Acrobat + Microsoft Information Protection (MIP) - Double Key Encryption (DKE)

Signaler · Jun 12, 2023

We just applied Microsoft Double Key Encryption (DKE), with a corresponding Sensitivity label. It works fine with Word and the MS Unified Labeling Client / Viewer. However, when trying to open a DKE-labelled file with Adobe Acrobat Pro, we get the error attached ("Double Key Consumption is Disabled").

No documentation whatsoever anywhere about this message. Google says "no results found".

By reverse-engineering (text search) the binaries of Acrobat and the libraries of the plug-ins (mip_protection_sdk.dll, mip_core.dll, mip_upe_sdk.dll), it seems to me that the libraries themselves support double key encryption. The basic Microsoft Dotnet API seems to have a "flighting" feature to enable it (https://learn.microsoft.com/it-it/dotnet/api/microsoft.informationprotection.flightingfeature).

The question is if Adobe Acrobat has a kind of flag somewhere (Windows registry? maybe at Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown) to enable this.

Any ideas anyone?

Many thanks in advance!

Kind regards

Thanos S.

Could you please advise how we can enable the possibility to view DKE-labelled files in Acrobat? Thanks

Signaler · Feb 17, 2025

Hello, i had the same issue and this was the solution:
Suggestions:
1. double-check on registry setting as given in link (bEnableDKEAdmin set to 1)
https://helpx.adobe.com/in/enterprise/kb/mpip-support-acrobat.html#setup-requirements-double-key-enc...
2. Also add Acrobat application client id in your DKE setup on Azure portal (portal.azure.com)
NOTE-More specifically Microsoft has suggested to do step 13 under section “Register your key store” on following link
>https://learn.microsoft.com/en-us/purview/double-key-encryption-setup#register-your-key-store

>You need to add Acrobat clientIds in those steps (Point a). That should permit AAD to issue tokens to your apps.
1. Acrobat Client id: "97bd680b-f203-4917-a342-308a3de4094a"

Voir la solution dans l'envoi d'origine

Signaler · Jun 13, 2023

Hi @Athanassios25384468b2r5 ,

Moving this thread to the Acrobat community for further assistance.

Signaler · Jul 19, 2023

Hi! I'm very keen on hearing about DKE integration with Adobe. Where can I follow the discussion and latest updates from the Adobe side?

Signaler · Jul 20, 2023

I haven't heard anything new. Adobe Enterprise Support reported

Hi Admin,

Greetings from the Adobe Enterprise Support team!
As informed after checking with product experts, we only support MIP. Currently DKE is not supported by Acrobat / Reader

Signaler · Nov 24, 2023

Hi,

are there any news about this?
Is DKE still not supported?

Signaler · Oct 30, 2024

found this one in the documentation... but it doesnt work for me.. 😞
https://helpx.adobe.com/enterprise/kb/mpip-support-acrobat.html#setup-requirements-double-key-encrpy...

Signaler · Nov 01, 2024

Hi @ivo_6417,

Hope you are doing well. Thanks for writing in!

When you mention not working for you, any specific error you see when trying to use MPIP?

It would help us understand the issue better and assist with proper troubleshooting steps.

Can you ensure that the Double Key Encryption is set up for the user using the steps mentioned here: Set up Double Key Encryption (DKE) | Microsoft Learn?

Look forward to hearing from you.

-Souvik

Signaler · Dec 11, 2024

Yes i got this Error:
Error 2024-12-11 12:58:21.680 double_key_protection_request_transformer.cpp:93

MSRMSPIBroker (8476) "DoubleKeyProtectionRequestTransformer::CreateReplayRequest - Double key feature is disabled Failed with: [InternalError: 'Unrecognized exception']"

mipns::DoubleKeyProtectionRequestTransformer::CreateReplayRequest

3040

Signaler · Dec 11, 2024

and everything with MIP and DKE in our Enviroment worked fine... i can open every PDF with the AIP Viewer...
Just issues with Adobe Acrobat

Signaler · Dec 11, 2024

Thanks, @ivo_6417, for the details.

Any possibilities of sharing Fiddler logs with us?

More info available here: How to collect a network trace | Microsoft Learn

-Souvik

Signaler · Dec 12, 2024

yes i can do... what format would you like? i can not upload saz files here..
https://file.io/8I9cvfRZ6tSu

Signaler · Dec 12, 2024

Thanks, @ivo_6417,

That works. Let me take this up with the team and get back to you.

-Souvik

Signaler · Dec 16, 2024

Hi @ivo_6417,

An update: We have logged a ticket for the team to investigate further.

I will keep you updated through the thread with further info as and when I get it.

Thanks,
Souvik

Signaler · Dec 16, 2024

@ivo_6417, Would you mind sharing MIP logs with us?

To share MIP logs:

Turn on Registry: HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\DC\MicrosoftAIP

"bEnableLogging"=dword:00000001
Log path: "C:\Users\<username>\AppData\Local\Microsoft\RMSLocalStorage\msrmsLog.txt"

MIP SDK log: ( "C:\Users\<username>\AppData\Local\Microsoft\RMSLocalStorage\mip\logs\mip_sdk.miplog"

Also, try the same with Sandbox mode off ( Preferences -> Security(Enhanced) -> Turn off Enable Protected Mode at startup). Restart Acrobat and try.

Look forward to hearing from you.

-Souvik

Signaler · Dec 18, 2024

Hey @S. S i generated Log Files today and uploaded here: https://file.io/lZrlyPliV19M

Signaler · Dec 18, 2024

if i disable potected Mode i got a diffrent error message:

Signaler · Dec 18, 2024

@ivo_6417

Thanks! Forwarded this to the devs for investigation.

-Souvik

Signaler · Jan 07, 2025

any News?

Signaler · Jan 13, 2025

Hi @ivo_6417,

This is in progress.

Since it's a relatively new feature in Acrobat, the team is still investigating it, and updates about it should be available soon.

I'll check on this with the team and get back to you at the earliest.

-Souvik

Signaler · Dec 19, 2024

I do not get the exact same error, however we see the warning: "Double key consumption is disabled"
We've worked through the setup guide: https://helpx.adobe.com/enterprise/kb/mpip-support-acrobat.html#setup-requirements-double-key-encrpy... without any resolution - same warning with all registry keys enabled, except the Sovereign Cloud key.

Any input is welcome.

// Extensive experience with Microsoft Double Key Encryption

Signaler · Jan 19, 2025

Hi @Martin G R,

Hope you are doing well. Sorry for the trouble.

Would you mind sharing the below info:

Please share the screenshot of registry setting.
Please create and share logs as mentioned in following steps:
Turn Sandbox mode off: ( PreferencesàSecurity(Enhanced)àTurn off Enable Protected Mode at startup).

Clear MIP credentials:
Preferences-> Security-> Microsoft Purview Information Protection-> Clear remembered account information

Exit Acrobat
Set Registry for MIP logging:
1. Turn on Registry: HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\DC\MicrosoftAIP
2. "bEnableLogging"=dword:00000001
Start screen recording.
Launch Acrobat. Apply Double key encryption label. Exit Acrobat
Share the following items:
1. Screen Recording
2. Zip the folder for logs: C:\Users\<username>\AppData\Local\Microsoft\RMSLocalStorage
3. registry screenshot from Point 1 above

-Souvik

Signaler · Jan 20, 2025

Hi
I will do that asap. Meanwhile, someone in Microsoft forums mentioned that it's only available for paid versions of Adobe - is that the case?

// Extensive experience with Microsoft Double Key Encryption

Signaler · Feb 03, 2025

@Martin G R This shouldn't be the case.

I checked the help article and it has mentions of both Acrobat and Acrobat Reader.

Please share the details asked, and we can check better at our end.

Thanks,

Souvik

Signaler · Feb 17, 2025

Hello, i had the same issue and this was the solution:
Suggestions:
1. double-check on registry setting as given in link (bEnableDKEAdmin set to 1)
https://helpx.adobe.com/in/enterprise/kb/mpip-support-acrobat.html#setup-requirements-double-key-enc...
2. Also add Acrobat application client id in your DKE setup on Azure portal (portal.azure.com)
NOTE-More specifically Microsoft has suggested to do step 13 under section “Register your key store” on following link
>https://learn.microsoft.com/en-us/purview/double-key-encryption-setup#register-your-key-store

>You need to add Acrobat clientIds in those steps (Point a). That should permit AAD to issue tokens to your apps.
1. Acrobat Client id: "97bd680b-f203-4917-a342-308a3de4094a"

Signaler · Feb 18, 2025

Way to go Adobe! This (bEnableDKEAdmin set to 1) worked for me and I can finally open DKE-protected PDFs in Adobe Acrobat!