is %systemdrive%\inetpub\wwwroot\_wmcs\certification.

  2. To enable server services to receive RACs, right-click the MacCertification.asmx file, and then click Properties.

  3. On the Security tab, click Continue.

  4. On the Security tab, click Add.

    Verify the permitted users on the Security tab. You should see System, AD RMS Service Group, Administrators, and Users. If any of these account objects are missing from the Security tab, continue to the next step to add them back.

  5. To add the computer account object of the AD RMS-enabled server application and the AD RMS Service Group, click Locations.

  6. Select %servername%, and then click OK.

  7. Click Advanced.

  8. Click Find Now.

    If you are re-establishing IRM-related servicing, re-add the following groups from the search results:

    • Administrators (%servername%\Administrators) - Full Control

    • Users (%servername%\Users) - Read

    • AD RMS Service Group (%servername%\AD RMS Group) - Read

    Otherwise, if servicing for Office for Mac users is no longer needed, you can verify that the following access control entry is all that is listed:

    • NT AUTHORITY\SYSTEM - Full Control

  9. Click OK.
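
A read-only way to confirm which of the two end states above the file is in after each run of Update-ADRMS, as an added PowerShell example that is not part of the original guidance. The parameter names are hypothetical, the default local group name is an assumption, and SYSTEM is expected in both states because the verification note in step 4 lists it.

```powershell
# Added example: audits the MacCertification.asmx ACL; it changes nothing.
param(
    [string]$Path = "$env:SystemDrive\inetpub\wwwroot\_wmcs\certification\MacCertification.asmx",
    [switch]$MacServicingEnabled,   # set when Office for Mac IRM servicing is in use
    # Assumption: local group name as shown on the Security tab; adjust if yours differs.
    [string]$ServiceGroup = "$env:COMPUTERNAME\AD RMS Service Group"
)

$Rights  = [System.Security.AccessControl.FileSystemRights]
$SidType = [System.Security.Principal.SecurityIdentifier]
$sync    = [int]$Rights::Synchronize   # accompanies Allow entries, ignored when comparing

# Expected Allow entries for the two end states in the procedure.
# The page's %servername%\Administrators and \Users are the built-in local groups.
$expected = @{ 'NT AUTHORITY\SYSTEM' = [int]$Rights::FullControl }
if ($MacServicingEnabled) {
    $expected['BUILTIN\Administrators'] = [int]$Rights::FullControl
    $expected['BUILTIN\Users']          = [int]$Rights::Read
    $expected[$ServiceGroup]            = [int]$Rights::Read
}

# Resolve expected names to SIDs so display-name differences do not matter.
$want = @{}
foreach ($name in $expected.Keys) {
    $s = (New-Object System.Security.Principal.NTAccount($name)).Translate($SidType).Value
    $want[$s] = @{ Name = $name; Mask = ($expected[$name] -band (-bnot $sync)) }
}

# Combine the Allow rights granted to each SID (explicit and inherited entries).
$have = @{}; $findings = @()
foreach ($ace in (Get-Acl -Path $Path).GetAccessRules($true, $true, $SidType)) {
    $id = $ace.IdentityReference.Value
    if ($ace.AccessControlType -ne 'Allow') { $findings += "DENY entry present for ${id}"; continue }
    $have[$id] = ([int]$have[$id]) -bor (([int]$ace.FileSystemRights) -band (-bnot $sync))
}

foreach ($id in $have.Keys) {
    if (-not $want.ContainsKey($id)) { $findings += "UNEXPECTED ${id}: $($have[$id] -as $Rights)" }
    elseif ($have[$id] -ne $want[$id].Mask) { $findings += "MISMATCH $($want[$id].Name): $($have[$id] -as $Rights)" }
}
foreach ($id in $want.Keys) {
    if (-not $have.ContainsKey($id)) { $findings += "MISSING $($want[$id].Name)" }
}

if ($findings) { $findings; exit 1 } else { "ACL matches the expected state"; exit 0 }
```

Run it without switches when Office for Mac servicing is not needed, or with -MacServicingEnabled when it is; a non-zero exit code means the ACL has drifted and the procedure above should be repeated.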

For more information on deploying IRM support using AD RMS for Office for Mac users, download and review the Information Rights Management in Office for Mac 2011 Deployment Guide on the Microsoft Download Center (https://www.microsoft.com/download/confirmation.aspx?id=20825).