Troubleshooting issues with Microsoft Information Protected (MIP) files

Here's a list of common problems with MIP PDF files and troubleshooting steps to resolve the issues. 

Troubleshooting issues with opening PDF files protected by MIP

  1. Clear MIP credentials.

    Note.

    See the steps to clear MIP credentials in the section How to download Acrobat debugging and customization tools.

  2. Check the integrity level of the Microsoft folder.

    1. Right-click the Microsoft folder and navigate to the Security tab.

    2. Select the Advanced option.

    3. Ensure that the Integrity level is set to "Low Mandatory" as depicted in the screenshot.

      Integrity level

    4. Perform the following steps if the integrity isn't at "Low Mandatory Level."

      1. Open the command prompt.

      2. Run the command icacls <fullpath> /setintegritylevel L (where <fullpath> is “C:\Users\<username>\AppData\LocalLow\Microsoft”).

  3. Run the workflow again to verify the change.
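The integrity-level check from step 2 can be scripted by parsing the output of `icacls <fullpath>`. The following is an added example, not Adobe's code. It assumes English-language `icacls` output, the sample outputs are constructed, and the function names are hypothetical.

```python
import re
import subprocess

# icacls prints an explicit mandatory label as an extra ACL entry, for example
#   Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)
# A folder with no explicit label prints no such entry and is treated as Medium.
LABEL_RE = re.compile(
    r"Mandatory Label\\([\w ]+?) Mandatory Level:((?:\([A-Z,]+\))*)"
)

def integrity_label(icacls_output):
    """Return (level, flags) for the explicit mandatory label, or None."""
    m = LABEL_RE.search(icacls_output)
    if m is None:
        return None
    return m.group(1), re.findall(r"\(([A-Z,]+)\)", m.group(2))

def needs_low_label(icacls_output):
    """True when the folder is not explicitly at Low Mandatory Level."""
    label = integrity_label(icacls_output)
    return label is None or label[0] != "Low"

def fix_command(path):
    """The command from step 2.4 of the page, filled in for one folder."""
    return f'icacls "{path}" /setintegritylevel L'

def check_folder(path):
    """Run icacls on a real folder (Windows only) and report the result."""
    out = subprocess.run(["icacls", path], capture_output=True,
                         text=True, check=True).stdout
    return needs_low_label(out)

# Constructed sample outputs (user name "alice" is a placeholder).
SAMPLE_LOW = r"""C:\Users\alice\AppData\LocalLow\Microsoft NT AUTHORITY\SYSTEM:(OI)(CI)(F)
    BUILTIN\Administrators:(OI)(CI)(F)
    Mandatory Label\Low Mandatory Level:(NW)
"""
SAMPLE_MEDIUM = SAMPLE_LOW.replace("Low Mandatory Level:(NW)",
                                   "Medium Mandatory Level:(OI)(CI)(NW)")
SAMPLE_UNLABELLED = "\n".join(SAMPLE_LOW.splitlines()[:2]) + "\n"
```
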

AADSTS50020: User account 'user@domain.com' from the identity provider (IdentityProviderURL) does not exist in the tenant (ResourceTenantName). It cannot access the application 'cad2910c-3b55-4610-ba7e-dda581063c91'(Adobe Acrobat Reader) in that tenant. The account must be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

  1. Set both bEnablePolicyAuthentication and bShowDMB to 0 under the “MicrosoftAIP” section. After you apply these registry settings, users won't see the applied MIP label on the current file. bEnablePolicyAuthentication disables authentication in Azure AD.

While opening an MIP protected PDF, you see the following message that prompts for user consent.

Error dialog

See General Availability of Adobe Acrobat Reader Integration with MIP to disable the consent prompts for users.

Try the following steps.

  1. Close the Acrobat or Reader app.

  2. Set the value of the registry entry “bSilentAuth” under [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\<product>\<track>\FeatureLockDown] to dword:00000000.

    This registry setting enables the authentication prompts that come from the OS and, by default, are disabled in Acrobat.

  3. Open Acrobat or Reader app.

Try the following steps.

  1. Close Acrobat or Reader.

  2. Ascertain if the issue occurred when the Sandbox was enabled or disabled.

  3. Clear MIP credentials, and then reopen the file to verify.

    Note.

    See the steps to clear MIP credentials in the section How to download Acrobat debugging and customization tools.

  4. If the issue continues, contact Adobe.
    Share the following details with MIP developers:

    • Acrobat and MIP version.
    • Are you facing the issue when Sandbox is disabled or enabled?
    • Enable MIP logging.
    • Share the logs from “%APPDATA%\..\LocalLow\Microsoft\RMSLocalStorage” and “%APPDATA%\..\Local\Microsoft\RMSLocalStorage”.
    • Share the Fiddler logs.
    • Attach the video of the workflow for better clarity.

Plug-in related questions

“%APPDATA%\..\LocalLow\Microsoft\RMSLocalStorage” and “%APPDATA%\..\Local\Microsoft\RMSLocalStorage”. Microsoft maintains the cache. Therefore only Microsoft can confirm if the size of the cache is large.

  • Adobe Reader: cad2910c-3b55-4610-ba7e-dda581063c91
  • Adobe Acrobat: 97bd680b-f203-4917-a342-308a3de4094a

Open the attached file in Notepad or any text editor, and find the tag /Filter /MicrosoftIRMServices /MicrosoftIRMVersion 1/PublishingLicense.

No authentication library is used. The plug-in uses Acrobat’s internal implementation of OAuth2.

Yes, Acrobat desktop app works as a public client.

Yes, files can be viewed offline if the files are opened earlier, and the app refreshes the token silently.

Acrobat uses Microsoft’s MIP SDK to open MIP protected files. The version does not work completely in an offline environment. If a user tries to open any new MIP protected file for the first time, the file doesn’t open. If the file was opened earlier, it may open because MIP SDK caches policy information.

Adobe implements the OAuth2 framework in a simple manner. An Iframe is used to render the authentication URL. The URL is provided by the MIP SDK whenever a resource is accessed. The URL is rendered inside the Iframe. Authentication servers control any redirections that exist. After the process completes, the access token and refresh token are returned and are cached if the user permits. The access token is then passed to the MIP SDK whenever requested. The refresh token is used to silently acquire a new access token when the previous token expires.

A dialog is displayed prompting the user to store the credentials. If the user declines, no token is stored on the disk. In that case, the user must enter their credentials every time they open Acrobat or Reader.

Credentials Dialog

Tokens are stored in an encrypted file on the user’s machine inside the “C:\Users\<username>\AppData\Roaming\Adobe\Acrobat\<track>\Security” folder. 

On Windows, the tokens are protected using DPAPI – CryptProtectData, and on macOS, these tokens are stored in a keychain.

Tokens are stored in a secure environment. Even if the same file is copied to another machine, it won’t work there. This infrastructure of securely storing tokens is used for other important workflows that require information to be stored securely.

Acrobat/Reader cannot open PDF files protected with SharePoint. It only supports MS IRM version 2 (MIP or AIP) protected documents. In contrast, the IRM-protected PDF document from SharePoint uses MS IRM version 1, which the Acrobat or Reader MIP plug-in doesn’t support. For more information, see SharePoint-Compatible PDF readers that support Microsoft Information Rights Management services.
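The text-editor check described above (finding the `/Filter /MicrosoftIRMServices /MicrosoftIRMVersion` tag) and the version 1 versus version 2 support statement can be combined into one scan. This is an added example, not Adobe's or Microsoft's code. The sample bytes are constructed, the function name and result strings are hypothetical, and it assumes a version 2 file carries the same key with the value 2.

```python
import re
import sys

# Tag quoted on the page:
#   /Filter /MicrosoftIRMServices /MicrosoftIRMVersion 1/PublishingLicense
FILTER_RE = re.compile(rb"/Filter\s*/MicrosoftIRMServices\b")
VERSION_RE = re.compile(rb"/MicrosoftIRMVersion\s*(\d+)")
WINDOW = 512  # bytes searched on each side of the filter name (assumption)

def classify_pdf(pdf_bytes):
    """Classify raw PDF bytes by the IRM filter and version they declare."""
    m = FILTER_RE.search(pdf_bytes)
    if m is None:
        return "not-irm"
    # Key order inside a PDF dictionary is not fixed, so look on both sides.
    start = max(0, m.start() - WINDOW)
    v = VERSION_RE.search(pdf_bytes, start, m.end() + WINDOW)
    if v is None:
        return "irm-version-missing"
    version = int(v.group(1))
    if version == 2:
        return "irm-v2-supported"      # MIP or AIP, per the page
    if version == 1:
        return "irm-v1-unsupported"    # SharePoint IRM, per the page
    return f"irm-v{version}-unknown"

# Constructed fragments; the PublishingLicense value is a placeholder.
SAMPLE_V1 = (b"%PDF-1.7\n5 0 obj\n<< /Filter /MicrosoftIRMServices "
             b"/MicrosoftIRMVersion 1/PublishingLicense (placeholder) >>\nendobj\n")
SAMPLE_V2 = SAMPLE_V1.replace(b"IRMVersion 1", b"IRMVersion 2")
SAMPLE_REORDERED = (b"<< /MicrosoftIRMVersion 2 /PublishingLicense (placeholder) "
                    b"/Filter/MicrosoftIRMServices >>")
SAMPLE_PLAIN = b"%PDF-1.7\n5 0 obj\n<< /Filter /FlateDecode /Length 0 >>\nendobj\n"

if __name__ == "__main__":
    # Usage: python classify_irm.py file1.pdf file2.pdf ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, classify_pdf(fh.read()))
```
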

How to download Acrobat debugging and customization tools

  1. Download and install the Fiddler tool from the location https://www.telerik.com/download/fiddler.

  2. Open Fiddler.

  3. Go to File > Capture Traffic and enable the option to capture traffic. Alternatively, press the F12 key.

  4. Navigate to Tools > Options > HTTPS > Decrypt HTTPS traffic, and enable HTTPS decryption.

  5. Launch Acrobat, and open the MIP protected file.

  6. Share the Fiddler logs.

  1. Open Acrobat, and go to Edit > Preferences. Alternatively, press Ctrl+K.

  2. From categories, select Security (Enhanced).

  3. Deselect (or select if earlier deselected) the option Enable Protected Mode at startup (Preview).

  4. Select Yes, and then select OK to confirm.

  5. Relaunch Acrobat to apply the changes.

  1. Open Acrobat or Reader, and go to preferences.

  2. Navigate to Edit > Preferences > Security.

  3. Under Microsoft Azure Information Protection, select Clear remembered account information.

  4. Close Acrobat, and then relaunch Acrobat and try opening a MIP file.

Key: Computer\HKEY_CURRENT_USER\SOFTWARE\Adobe\<product>\<track>\MicrosoftAIP
Value: bEnableLogging
Data: 1
