Office 2016 for Mac cannot open RMS-protected documents after installing the Active Directory Rights Management Services mobile device extension

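    Question

  • Hello everyone,

         Our company deployed the AD RMS role on Windows Server 2008 R2 to protect Office documents. Office 2016 on Windows, and Office versions earlier than 2016 (not including 2016) on Mac, open RMS-protected Office documents normally. Recently, users have reported that opening an RMS-protected document in Office 2016 for Mac goes straight to the Microsoft Windows Live ID online sign-in window.

         After looking up related material, I found advice to upgrade AD RMS and install the Active Directory Rights Management Services mobile device extension. Because the production RMS does not meet the requirements for installing the mobile device extension, I deployed a new Windows 2012 AD FS + AD RMS setup in a test environment.

    Deployment reference: https://technet.microsoft.com/zh-cn/library/dn673574.aspx

          In testing, Office 2016 and earlier on Windows can open protected documents normally, and Office versions earlier than 2016 on Mac can also open them, but Office 2016 for Mac still cannot. The error is different from before, though: this time it does not go to Windows Live ID but prompts to authenticate against the internal RMS server, and after clicking Continue it shows "You do not have permission to open this document".

        In the IIS log on the AD RMS server, opening a rights-protected document in Office 2016 for Mac produces the following error: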

    #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
    2017-01-22 07:09:06 10.0.4.74 GET /my/v1/servicediscovery service=https://adrms.contoso.com/_wmcs/licensing 443 - 10.0.12.94 Microsoft%20Rights%20Management%20Services/1+CFNetwork/760.0.5+Darwin/15.0.0+(x86_64) - 401 5 0 12

    To add to this, here is the log from opening a protected document with Office 2010 for Mac:

    #Software: Microsoft Internet Information Services 8.0
    #Version: 1.0
    #Date: 2017-02-07 01:44:12
    #Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
    2017-02-07 01:44:12 W3SVC1 ADRMS 10.0.4.74 POST /_wmcs/licensing/ServiceLocator.asmx - 443 - 10.0.12.74 HTTP/1.1 Windows+Rights+Management+Client - - adrms.contoso.com 401 2 5 5984 1214 133
    2017-02-07 01:44:21 W3SVC1 ADRMS 10.0.4.74 POST /_wmcs/licensing/ServiceLocator.asmx - 443 - 10.0.12.74 HTTP/1.1 Windows+Rights+Management+Client - - adrms.contoso.com 401 2 5 5984 1214 5
    2017-02-07 01:44:21 W3SVC1 ADRMS 10.0.4.74 POST /_wmcs/licensing/ServiceLocator.asmx - 443 CONTOSO\JARRY 10.0.12.74 HTTP/1.1 Windows+Rights+Management+Client - - adrms.contoso.com 200 0 0 1205 1680 636
    2017-02-07 01:44:21 W3SVC1 ADRMS 10.0.4.74 POST /_wmcs/certification/ServiceLocator.asmx - 443 - 10.0.12.74 HTTP/1.1 Windows+Rights+Management+Client - - adrms.contoso.com 401 2 5 5992 1211 7
    2017-02-07 01:44:21 W3SVC1 ADRMS 10.0.4.74 POST /_wmcs/certification/ServiceLocator.asmx - 443 - 10.0.12.74 HTTP/1.1 Windows+Rights+Management+Client - - adrms.contoso.com 401 2 5 5992 1211 5
    2017-02-07 01:44:22 W3SVC1 ADRMS 10.0.4.74 POST /_wmcs/certification/ServiceLocator.asmx - 443 CONTOSO\JARRY 10.0.12.74 HTTP/1.1 Windows+Rights+Management+Client - - adrms.contoso.com 200 0 0 1187 1677 223
    2017-02-07 01:44:22 W3SVC1 ADRMS 10.0.4.74 POST /_wmcs/certification/MacCertification.asmx - 443 CONTOSO\JARRY 10.0.12.74 HTTP/1.1 Windows+Rights+Management+Client - - adrms.contoso.com 200 0 0 18415 16206 291
    2017-02-07 01:44:22 W3SVC1 ADRMS 10.0.4.74 POST /_wmcs/licensing/publish.asmx - 443 - 10.0.12.74 HTTP/1.1 Windows+Rights+Management+Client - - adrms.contoso.com 401 2 5 5970 16700 5
    2017-02-07 01:44:22 W3SVC1 ADRMS 10.0.4.74 POST /_wmcs/licensing/publish.asmx - 443 - 10.0.12.74 HTTP/1.1 Windows+Rights+Management+Client - - adrms.contoso.com 401 2 5 5970 18436 6
    2017-02-07 01:44:22 W3SVC1 ADRMS 10.0.4.74 POST /_wmcs/licensing/publish.asmx - 443 CONTOSO\JARRY 10.0.12.74 HTTP/1.1 Windows+Rights+Management+Client - - adrms.contoso.com 200 0 0 18028 18902 228
    2017-02-07 01:44:23 W3SVC1 ADRMS 10.0.4.74 POST /_wmcs/licensing/License.asmx - 443 - 10.0.12.74 HTTP/1.1 Windows+Rights+Management+Client - - adrms.contoso.com 401 2 5 5970 56585 22
    2017-02-07 01:44:23 W3SVC1 ADRMS 10.0.4.74 POST /_wmcs/licensing/License.asmx - 443 - 10.0.12.74 HTTP/1.1 Windows+Rights+Management+Client - - adrms.contoso.com 401 2 5 5970 56585 23
    2017-02-07 01:44:23 W3SVC1 ADRMS 10.0.4.74 POST /_wmcs/licensing/License.asmx - 443 CONTOSO\JARRY 10.0.12.74 HTTP/1.1 Windows+Rights+Management+Client - - adrms.contoso.com 200 0 0 21242 57051 171
    2017-02-07 01:44:23 W3SVC1 ADRMS 10.0.4.74 POST /_wmcs/licensing/templatedistribution.asmx - 443 - 10.0.12.74 HTTP/1.1 Windows+Rights+Management+Client - - adrms.contoso.com 401 2 5 5996 979 5
    2017-02-07 01:44:23 W3SVC1 ADRMS 10.0.4.74 POST /_wmcs/licensing/templatedistribution.asmx - 443 - 10.0.12.74 HTTP/1.1 Windows+Rights+Management+Client - - adrms.contoso.com 401 2 5 5996 979 3
    2017-02-07 01:44:23 W3SVC1 ADRMS 10.0.4.74 POST /_wmcs/licensing/templatedistribution.asmx - 443 CONTOSO\JARRY 10.0.12.74 HTTP/1.1 Windows+Rights+Management+Client - - adrms.contoso.com 200 0 0 1335 1445 155
    2017-02-07 01:44:23 W3SVC1 ADRMS 10.0.4.74 POST /_wmcs/licensing/templatedistribution.asmx - 443 - 10.0.12.74 HTTP/1.1 Windows+Rights+Management+Client - - adrms.contoso.com 401 2 5 5996 979 3
    2017-02-07 01:44:23 W3SVC1 ADRMS 10.0.4.74 POST /_wmcs/licensing/templatedistribution.asmx - 443 - 10.0.12.74 HTTP/1.1 Windows+Rights+Management+Client - - adrms.contoso.com 401 2 5 5996 979 4
    2017-02-07 01:44:23 W3SVC1 ADRMS 10.0.4.74 POST /_wmcs/licensing/templatedistribution.asmx - 443 CONTOSO\JARRY 10.0.12.74 HTTP/1.1 Windows+Rights+Management+Client - - adrms.contoso.com 200 0 0 1335 1445 95

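    You can compare the two:

    When the Office 2016 for Mac client opens a rights-protected document, the URL it requests is https://adrms.contoso.com/_wmcs/licensing, and the server returns the error 401 5 0 12.

    When the Office 2010 for Mac client opens a rights-protected document, the URL it requests is https://adrms.contoso.com/_wmcs/licensing/ServiceLocator.asmx; I don't know why they differ.

    Also, the agent detected for the new Office client is "Microsoft%20Rights%20Management%20Services", while the client detected for the old Office version is "Windows+Rights+Management+Client".

    Could the experts please help analyze what the cause is? Thank you!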

    柳海宝

    February 13, 2017, 1:12
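
The comparison requested above can be done mechanically. The following Python is an added example, not part of the original post: it parses both log layouts using their `#Fields` lines and reports, per user agent and URI stem, which endpoints never reach an authenticated 200. The function names and the sub-status table are this example's own; the sample lines are copied from the logs in the post.

```python
from collections import defaultdict

# IIS sub-status meanings for HTTP 401 (Microsoft's published IIS status code list).
SUBSTATUS_401 = {"2": "logon failed due to server configuration",
                 "5": "authorization failed by ISAPI/CGI application"}

# Sample input: four entries copied from the post's logs, each under its own #Fields line.
SAMPLE = r"""#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2017-01-22 07:09:06 10.0.4.74 GET /my/v1/servicediscovery service=https://adrms.contoso.com/_wmcs/licensing 443 - 10.0.12.94 Microsoft%20Rights%20Management%20Services/1+CFNetwork/760.0.5+Darwin/15.0.0+(x86_64) - 401 5 0 12
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2017-02-07 01:44:12 W3SVC1 ADRMS 10.0.4.74 POST /_wmcs/licensing/ServiceLocator.asmx - 443 - 10.0.12.74 HTTP/1.1 Windows+Rights+Management+Client - - adrms.contoso.com 401 2 5 5984 1214 133
2017-02-07 01:44:21 W3SVC1 ADRMS 10.0.4.74 POST /_wmcs/licensing/ServiceLocator.asmx - 443 - 10.0.12.74 HTTP/1.1 Windows+Rights+Management+Client - - adrms.contoso.com 401 2 5 5984 1214 5
2017-02-07 01:44:21 W3SVC1 ADRMS 10.0.4.74 POST /_wmcs/licensing/ServiceLocator.asmx - 443 CONTOSO\JARRY 10.0.12.74 HTTP/1.1 Windows+Rights+Management+Client - - adrms.contoso.com 200 0 0 1205 1680 636
"""

def parse_w3c(text):
    """Yield one dict per entry, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):  # skip entries that do not match the schema
                yield dict(zip(fields, values))

def summarize(text):
    """Per (user agent, URI stem): status.substatus sequence and the authenticated user, if any."""
    out = defaultdict(lambda: {"codes": [], "user": None})
    for r in parse_w3c(text):
        key = (r["cs(User-Agent)"].split("/")[0], r["cs-uri-stem"])
        out[key]["codes"].append(f'{r["sc-status"]}.{r["sc-substatus"]}')
        if r["sc-status"] == "200" and r["cs-username"] != "-":
            out[key]["user"] = r["cs-username"]
    return dict(out)

def never_authenticated(text):
    """Endpoints with no authenticated 200: (agent, uri, last code, 401 sub-status meaning)."""
    rows = []
    for (agent, uri), info in summarize(text).items():
        if info["user"] is None:
            status, _, sub = info["codes"][-1].partition(".")
            meaning = SUBSTATUS_401.get(sub, "unknown") if status == "401" else "n/a"
            rows.append((agent, uri, info["codes"][-1], meaning))
    return rows

if __name__ == "__main__":
    for row in never_authenticated(SAMPLE):
        print(*row, sep=" | ")
```

On the sample, the older client's 401.2, 401.2, 200.0 sequence ends with `CONTOSO\JARRY` in `cs-username`, while the `/my/v1/servicediscovery` request is the only endpoint reported, with 401.5 and no username.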

All replies