I am trying to decrypt an rpmsg file received from inside my organization that has been encrypted with RMS. I have installed AD RMS and the MDE. I am using the MIP SDK for C# version 1.11.72.
Decryption fails with a generic message - "One or more errors occurred." However, in the MIP SDK logs, I see this:
Failed API call: file_create_file_handler_async Failed with: [NoPermissionsError: 'Received message: Can't find SLC public key in global lookup tenant when targeting https://api.aadrm.com/my/v2/enduserlicenses, NoPermissionsError.Category=UnknownTenant, CorrelationId=6f5fb43e-4fe8-452c-ad30-3d3e5e479a5c, CorrelationId.Description=ProtectionEngine'
I am not sure what this issue might be related to. Any advice as to how to diagnose would be very helpful.
Using AD RMS requires that you also have registered the _rmsdisco SRV record. Without that, the SDK defaults to using Azure.
https://learn.microsoft.com/en-us/information-protection/develop/quick-app-adrms#service-discovery
I'll look at adding a section to the Service Discovery section that links to the AD RMS details.
Once the record is published, you need to use the Identity property on the FileEngineSettings object. The SDK will use the domain suffix from the identity to chase the SRV record.
If your organization has multiple email domains, you'll need an SRV record for each that points to the RMS cluster.
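As an added illustration of the two steps in the answer above (this is example code, not part of the thread or the MIP SDK samples), the snippet below builds a FileEngineSettings with the Identity property set and derives the SRV name the SDK will query from that identity's mail domain. It assumes an IAuthDelegate implementation and an IFileProfile already exist, that the FileEngineSettings constructor takes (engineId, authDelegate, clientData, locale) as in the 1.x .NET package, and that the record name follows the documented _rmsdisco._http._tcp.<domain> form.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.InformationProtection;
using Microsoft.InformationProtection.File;

// Added example, not code from the thread. Assumes an IAuthDelegate implementation
// and an IFileProfile have already been created by the caller.
public static class AdRmsEngineFactory
{
    // Name of the SRV record the SDK chases for a given user identity.
    // The domain suffix is everything after '@'; each mail domain in the
    // organization needs its own record pointing at the RMS cluster.
    public static string SrvRecordNameFor(string userEmail)
    {
        int at = userEmail.LastIndexOf('@');
        if (at < 0 || at == userEmail.Length - 1)
            throw new ArgumentException("Identity must be an e-mail address", nameof(userEmail));

        string domain = userEmail.Substring(at + 1).ToLowerInvariant();
        return $"_rmsdisco._http._tcp.{domain}";
    }

    public static async Task<IFileEngine> CreateEngineAsync(
        IFileProfile profile, IAuthDelegate authDelegate, string userEmail)
    {
        // Pre-flight hint for the operator: if this name does not resolve
        // (e.g. nslookup -type=SRV <name>), discovery falls back to Azure RMS
        // and the UnknownTenant / "Can't find SLC public key" error follows.
        Console.WriteLine($"Service discovery will query: {SrvRecordNameFor(userEmail)}");

        var settings = new FileEngineSettings(
            userEmail,      // engineId: reuse the cached engine for this user
            authDelegate,
            "",             // clientData
            "en-US");       // locale

        // Without Identity the SDK has no domain suffix to chase the SRV record
        // with, so it targets api.aadrm.com instead of the on-premises cluster.
        settings.Identity = new Identity(userEmail);

        return await profile.AddEngineAsync(settings);
    }
}
```

Call CreateEngineAsync once per user and then create file handlers from the returned engine as usual; if the engine still reports UnknownTenant, confirm the printed SRV name resolves from the machine running the SDK before looking anywhere else.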