A user can still open an IRM-protected email message after you remove the user from the associated AD RMS rights policy template in an Exchange Server 2010 environment

Article ID: 2600034

SYMPTOMS

Consider the following scenario:
  • You configure the Active Directory Rights Management Services (AD RMS) service in a Microsoft Exchange Server 2010 environment.
  • You use the Information Rights Management (IRM) feature on the Exchange Server 2010 server that has the Client Access server role installed.
  • You create an AD RMS rights policy template that has the "Request a new use license every time content is consumed" option enabled. You assign the rights to a user group.
  • You send an IRM-protected email message that uses the RMS template to a user who is a member of the group.
  • The user can open the email message successfully by using Microsoft Office Outlook or by using Microsoft Outlook Web App (OWA).
  • You remove the user from the group.

In this scenario, the user can still open the email message by using Outlook or OWA.

CAUSE

This issue occurs because the Exchange server pre-fetches the use license and caches it in a property of the email message.

Therefore, the Exchange server does not honor the NoLicCache flag that is set for the "Request a new use license every time content is consumed" option.
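
The caching behavior described above can be sketched as a small model. This is an added example, not code from Exchange or AD RMS: the class and function names and the user "alice" are hypothetical, and the licensing check is reduced to a group-membership test.

```python
# Simplified model of the caching issue; names are hypothetical, not Exchange or AD RMS code.
from dataclasses import dataclass, field

class AccessDenied(Exception):
    """Raised when the licensing check refuses to issue a use license."""

@dataclass
class Template:
    allowed_group: set          # current members of the rights group
    no_lic_cache: bool = True   # models the NoLicCache flag on the template

@dataclass
class Message:
    template: Template
    cached_license: dict = field(default_factory=dict)  # user -> use license

def issue_use_license(template, user):
    """Licensing side: group membership is evaluated at request time."""
    if user not in template.allowed_group:
        raise AccessDenied(user)
    return f"use-license:{user}"

def prefetch(message, user):
    """Server pre-fetches a use license and stores it in a message property."""
    message.cached_license[user] = issue_use_license(message.template, user)

def open_ignoring_flag(message, user):
    """Behavior described under CAUSE: the cached license is always reused."""
    cached = message.cached_license.get(user)
    return cached or issue_use_license(message.template, user)

def open_honoring_flag(message, user):
    """Expected behavior: with the flag set, request a fresh license each time."""
    cached = message.cached_license.get(user)
    if cached and not message.template.no_lic_cache:
        return cached
    return issue_use_license(message.template, user)

def can_open(opener, message, user):
    try:
        return bool(opener(message, user))
    except AccessDenied:
        return False

def scenario(user="alice"):  # constructed sample user
    """Replay the SYMPTOMS steps: protect, pre-fetch, remove from group, reopen."""
    msg = Message(Template({user}))
    prefetch(msg, user)
    msg.template.allowed_group.discard(user)
    return can_open(open_ignoring_flag, msg, user), can_open(open_honoring_flag, msg, user)
```

In this model, scenario() returns a pair: whether the removed user can still open the message when the flag is ignored, and whether they can when it is honored.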

RESOLUTION

To resolve this issue, install the following update rollup:
2645995 Description of Update Rollup 1 for Exchange Server 2010 Service Pack 2

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

For more information about AD RMS, visit the following Microsoft website:
General information about AD RMS
For more information about how to create a new rights policy template, visit the following Microsoft website:
General information about how to create a new rights policy template
For more information about IRM, visit the following Microsoft website:
General information about IRM
For more information about how to enable or disable IRM on Client Access servers, visit the following Microsoft website:
General information about how to enable or disable IRM on Client Access servers

Properties

Article ID: 2600034 - Last Review: February 13, 2012 - Revision: 1.0
APPLIES TO
  • Microsoft Exchange Server 2010 Service Pack 2, when used with:
    • Microsoft Exchange Server 2010 Enterprise
    • Microsoft Exchange Server 2010 Standard