Поделиться через


Windows Media DRM Individualization Best Practices

 

Windows Media DRM Team

Microsoft Corporation

December 2004

 

Applies to:

   Microsoft® Windows Media® Format SDK

   Microsoft Windows Media Digital Rights Management

 

Summary: Provides practical advice for application developers about the digital rights management (DRM) individualization process.

 

Contents

Introduction

Overview of the Windows Media Digital Rights Management Services

About the Individualized DRM Component

Implementing Individualization in Custom Applications

   Getting Information About the DRM Component

   Determining When to Individualize

   Displaying a Privacy Message

   Initiating Individualization

   Individualization Status Messages

   Showing Individualization Progress

   Individualization Time-out

   Canceling Individualization

   Implementing Individualization Retries

   Logging Individualization Information

   Individualization Network Issues

Common Questions About Individualization

   What Circumstances Can Trigger Individualization?

   Can Individualization Be Forced?

   Why Does the Player Connect to Unfamiliar Web Sites When Playing Content?

   Can the DRM Component on a Computer Be Reset?

   How Long Does Individualization Take?

   Does a User Need an Administrator Account to Perform Individualization?

   Can the Installation Directory Be Changed?

Error Code Reference

Troubleshooting Individualization

For More Information

Introduction

The Windows Media® Format software development kit (SDK) documentation describes how to upgrade the security of the digital rights management components in a process called individualization. The SDK documentation for the methods of the IWMDRMReader interface includes methods that implement individualization. This document describes the individualization process in greater detail. It includes information about how to create a robust implementation that includes error handling and retries. It also addresses potential problems in the process and describes how you can avoid or mitigate them.

Overview of the Windows Media Digital Rights Management Services

Microsoft provides a number of online services that support Windows Media® digital rights management (DRM). Applications built by using the objects of the Windows Media Format SDK can use these services when implementing DRM support. This section describes the online DRM services. Only the individualization service and the Indiv-IT Web site are described in detail in this document. The other services are listed here only to provide an overview of the services available.

Individualization Service

The individualization service facilitates individualization, which is the process of updating the DRM components on the client computer and encrypting the DRM component to make it unique. When a computer is individualized, the DRM components are tied to the computer and will not be able to decode content on any other computer. The updated DRM components are contained in a package that is often referred to as the individualized DRM component.

As newer versions of the DRM components are released, a computer can be individualized again to upgrade to the newer components. When a computer is individualized, updates are made to a configuration file so that the client can continue to access content that is protected by licenses associated with previous versions of the DRM components.

This article provides details about using the individualization service.

Secure Clock Service

This is a new service for Windows Media DRM 10. It enables a device to synchronize its time-of-day clock with an accurate and reliable time source at Microsoft.

The secure clock service is similar to Windows® time source (time.windows.com). Unlike Windows time source, the secure clock service uses the HTTP protocol instead of NTP. It is also secured from spoofing and replay attacks.

Backup and Restore Service

The backup and restore service enables users to back up DRM licenses and restore them from the backup to another computer. Backing up licenses enables the user to rebuild a computer or get a new computer without needing to reacquire all of the licenses that were on the old computer.

The number of computers to which licenses can be restored is limited. The count is verified with the online service as part of the license restoration process.

Indiv-IT Web Site

The Indiv-IT Web site lets the user initiate individualization manually. The ability to manually force individualization from the client is required because the current implementation of DRM does not enable a license server to force individualization directly. If a user tries to acquire content from a service that requires a higher version of the DRM component than the one installed on the user's computer, the user can be redirected to the Indiv-IT Web site.

About the Individualized DRM Component

The Windows Media® Format SDK includes a DLL known as the DRM component. This obfuscated DLL contains the code that is used to implement DRM features. The same version of the DRM component is installed on every computer that installs the SDK. When you load the DLL for the first time it generates a private/public key pair that will be used in DRM operations such as requesting licenses.

An individualized DRM component is one that has not only generated a unique private/public key pair, but one in which the DLL obfuscation has been customized so that the obfuscated DLL is unique to the computer. Every computer that has been individualized has a unique DRM component DLL file. This is called an individualized DRM component. An individualized DRM component is more secure than the standard DRM component because the DLL can be used only on the computer that was used during the individualization process.

Implementing Individualization in Custom Applications

This section describes how you should implement individualization in your custom application. For descriptions of the interfaces and methods, see the Windows Media® Format SDK documentation.

Getting Information About the DRM Component

Each DRM component has a version number associated with it (sometimes called the security version). For example, as of this writing, the Windows Media Format 9.5 SDK installs a DRM component with a security version of 2.3.0.0.

DRM-protected content is assigned a minimum individualized security version. The DRM client code will not attempt to play DRM content unless the DRM component security version is higher than or equal to the value in the content. In addition, content that has a minimum individualized security version set will play only if the DRM component is individualized, regardless of the version.

Getting the Security Version

A license server can get the security version of the DRM component DLL on a client computer by calling the IRMGetLicense::GetDRMSecurityVersion method. (See the Windows Media Rights Manager SDK documentation.) The version number contains four digits separated by periods, such as 2.3.0.1. The last digit indicates whether the machine had been individualized. If the last digit is odd, the computer has been individualized. If the last digit is even, the client is using the preinstalled DRM component, which is not individualized.

The following examples show how the security version is stored.

Security version Description
2.3.0.0 The computer has version 2.3 of the default DRM component installed, but it has not been individualized.
2.4.0.1 The computer has been individualized with version 2.4 of the individualized DRM component.

The version numbers assigned to the default DRM component installed with the Windows Media Format SDK are not the same as the version numbers assigned to individualized components. The version number of a DRM component that has not been individualized might be higher than the version number of the latest individualized DRM component. Because the numbers have different progressions, you should not compare the first two digits of a default DRM component with those of an individualized security requirement of protected content. If content has a minimum security requirement assigned to it, that version number refers to the versioning of the individualized DRM component.

You cannot access the security version installed on the computer by using the objects of the Windows Media Format SDK. Instead, the DRM components will compare the version of the DRM component with the required version set in the header of the protected file (the DRM_DRMHeader_IndividualizedVersion property described in the Windows Media Format SDK). If the installed version does not meet or exceed the requirement, the DRM components will generate a WMT_NEEDS_INDIVIDUALIZATION status event. An application should respond to that event by asking the user whether individualization should be performed.

You can get information about the latest individualized DRM component version by visiting the Windows Media Rights Manager Individualization Information page.

Determining When to Individualize

Your application can force individualization at any time by calling the IWMDRMReader::Individualize method of the Windows Media Format SDK. Some client applications individualize the DRM component during installation or enrollment.

You should trap the WMT_NEEDS_INDIVIDUALIZATION status message in your implementation of the IWMStatusCallback::OnStatus callback method. For example, this message is sent when the reader attempts to open a file that requires a newer version of the DRM component than is installed on the client computer.

You should also individualize the DRM component if your application uses Windows Media DRM 10 for Portable Devices and the installed version is earlier than 2.4. This is because individualization may be required during device synchronization, and the user might not monitor the synchronization progress. Individualizing the DRM component prevents having the user walk away from the computer after initiating device synchronization only to return and find an individualization verification message waiting. For more information about determining whether individualization is required for device synchronization, see the documentation for the Windows Media Device Manager SDK.

Displaying a Privacy Message

Individualization modifies the user's computer. For this reason, your application must display a message that explains what individualization does, and it must provide the user with the option not to individualize.

The following text is displayed in a dialog box by Windows Media Player 10 before it initiates individualization:

A security upgrade is required to play this file. Do you want to download this upgrade?

Upgrading may take a few minutes.

The dialog displayed by Windows Media Player also provides a link to a Web page with more information.

You must include a similar message in your application. Refer to the Windows Media Format SDK license agreement for more information about your obligations for getting user consent.

Initiating Individualization

You can initiate individualization by calling the IWMDRMReader::Individualize method provided by the Windows Media Format SDK. The DRM components contact the online service and complete individualization.

As mentioned in the previous section, you must inform the user and get consent before individualizing.

Individualization Status Messages

Individualization status is communicated to your application through your implementation of the IWMStatusCallback::OnStatus callback method. Each individualization status event is identified by the WMT_INDIVIDUALIZE member of the WMT_STATUS enumeration.

The data passed to OnStatus for individualization events is a WM_INDIVIDUALIZE_STATUS structure that contains information about the progress of the individualization procedure.

The OnStatus callback method is invoked under any of the following circumstances:

  • When individualization is initiated. In this case the enIndiStatus member of the WM_INDIVIDUALIZE_STATUS structure is set to INDI_BEGIN.
  • When data has been received from the individualization server. For the Windows Media Format 9 Series SDK and earlier, the DRM components send a status message after receiving units of 64 kilobytes. If you are using the Windows Media Format 9.5 SDK, status is sent after receiving units of 4 kilobytes. In this case, the enIndiStatus member of the WM_INDIVIDUALIZE_STATUS structure is set to INDI_DOWNLOAD.
  • When the data is downloaded and installation of the new DLL begins. In this case, the enIndiStatus member of the WM_INDIVIDUALIZE_STATUS structure is set to INDI_INSTALL.
  • If network communications time out. For more information on network time-outs, see Individualization Time-out. In this case the enIndiStatus member of the WM_INDIVIDUALIZE_STATUS structure is set to INDI_FAIL.
  • If a network error occurs. For example, the Internet connection might be reset, causing an ERROR_INTERNET_CONNECTION_RESET error code to be sent in a status message.
  • When individualization is successfully completed. In this case the enIndiStatus member of the WM_INDIVIDUALIZE_STATUS structure is set to INDI_SUCCEED.
  • When the individualization is cancelled. In this case the enIndiStatus member of the WM_INDIVIDUALIZE_STATUS structure is set to INDI_CANCEL.

Showing Individualization Progress

Because individualization can take up to several minutes, you should track and display progress. Your application will receive repeated WMT_INDIVIDUALIZE messages through your implementation of the IWMStatusCallback::OnStatus callback method. The pValue parameter of each message references a WM_INDIVIDUALIZE_STATUS structure that contains progress information. You can derive the percentage of individualization complete by using the following algorithm:

((WM_INDIVIDUALIZE_STATUS.dwHTTPReadProgress * 100) / WM_INDIVIDUALIZE_STATUS.dwHTTPReadTotal)

It is possible for the dwHTTPReadTotal member to be zero while the DRM components establish communications with the server. You should always check this value to avoid dividing by zero.

Individualization Time-out

If the DRM components do not receive any data from the individualization server for a span of time equal to a set value, the individualization will fail with an HRESULT code of 0x800C2EE2 (ERROR_INTERNET_TIMEOUT). This and all other error codes related to individualization are returned in the hr member of the WM_INDIVIDUALIZE_STATUS structure.

The value that specifies the time-out threshold depends on the version of the Windows Media Format SDK that you are using for your application.

The Windows Media Format 9 Series SDK and previous versions have a threshold of one hour. This value is not configurable.

The Windows Media Format 9.5 SDK has a default threshold of one minute. This value can be configured with the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\InternetReceiveTimeout registry setting. This setting is a REG_DWORD value that contains the time-out in milliseconds.

Another potential cause of Internet time-out is the connection time. If a minute passes during which the DRM components are unable to connect to the individualization server, you will get a time-out error. This threshold is not configurable.

Custom Time-out Logic

You can build a separate time-out routine into your application. You can track elapsed time in your implementation of the OnStatus callback or on a separate thread. After the elapsed time exceeds whatever limit you specify, cancel the individualization and either display an error message or prompt for a retry.

Canceling Individualization

To cancel the individualization process, call the IWMDRMReader::CancelIndividualization method at any time after calling IWMDRMReader::Individualize. The call to CancelIndividualization is asynchronous and will return immediately. When the cancellation is complete, the DRM components will set the enIndiStatus member of the WM_INDIVIDUALIZE_STATUS structure to INDI_CANCEL in a message sent to your implementation of the OnStatus callback.

The cancellation does not generate its own status message. Instead, the verification of the cancellation is included with the next message sent. For a list of the circumstances that generate messages, see Individualization Status Messages.

If, due to network issues, no data is received from the individualization service, you might not receive a message with the INDI_CANCEL status member until the time-out message is received. If you are using the Windows Media Format 9 Series SDK or an earlier version, the time-out interval is set to one hour, so your application might not receive this message before it is shut down.

Unexpected behavior may occur if you terminate the thread on which individualization is running while individualization is in process. You should always call the CancelIndividualization method to cancel individualization that is already in progress.

Implementing Individualization Retries

Your application should implement a retry mechanism to improve the success rate of individualization attempts. Individualization can fail because of network glitches. Retrying can often remedy this kind of error.

To retry, simply call IWMDRMReader::Individualize again after the prior attempt fails.

Your application should examine the error code generated by a failed individualization attempt before attempting a retry. In some cases, the error is caused by network configuration or connectivity. These types of errors are not likely to be overcome by a retry. For more information about individualization errors, see Error Code Reference.

If the error code does not rule out a retry, you should provide the user with information about the error and give the option to retry or to cancel.

When you call the Individualize method to start a retry attempt, you might get the NS_E_DRM_INDIVIDUALIZING error code. If this happens, you must release the IWMDRMReader interface and start over.

Logging Individualization Information

You should log information relevant to individualization attempts for use in troubleshooting. The log can be stored on the local computer or sent to a log server. It is recommended that your application store a local log file even if you collect logs on a server, in case there are connectivity issues.

The following information should be noted in any log files you create:

  • Start time and date as well as the duration of the individualization attempt
  • HRESULT value from the hr member of the WM_INITIALIZE_STATUS structure sent with the final WMT_INDIVIDUALIZE message to your OnStatus callback implementation
  • Operating system version
  • Version of the Windows Media Format SDK runtime (wmvcore.dll) on the client computer
  • DRM security version before individualization
  • Whether the client is connecting through a proxy
  • Proxy name (if the client connects through a proxy)

Individualization Network Issues

The networking operations involved in individualization are handled by the DRM components on the client computer. The issues listed in this section may cause problems during individualization.

Proxy Configuration

The client DRM components use the same proxy settings as Internet Explorer. They do not use the streaming proxy configurations set in Windows Media Player.

Proxy Authentication

The client DRM components do not support authentication. An individualization request might fail if a proxy server challenges the client for user credentials. This problem can be mitigated in one of two ways:

  • Prompt the user to configure Internet Explorer to enable automatic logon. The attempt may still fail if the proxy server requires credentials other than the current user account.
  • Use remoting technology such as ISA firewall client. This type of software passes credentials out of band.

Proxy HTTPS Support

The client DRM components use HTTPS to send the individualization request. If HTTPS is blocked by a proxy, individualization will fail.

Proxy Servers and SSL

The client DRM components use a certificate issued by a default trust certification authority to verify the Microsoft Individualization server. However, some "Web acceleration" proxy services do not allow a direct Secure Sockets Layer (SSL) connection between the client and server. Such a proxy service has one SSL session with the client and another SSL session with the server. In this case the proxy server's SSL certificate must be valid and trusted by a root authority that is registered in the user's certificate store. If the proxy server's certificate is not trusted by the user's root authority, individualization might fail. The DRM client components do not prompt the user to use untrusted or expired certificates. This may require the user to manually add the proxy's certificate authority (CA) certificate.

If possible, "Web accelerator" proxy services should be disabled to avoid these problems.

System Clock and SSL

If the time-of-day clock on the client computer is set incorrectly, certificates may appear to be expired. This can lead to SSL problems which can cause individualization to fail.

Certificate Revocation List Server

Windows networking components may contact a certificate revocation list (CRL) server to verify that certificates have not been revoked. This is part of the HTTPS protocol. Individualization can fail if there are problems accessing the CRL server.

Common Questions About Individualization

This section provides answers to some common questions about individualization. Some of the questions are about implementing individualization and others are intended to help provide information to users.

What Circumstances Can Trigger Individualization in Windows Media Player?

When using Windows Media® Player, individualization can be triggered by any of the following actions:

  • Attempting to play content with a security version rated higher than the DRM component version that is installed on the client computer.
  • Attempting to play protected content for which no license is present on the client computer. During the license acquisition process, the license server checks the security version of the DRM component installed on the client computer. If the license server requires the client to have a higher security version, it can redirect the client to the Microsoft Indiv-IT Web site or a similar site administered by another organization.
  • Attempting to restore licenses with a higher security version than the version of the DRM component installed on the client computer.

In addition to the preceding actions, Windows Media Player 10 also triggers individualization under several new circumstances:

  • Attempting to synchronize DRM content to a device with a security version rated higher than the DRM component installed on the client computer.
  • Attempting to play protected content with a chained license. License chaining is a new feature in Windows Media DRM 10 that is not backward compatible with previous versions of the DRM component.
  • Attempting to play protected content with a license that requires metering. Metering is a new feature in Windows Media DRM 10 that is not backward compatible with previous versions of the DRM component. Individualization is required in this case regardless of the required security version of the content, so even if the license for the file lists a lower security version, the new DRM component must be installed to support metering.

Can Individualization Be Forced?

A user can force individualization by visiting the Microsoft Indiv-IT Web site. This site uses an embedded Windows Media Player to play back content that requires the latest available security version. If the client computer does not have the latest version DRM component, the individualization process will start. The content used by this site is a file containing one second of silence; users should not assume that an error has occurred when no sound is played.

Why Does the Player Connect to Unfamiliar Web Sites When Playing Content?

The client DRM components sometimes attempt to connect to particular Web sites when performing certain DRM functions, including individualization. Most notably the following URLs might be accessed when attempting to verify certificates for certificate revocations:

The DRM components might connect to other URLs to verify certificates if required by certificates or licenses.

Some network communications to unknown sites that take place during DRM operations occur because of the Windows networking routines that the DRM component uses.

Can the DRM Component on a Computer Be Reset?

The client DRM component maintains all necessary DRM-related files and registries on the client computer. However, the DRM component might need to be reset in the following cases:

  • DRM files are corrupted or related registries have been modified incorrectly
  • To clear DRM files and settings from a computer for test purposes

Resetting, or cleaning, DRM components removes all licenses and some other DRM-related files from the computer. The DRM components are reverted to the state they were in after the Windows Media Format SDK redistributables were installed. Some online music stores, if they are configured on the computer, might stop working after a reset. Such services must be reinstalled to restore them to working order.

Microsoft can provide a command-line tool called CleanDrm.exe that resets DRM components. To get a copy of this tool, contact your Windows Media licensing representative. If an end user encounters corrupted or incorrectly configured files or registries, the problem should be fixed in coordination with the Microsoft support team. The CleanDrm.exe tool is not intended as a solution for general use.

How Long Does Individualization Take?

At the time of this writing, the package that is downloaded during individualization is about 250 kilobytes in size. To download it from the individualization server with a 56k dial-up modem can take over a minute. After it is downloaded, the installation should take only a few seconds.

Does a User Need an Administrator Account to Perform Individualization?

Individualization can be performed when the user is logged in as an administrator or as a normal user. A user cannot individualize while the computer is running under a guest account.

Can the Installation Directory Be Changed?

The client downloads the DRM component to the directory indicated by the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\DataPath registry value. By default, this value points to the %AllUserProfile% directory. It can be changed to any other directory for which the user has write access. You should make sure that the current user has write access to a directory before changing the value to that directory.

Microsoft recommends that the installation directory for DRM components should not be changed.

End users or administrators might customize a computer by moving the "All Users" directory to another path or partition. After changing the directory in this way, the DRM data path registry value should be changed accordingly. Otherwise, the client components will try to download the DRM individualized component to the old directory, which might no longer exist.

Error Code Reference

The following table lists the error codes that you might encounter during individualization along with a description and recommended action for each.

Error constant Error code Description and
recommended action
ERROR_DIRECTORY 0x8007010B The directory name is not valid.

You should display an error message in response to this error.

ERROR_FILE_CORRUPT 0x80070570 The file or directory is corrupted and unreadable.

You should display an error message in response to this error.

ERROR_INTERNET_CANNOT_CONNECT 0x800C2EFD The attempt to connect to the server failed.

When this error is returned, you should display an error message and prompt the user to check network connectivity.

ERROR_INTERNET_CONNECTION_ABORTED 0x800C2EFE The connection with the server has been terminated.

You should usually retry individualization in response to this error.

ERROR_INTERNET_CONNECTION_RESET 0x800C2EFF The network connection was reset. This error is returned when network connectivity is reset during the individualization process.

You should usually retry individualization in response to this error.

ERROR_INTERNET_INVALID_CA 0x800C2F0D The client computer does not recognize the Certificate Authority that generated the server's certificate. This error can occur when the client is using a proxy server and the proxy server creates one session between the proxy and the client and another session between the server and the proxy, instead of establishing a single session between client and server. It usually means that the certificate of the proxy server is not trusted by the user's root authority.

When this error is returned, you should display an error message and prompt the user to change the proxy settings or to install the certificate used by the proxy server.

ERROR_INTERNET_NAME_NOT_RESOLVED 0x800C2EE7 The server name could not be resolved. This could be because of an invalid proxy or because the DNS lookup failed.

You should usually retry individualization in response to this error.

ERROR_INTERNET_OPERATION_CANCELLED 0x800C2EF1 The individualization process was canceled by the user or by your application.

You should display a warning in response to this error.

ERROR_INTERNET_SEC_CERT_DATE_INVALID 0x800C2F05 The date of an SSL certificate is not valid. This error usually occurs because the system clock on the client computer is not valid.

When this error is returned, you should display an error message and prompt the user to check the system clock.

ERROR_INTERNET_SEC_CERT_REV_FAILED 0x800C2F19 The revocation of a security certificate failed.

You should display an error message in response to this error.

ERROR_INTERNET_TIMEOUT 0x800C2EE2 The request has timed out. For more information, see Individualization Time-out.

You should usually retry individualization in response to this error.

ERROR_INVALID_ACCESS 0x8007000C The client has been individualized too many times. There is a practical limit of 20 individualizations per DRM 10 client component. Further individualization attempts will fail.
NS_E_DRM_ALREADY_INDIVIDUALIZED 0xC00D2729 The client attempted to individualize even though the DRM component is already individualized.

When this error is returned, you should display a message to notify the user.

NS_E_DRM_BUSY 0xC00D2841 The DRM subsystem is locked by another application. Try again later.

When this error is returned, you should display an error message and prompt the user to close all other Windows Media–based applications or restart the computer.

NS_E_DRM_CHECKPOINT_FAILED 0xC00D277F The license store or related configuration is corrupted. This secure store protection error only occurs in rare circumstances.

When this error is returned, you should display an error message and contact Microsoft product support.

NS_E_DRM_CLINET_CODE_EXPIRED 0xC00D2847 The application is expired. This error occurs when the user is running a version of client software that has an expiration date, such as a beta version of a media player application.

When this error is returned, you should display an error message and prompt the user to install a current version of the software.

NS_E_DRM_ENUM_LICENSE_FAILED 0xC00D271B License storage is not working.

When this error is returned, you should display an error message and contact Microsoft product support.

NS_E_DRM_ERROR_BAD_NET_RESP 0xC00D275E The specified server cannot perform the requested operation.

You should display an error message in response to this error.

NS_E_DRM_INDIV_SERVICE_UNAVAILABLE 0xC00D2845 The individualization server is not available. Try again later.

You should display an error message in response to this error.

NS_E_DRM_INDIVIDUALIZATION_INCOMPLETE 0xC00D274C A problem occurred during the individualization process. Try again later.

You should display an error message in response to this error.

NS_E_DRM_INDIVIDUALIZING 0xC00D272C Another individualization attempt is in progress. Only one attempt can be active at a time. The attempt in progress may be stalled.

When this error is returned, you should display an error message and prompt the user to close all other Windows Media–based applications or restart the computer.

NS_E_DRM_INVALID_APPLICATION 0xC00D2711 A problem has occurred in the DRM components.

When this error is returned, you should display an error message and contact Microsoft product support.

NS_E_DRM_INVALID_SECURESTORE_PASSWORD 0xC00D2751 A problem has occurred in the DRM components.

When this error is returned, you should display an error message and contact Microsoft product support.

NS_E_DRM_LICENSE_STORE_ERROR 0xC00D2712 License storage is not working.

When this error is returned, you should display an error message and contact Microsoft product support.

NS_E_DRM_SECURE_STORE_ERROR 0xC00D2713 Secure storage is not working. If you are using a pre-release version of the Windows Media Format 9.5 SDK you should upgrade to the final version, which contains a bug fix related to this error.

When this error is returned, you should display an error message and contact Microsoft product support.

NS_E_DRM_SECURITY_COMPONENT_SIGNATURE_INVALID 0xC00D2760 The individualization process resulted in an incorrectly signed component.

When this error is returned, you should display an error message and contact Microsoft product support.

NS_E_DRM_UNABLE_TO_INITIALIZE 0xC00D271D A problem has occurred in the DRM components. If you are using a pre-release version of the Windows Media Format 9.5 SDK you should upgrade to the final version, which contains a bug fix related to this error.

When this error is returned, you should display an error message and contact Microsoft product support.

NS_E_ERROR_FROM_PROXY 0xC00D2EE4 The client DRM components received a proxy server error.

You should display an error message in response to this error.

NS_E_INSUFFICIENT_DATA 0xC00D00CA This error usually indicates that the DRM component was obtained from the individualization server, but that an error occurred when communicating with the crypto server.

You should usually retry individualization in response to this error. If this error is consistently generated, you should contact Microsoft product support.

NS_E_OFFLINE_MODE 0xC00D0BCA The DRM components were unable to connect to the network because it is in the offline state.

When this error is returned, you should display an error message and prompt the user to activate the network connection.

NS_E_PROXY_TIMEOUT 0xC00D2EE5 The proxy server timed out.

You should usually retry individualization in response to this error.

NS_E_SERVER_ACCESSDENIED 0xC00D2EFB The server is preventing access. This may be due to credentials.

You should display an error message in response to this error.

NS_E_SERVER_UNAVAILABLE 0xC00D2EE6 The client connected to the server, but the server is unable to respond.

You should display an error message in response to this error.

NS_E_WMP_SERVER_INACCESSIBLE 0xC00D1198 The DRM components could not connect to the server. This error usually indicates that the server is not available or that the proxy server does not allow HTTPS.

You should display an error message in response to this error.

TRUST_E_CERT_SIGNATURE 0x80096004 The signature of the certificate cannot be verified.

You should display an error message in response to this error.

Troubleshooting Individualization

If your customer reports an individualization issue, you should check the items listed in this section, based on the error code. These are among the most common causes of problems with individualization. You can use these items when handling customer support calls.

Network Connectivity and Proxy Settings

Verify that the user is connected to the Internet during the individualization process.

If the user is using a proxy server, you should verify that it is properly configured. To work properly, the proxy server should:

  • Not block HTTPS
  • Require authentication
  • Use an untrusted certificate for SSL communications with the client

To identify these issues more easily, you can set up an HTTPS Web site using a certificate issued by a trusted root certification authority, which is installed on the user's computer by default. The user should not see any authentication dialog or untrusted certificate dialog pop-ups when accessing this Web site.

Installation Path

Verify that the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\DataPath registry value is set to %AllUserprofile%. If the registry value is set to another directory, the user might have moved the "All users" directory to a different location and the old DRM directory might no longer exist.

Permissions

Verify that the user has read/write permission for the directory and files located in the installation path.

Disk Space

Verify that the user has enough space on the hard disk to perform the individualization process. The actual amount of space required for individualization varies with versions of the individualized component. You should verify that the disk has at least one megabyte of free space.

User Account

Verify that the user is not logged in with a guest account. Individualization should not be initiated if the computer is running under a guest account.

System Clock

Verify that the system clock on the user's computer is set correctly.

For More Information