- DRM Overview
- Certificate Enrollment Guide
- Adobe Primetime DRM SDK 5.3.1
- DRM Quick-Start Guide
- Adobe Primetime Cloud DRM Quick-Start Guide
- What is included with Primetime Cloud DRM
- What is NOT supported by Primetime Cloud DRM
- Prerequisites
- Packaging options
- Test the packaged content
- Triaging errors
- Custom authentication/entitlement
- Adobe Primetime authentication (Optional)
- Creating custom DRM policies (Optional)
- Update existing DRM content to use Cloud DRM (Optional)
- Streaming to Xbox360 (Optional)
- Using the Adobe Primetime DRM Key Server
- Adobe Primetime DRM Secure Deployment Guidelines
- Multi-DRM Workflows
- Multi-DRM Workflows
- Primetime DRM Cloud Quick-start
- Workflows: Package, License, and Play
- Multi-DRM Workflow for FairPlay
- Multi-DRM Workflow for Widevine and PlayReady
- Package your content with Bento4
- Package your content with Adobe Offline Packager
- Using Output Protection Policies
- Client Key Request workflow overview
- Expressplay tokens
- Key request workflow on Android PSDK
- Key request workflow on HTML5 TVSDK
- Device Binding
- Generic Workflows
- Feature Topics
- ExpressPlay license token request / response reference
- Migrating from Access to Multi-DRM
- Glossary
- Adobe Primetime DRM On Premises Individualization Server Guide
- Primetime DRM Server for Protected Streaming 5.3.1
- About Adobe Primetime DRM Server for Protected Streaming
- About usage rules
- Requirements
- Understanding Deployment
- Deploying the Adobe Primetime DRM Server for Protected Streaming
- Java system properties
- About Adobe Primetime DRM credentials
- HSM configuration
- Setting up the License server configuration files
- Crossdomain DRM policy file
- Custom authorization extensions
- Performance tuning
- Upgrading the Adobe Primetime DRM Server for Protected Streaming
- Running the DRM Server for Protected Streaming
- Packaging content
- DRM Server for Protected Streaming utilities
- Using the Adobe Primetime DRM SDK for Protecting Content - 5.3.1
- What is new in Adobe Primetime DRM
- Usage rules and Authentication
- Runtime and application restrictions
- Allow list for Primetime DRM applications allowed to play protected content…
- Allow list for Adobe® Flash® Player SWFs
- Block list of DRM Clients restricted from accessing protected content
- Block list of application runtimes
- Minimum security level for DRM and runtimes
- Device capabilities required to play protected content
- Jailbreak enforcement (requires Adobe Primetime DRM)
- Other DRM policy options
- Device Group Domain Registration
- Output protection controls
- Packaging Options
- Setting up the SDK
- Work with DRM policies
- Package media files
- Pre-generating and embedding licenses
- Implement a License Server
- Overview
- License Server deployment options
- Process Adobe Primetime DRM requests
- Handle Get Server Version requests
- Handle Domain Registration requests
- Handle Domain De-Registration requests
- Handle License Return requests
- Handle authentication requests
- Handle license requests
- License chaining
- Handle synchronization requests
- Handle FMRMS compatibility
- Handling certificate updates when Adobe-issued certificates expire
- Performance tuning
- Revoke client credentials
- Create video players
- Resolution-Based Output Protection 5.3.1
- Adobe Primetime DRM Reference Implementations 5.3.1
- About the reference implementations
- Typical workflow
- Command-line tools
- Configure and run the command-line tools
- DRM Media Packager
- DRM Policy Update List Manager
- DRM Revocation List Manager
- DRM License Generator
- DRM License Embedder
- AIR Publisher ID utility
- License server
- Configuration
- Deploy the license server
- Troubleshooting
- Check whether the license server started properly
- Determining if Reference Implementation License Server runs properly
- Implementing the usage models
- Domain registration
- Migrate from FMRMS 1.0 or 1.5 to Adobe Primetime DRM 2.0 or later
- Upgrade existing deployments
- Adobe Primetime TVSDK-DRM Workflow
- TVSDK-DRM client-side workflow overview
- Primetime DRM content protection options
- Primetime DRM on the client
- Primetime DRM license server
- License acquisition process overview
- License acquisition process details
- Pre-loading licenses for offline playback
- Using the DRMStatusEvent class
- Using the DRMAuthenticateEvent class
- Using the DRMErrorEvent class
- Using the DRMManager class
- Using the DRMContentData class
- Out-of-band licenses
- Device domain support
- License preview
- Delivering content
- DRM Client Error Message Reference
- Using Adobe Access DRM With an External Key Management System
- Use the Adobe Access Server for Protected Streaming
- About Adobe Access Server for Protected Streaming
- Usage rules
- Requirements
- Deploying the Adobe Access Server for Protected Streaming
- License server configuration files
- Crossdomain policy file
- Custom authorization extensions
- Performance tuning
- Upgrading the Adobe Access Server for Protected Streaming
- Updating configuration files
- Packaging content
- Adobe Access Server for Protected Streaming utilities
- Adobe Access Secure Deployment Guidelines
- Introduction to Network Topology
- Vendor-specific security information
- Physical security and access
- Packaging and protecting content
- Protect and issue licenses
- Consuming locally generated CRLs
- Consuming CRLs published by Adobe
- Generating CRLs to supplement those published by Adobe
- Rollback detection
- Machine count when issuing licenses
- Replay protection
- Maintain an allow list of trusted content packagers
- Timeout for authentication tokens
- Overriding policy options
- Pre-generating licenses
- Managing Domains
- An Overview of Adobe Access SDK
- Using the Adobe Access SDK for Protecting Content
- Introduction
- User authentication
- Time-based rules
- Runtime and application restrictions
- Allow list for Adobe® Primetime applications allowed to play protected content
- Allow list for Adobe® Flash® Player SWFs allowed to play protected content
- Block list of DRM Clients restricted from accessing protected content
- Block list of application runtimes restricted from accessing protected content
- Minimum security level for DRM and runtimes
- Device capabilities required to play protected content
- Jailbreak Enforcement (requires Adobe Primetime)
- Other policy options
- Output protection controls
- Packaging Options
- Setting up the SDK
- Working with policies
- Packaging media files
- Pre-generating and embedding licenses
- Implementing the License Server
- Processing Adobe Access requests
- Processing Adobe Access requests
- Using machine identifiers
- User authentication
- Replay protection
- Rollback detection
- Global server configuration data
- Crossdomain policy file
- Handling Get Server Version requests
- Handling Domain Registration requests
- Handling Domain De-Registration requests
- Handling License Return requests
- Handling authentication requests
- Handling license requests
- Handling license requests
- Generating licenses
- License chaining
- Enhanced License Chaining
- Issuing Domain-bound licenses
- Issuing licenses for remote key delivery to iOS clients (requires Adobe Primetime)
- Minimum Client Version
- License preview
- Identity-based licenses
- Revoking client credentials
- Creating video players
- Adobe Access Reference Implementations
- Overview - Using the reference implementations
- Command line tools for packaging content and creating revocations lists
- Policy Manager
- Media Packager
- Policy Update List Manager
- Revocation List Manager
- AIR Publisher ID utility
- License Generator
- License Embedder
- License server and watched folder packager
- License server and watched folder packager overview
- Requirements
- Building the license server
- Configuration
- Server properties files
- Preparing passwords for the Server properties files
- License server properties file
- Packager properties file
- Watched folder properties
- Setting up the database and configuring the JNDI datasource
- HSM configuration
- Crossdomain policy file
- Deploying the license server and watched folder packager
- Determining if Reference Implementation License Server is running properly
- Implementing the usage models
- Implementing domain registration
- Migrating from FMRMS 1.0 or 1.5 to Adobe Access 2.0 and above
- Upgrading existing deployments
- Set up a domain server
- Flash Access Manager AIR application usage
DRM Client Error Message Reference
The DRM Client errors are a subset of the TVSDK client-side errors, with the DRM-related errors codes ranging from 3300 to 3399.
DRM Client Errors
| Error Code | Mnemonic | Remedy |
|---|---|---|
| 3300 | Invalid Voucher | What the distributor’s software should do:
|
| 3301 | Authentication Failed | The server failed to authenticate or authorize the client.
|
| 3302 | RequireSSL | For Primetime DRM 4.0 and above, this error is thrown on iOS when the remote key URL does not use HTTPS as the scheme. HTTPS is required.
|
| 3303 | ContentExpired | The content you are viewing has expired according to the rules set by the content provider. subErrorId contains a client-specific error or line error.
If possible, customers should check the policy that they used during packaging to see whether it has expired. The Java command line tool is:
|
| 3304 | AuthorizationFailed | The current user is not authorized to view content. Login as a different user. For more information about this error code, see Error code 3301. |
| 3305 | ServerConnectionFailed | The connection to the license or domain servers timed out, either due to network delay or the client being offline. Generally, subErrorId contains the HTTP return code.
|
| 3306 | ClientUpdateRequired | The current client cannot complete the requested action, but an updated client might be able to complete the request. This can have several causes:
If the issue occurs because the metadata version is higher than version 2, the issue is probably corrupted metadata. They can try rebuilding the metadata and looking at the results. If they continue to see the problem, log the issue and escalate to Adobe. For more information about this error code, see How to remedy a 3306 DRMErrorEvent Error code. |
| 3307 | InternalFailure | This generally represents a bug in Primetime DRM code and is unexpected, unless there’s a known bug, as below.subErrorId contains a client-specific error or line error.
|
| 3308 | WrongLicenseKey | This error is thrown whenever the license being used contains the wrong key to decrypt the content. The subErrorIdcontains a client-specific error or line error. There seems to be only two ways of generating this error:
|
| 3309 | CorruptedAdditionalHeader | This will occur if the header is larger than 65536 bytes.
|
| 3310 | AppIDMismatch | Application is not allow listed. Android, iOS, or Flash SWF. subErrorId: 1000942; Error playing protected stream. FAXS error. It is also possible that the client is reporting an empty string for pubID (app Publisher ID). Android: The Android application does not match the one in use. Bear in mind that the directory for the debug keystore in Android is often different than the directory for the release keystore. iOS: See the Allow list your iOS application documentation in the TVSDK iOS guide. |
| 3312 | LicenseIntegrity | Download the license from the server again. |
| 3313 | WriteMicrosafeFailed | This issue occurs when the system cannot write to the file system. subErrorIdcontains a client-specific error or line error. On Microsoft Windows, error 3313 might be thrown by Active X or NPAPI plug flash player when the encrypted content has a licenseID or a policyID that is too long. This is because of the maximum path length in Windows. (Pepper plugin doesn’t have this problem.)
|
| 3314 | CorruptedDRMMetadata | This error often indicates that the content was packaged with test PKI certs, and the player is built with production PKI, or vice versa. The subErrorId contains a client-specific error or line error.
|
| 3315 | PermissionDenied | There are known bugs in which this error code might be thrown when a 3305 is intended. For more information, see Error code 3305. A remote SWF loaded by AIR is not allowed to access Primetime DRM functionality. This error code can also be thrown if a security error occurs during network access. Examples include the destination server does not the client to connect by usingcrossdomain.xml, or the crossdomain.xmlis not reachable. For more information, see DRM error 3315 possible root cause and resolution. |
| 3317 | AAXS_LoadAdobeCPFailed | Important: This is a rare error and usually does not occur in a production environment. If the error does occur, you can do one of the following:
|
| 3318 | IncompatibleAdobeCPVersion | Important: This is a rare error and usually does not occur in a production environment. If the error does occur, you can do one of the following:
|
| 3319 | MissingAdobeCPGetAPI | Important: This is a rare error and usually does not occur in a production environment. If the error does occur, you can do one of the following:
|
| 3320 | HostFailed | Important: This is a rare error and usually does not occur in a production environment. If the error does occur, you can do one of the following:
|
| 3321 | I15nFailed | The process of provisioning the client with keys failed. The subErrorId contains a client-specific, server-specific or line error.
Note: Error 3321:1090519056 might happen with Flash Playerversions 11.1 to 11.6. We recommend that you upgrade to the latest Flash Player version. For more information, see DRM error 3321 Causes & Resolution. |
| 3322 | DeviceBindingFailed | The device does not appear to match the configuration that was present when initialized. subErrorId contains a client-specific or line error. The distributor’s software should complete one of the following tasks:
To resolve this issue, the developer should remove the older build from the device before installing the new build.
If the error occurs frequently, escalate to Adobe. You must notify Adobe whether resetting license store did (or did not) solve the problem and tell Adobe on which browsers the error is occurring. For more information, see the following articles:
|
| 3323 | CorruptGlobalStateStore | Files used by the DRM client have been modified unexpectedly. The subErrorIdcontains a client-specific or line error.
|
| 3324 | MachineTokenInvalid | The license server might not be able to connect to the Certificate Revocation List (CRL) server to refresh its CRL files, or the client machine is requesting a license/authentication that has been revoked by the license server. In the server logs, an Error code 111 isMachineTokenInvalid. However, at the client level, Error code 111 is translated to Error code 3324. The DRM license server adminitrator should check whether the customer’s license server has ever been able to retrieve the Adobe CRL files. If the customer is using Tomcat, the customer can check the tomcat/temp/ directory to see whether there are 4 .CRL files.
If the CRL files are not available or have expired, you must confirm whether the license server can be reached. Open a network sniffer (e.g., Charles or Wireshark) on the customer’s license server, restart the server, and have a client attempt to request a license from the server. You can observe the network traffic to see whether calls to the following URL endpoints are successful: Note: You can also enter the following CRL URLs in a browser to see whether you can manually download each file.
Note: An error might occur when a large number (or a burst) of clients report a 3324 error to a temporary network issue when renewing a CRL file. When the network issue was resolved, the 3324 issues were also resolved. If all 4 of the CRL files exist in thetomcat/temp/ directory, and clients are still getting 3324 errors, there might be file access issues to the CRL files. To resolve this issue, you might want to review the logs and purge the existing CRL files. If there are no server issues, prompt the user to reset as described in Error code 3322. |
| 3325 | CorruptServerStateStore | Files used by the DRM client have been modified unexpectedly. The subErrorIdcontains a client-specific or line error.
|
| 3326 | StoreTamperingDetected | The License store has been tampered with or corrupted and can no longer be used. The distributor’s software should guide the user to reset in the same way as described in Error code 3322. |
| 3327 | ClockTamperingDetected | Fix the clock or acquire a Authn/Lic/Domain license again. |
| 3328 | ServerErrorTryAgain | This is a server-side error where the server was unable to complete the request from the client. This error can occur when, for example, the server is busy, HTTP/500, the server does not have the needed key to decrypt the request, and so on. On the client, there is no way to determine what went wrong. The customer must review the Primetime DRM server log (usually called AdobeFlashAccess.log), to determine what went wrong. There is always a very descriptive stack trace in the log to indicate the problem. The subErrorId contains a server-specific or line error. The distributor should look at server logs to identify which server is sending this error. For 3328 errors that have a sub-error code 101, the server cannot decrypt the request. The customer must validate that the license / transport server certificates that are installed on the license server match and correspond with the certificates that is used during packaging. In addition, if customers are using the Reference Implementation, they must ensure that there are no typos in theflashaccessrefimpl.properties file where the primary and additional certificates are specified. |
| 3329 | ApplicationSpecificError | The application-specific sub-error code is not known to Primetime DRM. The subErrorId contains a server-specific error from the publishers customized license server. The server returned an error in the application-specific namespace. |
| 3330 | NeedAuthentication | This error occurs when the content is configured to ask clients to authenticate before getting the licenses.
|
| 3331 | ContentNotYetValid | The acquired license is not yet valid. To resolve this issue, check whether the client clock is not set correctly. To set the client clock, repackage the content or modify the license server configuration. |
| 3332 | CachedLicenseExpired | Acquire the license from the server again. |
| 3333 | PlaybackWindowExpired | You must notify users that they cannot play this content till the policy expires. |
| 3334 | InvalidDRMPlatform | This platform is not allowed to playback the content because, for example, the content provider has configured Primetime DRM to deny content to Primetime DRMon a platform or a shared domain-bound license is bound to a shared domain token that is meant for a different partition. CDM might throw this error if content was not packaged by using an appropriate (CDM feature gated) packager certification. For more information, see CDM Feature Gating. If the content is packaged with an incorrect PHDS/PHLS certificate, the content might work in Chrome but not other browsers (or vice versa). Note: This is because Chrome uses different PHDS/PHLS certificates. To confirm which certificate is being used, dump the details of the content metadata and look for the recipient certificates. |
| 3335 | InvalidDRMVersion | To resolve this issue, complete one of the following tasks:
|
| 3336 | InvalidRuntimePlatform | This platform is not allowed to playback the content because, for example, the content provider has configured Primetime DRM to deny content to FP/AIR on a platform. |
| 3337 | InvalidRuntimeVersion | This occurs if the content or the server is configured to deny playback to a particular version of the Flash or AIR runtimes.
|
| 3338 | UnknownConnectionType | Unable to detect the connection type, and the policy requires you to turn on Output Protection. This issue is expected only if the content is packaged to require digital or analog output protection. An issue in versions of Flash Player older than version 11.8.800.168 caused error 3338 to occasionally occur on content for which the policy indicated that content protection is USE IF AVAILABLE. This issue has been fixed in version 11.8.800.168 and later.
|
| 3339 | NoAnalogPlaybackAllowed | Unable to play back on analog device. To resolve the issue, connect a digital device. |
| 3340 | NoAnalogProtectionAvail | Unable to play back content because the connected analog external display device (monitor/TV) does not have the correct capabilities (for example, the device does not have Macrovision or ACP). |
| 3341 | NoDigitalPlaybackAllowed | Unable to play back content on a digital device. |
| 3342 | NoDigitalProtectionAvail | The connected digital external display device (monitor/TV) does not have the correct capabilities. For example, the device does not have HDCP. |
| 3343 | Internal Error | This error is currently known to happen initially after a new version of Flash is released. It occurs because Flash upgraded while Flash was open, which puts Flash in a bad state until browser restarts.
|
| 3344 | MissingAdobeCPModule | Part of Flash or AIR was not installed correctly. To resolve this issue, complete one of the following tasks:
|
| 3346 | Migration failed | The distributor’s software should do one of the following:
|
| 3347 | InsufficientDeviceCapabilities | The primary meaning of this error is that the license has a constraint which the clients’ DRM certificate indicates it cannot satisfy. The following “hardware capabilities” are defined when the clients DRM certificate is issued:
The distributors can update the policies and remove the restrictions. For device capability policies, issue the policy update command with the - devCapabilitiesV1flag and no arguments. For jailbreak enforcement setpolicy.enforceJailbreak=false. |
| 3348 | HardStopIntervalExpired | The hard stop interval has expired. |
| 3349 | ServerVersionTooHigh | The server is running at a version that is higher than the highest version that is supported by client. |
| 3350 | ServerVersionTooLow | The server is running at a version that is lower than the minimum version that is supported by client. |
| 3351 | DomainTokenInvalid | Domain token was invalid. To resolve this issue, register with the domain again. |
| 3352 | DomainTokenTooOld | The domain token is older than the token that is required by the license. To resolve the issue, register with the domain again. |
| 3353 | DomainTokenTooNew | The domain token is newer than the token that is required by the license. |
| 3354 | DomainTokenExpired | The domain token has expired. |
| 3355 | DomainJoinFailed | The domain join has failed. |
| 3356 | NoCorrespondingRoot | A root license for a V3 leaf license was not found. |
| 3357 | NoValidEmbeddedLicense | No valid embedded license was found. |
| 3358 | NoACPProtectionAvailable | Cannot play back because the connected analog device does not have ACP protection. |
| 3359 | NoCGSMAProtectionAvailable | Cannot play back because connected analog device does not have CGMSA protection. |
| 3360 | DomainRegistrationRequired | Content requires domain registration. |
| 3361 | NotRegisteredToDomain | The machine is not registered to the domain for the specified metadata. |
| 3362 | OperationTimeoutError | The asynchronous operation took longer than the configured maxOperationTimeout. Note: This error code is only returned by the iOS DRMNative Framework. |
| 3363 | UnsupportedIOSPlaylistError | The M3U8 playlist contains unsupported content, or is missing a required #EXT-X-FAXS-CM DRM Metadata object. Note: This error code is only returned by the iOS DRMNative Framework. |
| 3364 | NoDeviceId | The framework requested the device ID, but the returned value was empty. The framework requested the device ID, but the returned value was empty. In Chrome browser setting, the user should not select the Allow identifiers for protected content check box. |
| 3365 | IncognitoModeNotAllowed | This browser/platform combination does not allow DRM-protected playback in Incognito mode. The distributor’s software should advise the user to exit Incognito mode or use a different browser. For more information, see DRM error 3365 cause and resolution. |
| 3366 | BadParameter | The host runtime called the Primetime DRM library with a bad parameter. |
| 3367 | BadSignature | The M3U8 manifest signing has failed. Note: This error code is only returned by the iOS DRMNative Framework or AVE. |
| 3368 | UserSettingsNoAccess | The user cancelled the operation or has entered settings that disallow access to the system. This error is only thrown in SWF version 19 or later. For backward compatibility, Error code 3321 is thrown for SWF version 18 or earlier. The distributor’s software should guide the user to an explanation of how to allow unsandboxed plugin access. For more information, see Google Chrome’s unsandbox access denied and DRM Error 3322/3346/3368 in Chrome (Info-Bar Problems). |
| 3369 | InterfaceNotAvailable | A required browser interface is not available. This issue occurs only on Pepper. There could be a mismatch between the Flash plugin and the browser version. The distributer’s software should guide the user to ensure that they have the latest version of the browser installed. If the incidences of this error are increasing, and they correspond to a browser update being released,escalate to Adobe. |
| 3370 | ContentIdSettingsNoAccess | The user has disabled the Allow identifiers for protected content setting. Note: This error appeared with Pepper versions 13.0.0.x or greater. The distributor’s software and / or operations team should guide the user to enable the Allow identifiers for protected content setting. For more information, see https://forums.adobe.com/message/6518323#6518323. |
| 3371 | NoOPConstraintInPixelConstraints | Malformed resolution based on output protection constraints in the license. The distributor’s software should display an error message. Ask user to report the problem to the distributor with a content title. The distributor should repackage content with a valid policy. |
| 3372 | ResolutionLargerThanMaxResolution | The content’s resolution is larger than the maximum resolution that is specified in the output-protection constraint. If the distributor’s operations team sees this error in their logs, they should review the resolution-based output protection policy, and if necessary, repackage the content. For more information about resolution-based output protection, see About Resolution-Based Output Protection. |
| 3373 | DisplayResolutionLargerThanConstrain | The content’s resolution is larger than the resolution that is specified by the currently active output-protection constraint. If the distributor’s operations team sees this error in their logs, they should review the resolution-based output protection policy, and if necessary, repackage the content. For more information about resolution-based output protection,see About Resolution-Based Output Protection. |
| 3374 | ClientCommProcessFailed | Failed during client-side communication processing, for example, request generation, response processing, bad auth token, and so on. |
Suberror Code Mapping for 3328
| SubError | Description |
|---|---|
| 100-1000 | Reserved by Adobe’s License Server |
| 10000 - 20000 | Reserved by Adobe’s Individualization Server |
| 20100-21000 | Reserved for the Adobe Xbox keyserver. Errors in this range map to the general Primetime DRM Server SDK Error Message Reference as follows: Xbox keyserver error = DRM Server Error + 0x20000 For example, Xbox Keyserver Error 20202 is equivalent to DRM Server SDK Error 202 |
| 100xxxx | Reserved for Client sub error codes |
On this page
Resources
Adobe Account
Change region
Copyright © 2021 Adobe. All Rights Reserved.
