How to debug for AES encrypted stream in Azure Media Services

Here is some tips to help you debug your stream while configuring AES dynamic encryption in Azure Media Services. Please leave your questions if you don’t find it covered below so I could add yours. I intend to introduce tools to help you easily diagnostic your problem, however, all these steps introduced below can be achieved using APIs as well.

Before going into any of the step below, please double check whether you have at least 1 streaming reserved unit configured. You will need that to proceed with dynamic encryption. The following picture shows the correct setting under Streaming Endpoint tab in your media account:


If you try to ping a dynamic encryption URL without 1 RU configured, you are expected to get 404 for your URL.

1. How to check whether my stream is AES encrypted?

The easiest way is to open your manifest (I am taking Smooth Streaming manifest as an example), and check whether protection header this tag is included. Paste your streaming URL into the browser URL windows, it will prompt you which application you want to open the URL with, choose IE, or notepad. If you see <protectionheader> tag in the manifest like below, your video file is encrypted:



You could also ping the key URL in browser as highlighted above. If you set Open authorization policy on AES key, you will see a 128 bits key shows in browser. If you set Token authorization on your key, then if you ping this key URL directly, you will get 403 error code, which is expected.

2. It says “Custom” under encryption tab in the portal when I set encryption through APIs. Did I do anything wrong?

Probably there isn’t anything you did wrong. When you set Dynamic Encryption through portal, it will apply AES or PlayReady encryption based on your choice onto all streaming protocol (DASH, HLS and Smooth Streaming), and display Dynamic Encryption (Clear Key or PlayReady) under protection column. However, when you set policy through APIs, if there is no single encryption set across all streaming protocols, portal will display “Custom” this message. This is very common that you may set AES on HLS protocol and PlayReady on Smooth Streaming protocol. There is nothing wrong with your setting, but portal just doesn’t have support to display this kind of policy.

Here is another tool I introduce to help you investigate what kind of delivery policy you set on your asset:

Azure Media Explorer Tool: the binary install file is located at
Once you installed this tool, you could browse through your media library. And choose an asset you want to inspect, Right click on the asset and choose display information. Under Delivery Policies tab, you will see all policies that you configured for that asset:


For my asset displayed above, you can see I have one policy configured called “myAssetDeliveryPolicy” and I configured Envelope Encryption (which refers to AES) onto Smooth Streaming and HLS protocols. Since I don’t have DASH configured, it shows Custom in the protection tab.

You could also easily add more delivery policy using this tool. Remember for one particular protocol, there could be one type of encryption method configured. Simply right click on asset, and choose add delivery policy under security tab.

3. Which player should I use to test my AES encrypted Stream?

iOS and Android (native): Safari browser natively supports the decryption of AES encrypted HLS stream, if you set key authorization policy as open. Things get a little tricky if you want to use token authentication with AES encrypted HLS stream, please see my blog to see the workaround.

Flash: Microsoft shipped a Flash OSMF plugin to handle AES encrypted Smooth Streaming for both token and open policy. Here is a link you could test your stream with Another easier way to use Azure Media Services Explorer Tool by right click on your asset, select “playback the asset” and choose “Flash player with token”. You will see both streaming URL and test token are sent to the player as parameter and you could test your stream easily.

DASH: Microsoft shipped Azure Media Player which handles AES encrytped Smooth Streaming with/without token. Please use to test your stream.

4. How could I get a test token to test my stream?

This could be easily achieved using Azure Media Services Explorer. Right Click on the asset, and choose security-> Get test token. You will see a windows pop up like this:


And click on Generate Test token, then the token will be copied into clipboard for you to use. Please note that by default, the token will be expired in an hour from the moment you created, but you can modified End date/time to get token expired earlier or later. Lastly, if you are using asymmetric key, you will need to upload cert in order for this tool to compose token for you.

Please let me know if you have any questions configuring AES dynamic encryption in Azure Media Services. Thanks.

Leave a Reply

Your email address will not be published. Please enter your name, email and a comment.