No Logged on Office Users are configured for Information Rights Management (IRM)

Hi, this is a short blog post to share with you an issue I faced with Office 365 and IRM (RMS: Rights Management Service).

My mailbox is hosted in Office 365, and Outlook 2016 is showing the “No Logged on Office Users are configured for Information Rights Management (IRM)” error when I try to use IRM.

IRM and Outlook and Office 365

This is a reported issue, and Microsoft has a registry fix that you can apply to your Outlook to solve it. Here is the fix in this link.

By Ammar Hasayen. Posted in RMS.

RMS Client not working after Office 2013 June Patch KB3054774

If you applied June Patches for Office 2013, you may encounter a problem that happened to me. I am running Windows 8.1, Office 2013 with June 2015 Office patches.

Suddenly, RMS (Rights Management Services) stopped working on my machine. If I open Outlook and try to send an RMS-protected email, I am not able to do so.

Moreover, I receive the error below when I try to use RMS from Office 2013:

“Sorry, something went wrong opening Information Rights Management protected content. A certificate is missing or has an empty value for an important field, such as a subject or issuer name”.

It seems that the reason is that I have this Office 2013 June patch installed on my machine (KB3054774). Uninstalling this patch should immediately solve this problem. I have an open case with Microsoft to try to investigate this error. They recreated the environment that I have and they had the same error. Still waiting for them to get back to me.

How Microsoft Rights Management Service RMS works

A user logs on to the machine and contacts RMS to get a RAC (Rights Account Certificate), which identifies the user in the RMS system. The RAC contains both a public key and a private key, and is sent to the client in encrypted form using the machine public key. RACs are:

o Unique per user per application

o Needed when CLCs and use licenses are needed

Now we have two scenarios:

· A user is using an RMS-enabled application that can issue RMS publishing licenses: in this case the user contacts RMS and provides his RAC, and RMS issues a Client Licensor Certificate (CLC). This CLC contains both the internal and external URL of the RMS licensing server that is needed when consuming the document. The application can then use this CLC to publish content without having to contact the RMS server each time.

· A user is using an RMS-enabled application that cannot issue RMS publishing licenses: in this case no CLC is issued to the user, and the user must contact RMS each time a protected document is created. The RMS server issues a publishing license for each document online.

When a publishing license is created, it contains the rights applied to the document along with the symmetric key used to encrypt the document. All of this is encrypted with the RMS public key, which ensures that only the RMS server can decrypt the content and issue a use license.

A publishing license is signed by the private key of the issuing server or by the private key of the client licensor certificate (in the case of offline publishing). The publishing license contains the internal and external URL of the licensing server that should be contacted to get the use licenses needed to open the document.

When other users need to access the protected document, they use the internal and external URL in the publishing license to contact the RMS licensing server. Only users with a trusted RAC whose names appear on the publishing license can get a use license.

Who can enroll for a RAC

Any user that:

1. Can discover the RMS server

2. Can provide a user account with a mailbox or email attribute

How users can discover RMS servers

1. Domain-joined machines with AD connectivity use the SCP in AD

2. Registry overrides

3. If the user consumes a protected document, the publishing license carries the external and internal URLs of the RMS server.

Who can publish protected content?

Any user with a valid trusted RAC and CLC, whether or not he has RMS connectivity and whether or not he can discover RMS servers, since he can publish the document offline (if the RMS application supports offline publishing).

Who can consume the content?

Any RMS content a user receives carries the publishing license. The publishing license contains the internal and external URLs of the RMS licensing server.

If the user can then provide a valid account (with a mailbox or email attribute), the user will enroll for a RAC if he does not already have one, and will get access to the document. If the user already has a valid RAC or a trusted RAC from Microsoft .NET services, RMS will issue a use license immediately.

Example:

A home machine, never joined to the domain, with Internet access only. A company user logs on to the machine and opens an RMS-protected email. The email carries a publishing license that points to the RMS server; the user is prompted for a username and password by the company's published RMS services, is enrolled for a RAC, and is issued a use license for that email.
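The enrollment, publishing and use-license decisions described above can be traced in a small Python model. This is an added example, not Microsoft's code or part of the original post: the function names, the rights dictionary and the URLs are assumptions, and a symmetric seal (SHA-256 keystream plus HMAC) stands in for encryption with the RMS public key and for the license signature.

```python
import hashlib, hmac, json, os

SERVER_KEY = os.urandom(32)  # stand-in for the RMS server key pair (assumption)
TRUSTED_RACS = set()         # ids of RACs this server has issued

def _stream(key, nonce, n):
    # SHA-256 counter keystream: toy stand-in for public-key encryption
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]

def _seal(key, data):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def _open(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("publishing license failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def enroll_rac(email):
    # A RAC is issued only to an account with a mailbox/email attribute
    if not email:
        raise PermissionError("account has no mailbox/email attribute")
    rac = {"user": email.lower(), "id": os.urandom(8).hex()}
    TRUSTED_RACS.add(rac["id"])
    return rac

def publish(content_key, rights, urls):
    # Publishing license: rights + content key sealed so only the server reads them;
    # the licensing URLs stay in the clear so any consumer can find the server
    body = json.dumps({"key": content_key.hex(), "rights": rights}).encode()
    return {"urls": urls, "sealed": _seal(SERVER_KEY, body)}

def issue_use_license(pl, rac):
    # Server side: trusted RAC first, then the user must be named in the license
    if rac["id"] not in TRUSTED_RACS:
        raise PermissionError("RAC not trusted")
    body = json.loads(_open(SERVER_KEY, pl["sealed"]))
    granted = body["rights"].get(rac["user"])
    if not granted:
        raise PermissionError("user not named in publishing license")
    return {"user": rac["user"], "rights": granted, "key": bytes.fromhex(body["key"])}
```

The consumer never sees the rights list or the content key until the server has checked both the RAC and the name on the license, which is why a recipient on a non-domain machine only needs the URLs in the publishing license and valid credentials.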