microsoft-information-protection

AD RMS with Mobile Device Extension for on-prem rpmsg decryption fails with "The service didn't accept the auth token"

I am using the MIP SDK to try to decrypt rpmsg files. I have this working in my environment, but I cannot get it to work in my customer's environment. At this stage, the call to create a file handler fails with this log trace:

Error   2022-04-28 11:11:08.849 http_director_impl.cpp:258  LinkWorksite (2960) "HTTP operation failed Failed with: [AccessDeniedError: 'The service didn't accept the auth token. Challenge:['Bearer realm=""api.rms.rest.com"", authorization=""https://adfs.rrrrrrr.com/adfs/oauth2/authorize""']']" mipns::HttpDirectorImpl::OnHttpOperationFailed  4660
Error   2022-04-28 11:11:08.849 protection_engine_impl.cpp:797  LinkWorksite (2960) "Failed API call: protection_engine_create_consuming_protection_handler Failed with: [AccessDeniedError: 'The service didn't accept the auth token. Challenge:['Bearer realm=""api.rms.rest.com"", authorization=""https://adfs.rrrrrrr.com/adfs/oauth2/authorize""'], CorrelationId=c824d818-37ad-4309-b327-051da5e2f477, CorrelationId.Description=ProtectionEngine']"    mipns::ProtectionEngineImpl::CreateProtectionHandlerForConsumption  4660
Warning 2022-04-28 11:11:08.849 common/api_utils.h:249  LinkWorksite (2960) "Start calling error callback for API: protection_engine_create_consuming_protection_handler"   mipns::TryExecuteFailureCallback::<lambda_ee801bdedc20f37e6b5feb9b736714ff>::operator ()    4660
Warning 2022-04-28 11:11:08.849 common/api_utils.h:251  LinkWorksite (2960) "Ended calling error callback for API: protection_engine_create_consuming_protection_handler"   mipns::TryExecuteFailureCallback::<lambda_ee801bdedc20f37e6b5feb9b736714ff>::operator ()    4660
Trace   2022-04-28 11:11:08.849 oneds_telemetry_delegate.cpp:40 LinkWorksite (2960) "OneDSTelemetryDelegate::WriteEvent(protection_engine_create_consuming_protection_handler)" mipns::OneDSTelemetryDelegate::WriteEvent   4660
Trace   2022-04-28 11:11:08.849 oneds_helper.cpp:293    LinkWorksite (2960) "OneDsHelper::WriteEvent(protection_engine_create_consuming_protection_handler)"    mipns::OneDSHelper::WriteTelemetryEvent 4660
Info    2022-04-28 11:11:08.849 diagnostic_utils.cpp:73 LinkWorksite (2960) "Send Telemetry. Event Name : [protection_engine_create_consuming_protection_handler]
    App.ApplicationId: [adfasefas-9023-4a44-9a5e-9369d10bdbb5], Pii: [None]
    App.ApplicationName: [Link Documents MIP Integration], Pii: [None]
    App.ApplicationVersion: [2.1.1], Pii: [None]
    App.SessionId: [], Pii: [None]
    Engine.SessionId: [], Pii: [None]
    Event.CorrelationId: [c824d818-37ad-4309-b327-051da5e2f477], Pii: [None]
    Event.CorrelationIdDescription: [ProtectionEngine], Pii: [None]
    Event.Duration: [0.569734], Pii: [None]
    Event.ErrorType: [AccessDeniedError], Pii: [None]
    Event.Failed.File: [src\protection\api_impl\protection_engine_impl.cpp], Pii: [None]
    Event.Failed.Func: [mipns::ProtectionEngineImpl::CreateProtectionHandlerForConsumption::<lambda_a8fc66003c9962d3cc715d8ff0880d0a>::operator ()], Pii: [None]
    Event.Failed.Line: [727], Pii: [None]
    Event.Failed.Message: [Failed to create protection handler. Failed with: [AccessDeniedError: 'The service didn't accept the auth token. Challenge:['Bearer realm=""api.rms.rest.com"", authorization=""https://adfs.rrrrrrr.com/adfs/oauth2/authorize""'], CorrelationId=c824d818-37ad-4309-b327-051da5e2f477, CorrelationId.Description=ProtectionEngine']], Pii: [None]
    Event.ParentCorrelationId: [50c0b566-3e8c-4308-8518-6b0ee17ac510], Pii: [None]
    Event.ParentCorrelationIdDescription: [ProtectionProfile], Pii: [None]
    Event.UniqueId: [7805865d-bd65-4e0c-8097-5e36ca195739], Pii: [None]
    EventInfo.Level: [10], Pii: [None]
    EventInfo.PrivTags: [33554432], Pii: [None]
    MIP.Version: [1.11.64], Pii: [None]
    PL.KeyType: [Single], Pii: [None]
    iKey: [ce9aa5fb5a414ecebb15af10715bd8ff-831d197e-fc97-4df6-b998-c8c13a0fc3ce-6768], Pii: [None]
"   mipns::WriteTelemetryEventToLog 4660
Info    2022-04-28 11:11:08.849 protection_engine_impl.cpp:797  LinkWorksite (2960) "Ended API call: protection_engine_create_consuming_protection_handler" mipns::ProtectionEngineImpl::CreateProtectionHandlerForConsumption  4660

At first glance, it appears that the AD FS setup must be incorrect. However, I have gone back and forth through the documentation without any clear idea how this could happen. Any advice or experience with this issue and how to resolve it would be very helpful.

Solution

  • It turns out that the problem here was an expired "Trusted User Domain" certificate. Take a look here for a full explanation:

    https://social.technet.microsoft.com/wiki/contents/articles/33666.expired-adrms-tud-including-live-id-support-may-cause-mobile-device-support-to-fail.aspx