Error Configuring Federation Gateway on RMS

    Question

  • When I try to federate with the Microsoft Federation Gateway on RMS, I get the following error message:

    Error: AD RMS was unable to authenticate to Microsoft Federation Gateway. The following soap fault has been received from Microsoft Federation Gateway:

    <s:Fault xmlns:s="http://www.w3.org/2003/05/soap-envelope">
      <s:Code>
        <s:Value>s:Sender</s:Value>
        <s:Subcode>
          <s:Value>fm:BadDomainProof</s:Value>
        </s:Subcode>
      </s:Code>
      <s:Reason>
        <s:Text xml:lang="en">Invalid Domain proof certificate
    </s:Text>
      </s:Reason>
      <s:Detail>
        <psf:error xmlns:psf="http://schemas.microsoft.com/Passport/SoapServices/SOAPFault">
          <psf:value>0x80049800</psf:value>
          <psf:internalerror>
            <psf:code>0x80044d03</psf:code>
            <psf:text>The CRL agent failed to retrieve the full CRL.
    '' </psf:text>
          </psf:internalerror>
        </psf:error>
      </s:Detail>
    </s:Fault>

    I am using a Go Daddy certificate and the SAN name contains the name of my external and external URL.

    Wednesday, September 12, 2012 8:50 AM

All replies

  • The CRL agent failed to retrieve the full CRL.

    Seems to me that you cannot download the associated CRL. Can you check whether you can download the CRL mentioned in the CRL Distribution Points extension of the ADFS certificate?

    Regards

    Martin

    Wednesday, September 12, 2012 1:13 PM
  • Hi Martin

    Thanks for the reply. I did check this; the CRL distribution point is

    http://crl.godaddy.com/gds1-76.crl

    I can access and download the file.

    Thanks

    Ben


    Ben Skinner

    Wednesday, September 12, 2012 1:21 PM
  • Did you check

    http://technet.microsoft.com/en-us/library/878e9550-5966-40f3-862c-7ea309ddb0ed#mfg_support

    Especially check if the certificate is issued by Go Daddy Class 2 Certification Authority, and check if the SSL certificate contains a subject alternative name (SAN): the last entry in the SAN list must be the fully qualified domain name of the domain you want to enroll with the Microsoft Federation Gateway.

    Martin

    Wednesday, September 12, 2012 1:31 PM
  • Hi Martin,

    Yes I have checked most of the articles.

    Can you help me with that comment: what is the last SAN name? So if my server was called rms@contoso.com and my internal is rms@contoso.local, is the last SAN name rms@contoso.com or contoso.com?

    Thanks again

    Ben


    Ben Skinner

    Wednesday, September 12, 2012 1:39 PM
  • If you check the certificate you will find something called Subject Alternative Name (SAN) in the extensions. This should include the DNS name you are using when you are connecting to the RMS server. So this can be rms.contoso.com. And if you have multiple domain names in the SAN then the rms.contoso.com should be the last one.

    Martin

    Wednesday, September 12, 2012 1:52 PM
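    The two checks Martin asks for in this thread (that the CRL named in the certificate's CRL Distribution Points extension can actually be downloaded and decoded, and that the RMS FQDN is the last entry in the Subject Alternative Name list, with the issuer shown alongside) can be scripted against the installed ADFS/RMS SSL certificate. The script below is an added example, not code from the thread or from Microsoft; `$Thumbprint` and `$ExpectedFqdn` are placeholders you supply, and it assumes the certificate is installed in `Cert:\LocalMachine\My` on a Windows Server with `certutil.exe` available.

```powershell
<#
  Added example (not from the thread): verify the certificate properties the
  Federation Gateway's "BadDomainProof" check depends on.
  $Thumbprint / $ExpectedFqdn are placeholders you supply.
#>
param(
    [Parameter(Mandatory = $true)] [string]$Thumbprint,     # thumbprint of the ADFS/RMS SSL certificate
    [Parameter(Mandatory = $true)] [string]$ExpectedFqdn    # e.g. rms.contoso.com
)

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My" }
Write-Host "Subject : $($cert.Subject)"
Write-Host "Issuer  : $($cert.Issuer)"   # compare against the issuing CA the gateway documentation expects

# --- 1. Subject Alternative Name (OID 2.5.29.17): the LAST DNS entry must be the RMS FQDN ---
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $sanExt) { throw 'Certificate has no Subject Alternative Name extension' }
# Format($false) renders e.g. "DNS Name=www.contoso.com, DNS Name=rms.contoso.com"
$sanNames = @($sanExt.Format($false) -split ',\s*' | ForEach-Object {
    $parts = $_ -split '=', 2
    if ($parts.Count -eq 2) { $parts[1].Trim() } else { $_.Trim() }
})
Write-Host "SAN entries in certificate order:`n  $($sanNames -join "`n  ")"
if ($sanNames[-1] -ieq $ExpectedFqdn) {
    Write-Host "OK: last SAN entry is $ExpectedFqdn"
} else {
    Write-Warning "Last SAN entry is '$($sanNames[-1])', expected '$ExpectedFqdn'; the certificate needs reissuing with the FQDN last"
}

# --- 2. CRL Distribution Points (OID 2.5.29.31): every URL must serve a CRL that decodes ---
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdpExt) { throw 'Certificate has no CRL Distribution Points extension' }
$crlUrls = [regex]::Matches($cdpExt.Format($true), 'https?://\S+') | ForEach-Object { $_.Value }
foreach ($url in $crlUrls) {
    $tmp = Join-Path $env:TEMP ('cdp-' + [guid]::NewGuid().ToString() + '.crl')
    try {
        Invoke-WebRequest -Uri $url -OutFile $tmp -UseBasicParsing -TimeoutSec 30
        # A "full CRL" must decode as ASN.1; certutil -dump fails on an HTML error page or a truncated file
        $dump = & certutil.exe -dump $tmp 2>&1
        if ($LASTEXITCODE -eq 0) {
            Write-Host "OK: $url -> $((Get-Item $tmp).Length) bytes, decodes as a CRL"
        } else {
            Write-Warning "$url downloaded but does not decode as a CRL:`n$($dump -join "`n")"
        }
    } catch {
        Write-Warning "Could not download $url : $($_.Exception.Message)"
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

# --- 3. Let Windows perform an online revocation walk over the whole chain ---
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(30)
$null = $chain.Build($cert)
$problems = @($chain.ChainStatus | Where-Object { $_.Status -ne 'NoError' })
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning "Chain status: $($_.Status) - $($_.StatusInformation.Trim())" }
} else {
    Write-Host 'OK: full chain built with online revocation checking'
}
```

    Run it as `.\Check-GatewayCert.ps1 -Thumbprint <thumbprint> -ExpectedFqdn rms.contoso.com` from an elevated prompt. Step 3 checks revocation for every certificate in the chain, not only the leaf, because the gateway's CRL agent has to retrieve the CRL for the intermediate CA as well. Note the limit of what this proves: the download and chain build run from your own network, whereas the fault is raised by the gateway's CRL agent on Microsoft's side, so a CRL that you can fetch may still be unreachable or too large for the gateway, which is why escalating to Microsoft, as Ben did, remains the right next step when all three checks pass.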
  • Martin,

    Thanks for the answer. We are talking to Go Daddy, as they append a www DNS entry at the end of the certificate. I will update once I have cleared this up.

    Thanks

    Ben


    Ben Skinner

    Thursday, September 13, 2012 7:36 AM
  • Hi Martin

    Apologies for the delay; Go Daddy took a while to get back to us, then it got escalated, etc.

    I have a SAN certificate now that has the right DNS entry at the bottom of the certificate, and we still get the same error as before.

    I have escalated to MS as well.

    <s:Fault xmlns:s="http://www.w3.org/2003/05/soap-envelope">
      <s:Code>
        <s:Value>s:Sender</s:Value>
        <s:Subcode>
          <s:Value>fm:BadDomainProof</s:Value>
        </s:Subcode>
      </s:Code>
      <s:Reason>
        <s:Text xml:lang="en">Invalid Domain proof certificate
    </s:Text>
      </s:Reason>
      <s:Detail>
        <psf:error xmlns:psf="http://schemas.microsoft.com/Passport/SoapServices/SOAPFault">
          <psf:value>0x80049800</psf:value>
          <psf:internalerror>
            <psf:code>0x80044d03</psf:code>
            <psf:text>The CRL agent failed to retrieve the full CRL.
    '' </psf:text>
          </psf:internalerror>
        </psf:error>
      </s:Detail>
    </s:Fault>


    Ben Skinner

    Tuesday, September 18, 2012 7:14 AM
  • Microsoft are still investigating the issue.

    Ben Skinner

    Monday, September 24, 2012 10:09 AM
  • Ben,

    Any chance you were able to get this resolved?

    Thanks!

    Tuesday, June 25, 2013 7:21 PM