RMS stopped. Users told "only documents created in a signed application can be opened in a signed application"
I hope you can help and that this is the right forum.
We have an RMS 1.0 SP1 server which has stopped working.
Users get "only documents created in a signed application can be opened in a signed application" when trying to protect a document in Word or Outlook, and are unable to open previously protected documents.
C:\Users\username\Local Settings\Application Data\Microsoft\DRM - only has the one file in it, which is DRM-Machine. The .eul, .CLC and .Gic files are missing from this folder.
The server running the RMS has an event ID 82: "the callers machine certificate has a certificate chain that is not valid"
I ran an irmcheck on the local machine which showed "No user Certificate"
I can connect to the RMS server URLs, both licensing and certificate, with no errors and IE shows the zone to be local intranet.
Can anyone see what my problem might be and suggest why the workstations are not getting their certs and allowed protection? What else should I be checking?
It seems the server itself and Windows are still working but not the RMS service. Am I correct?
Have you recently renewed the Server Licensor Certificate? It had to be renewed every year until MS announced it would issue it for 7150 days. (That should give you enough time to migrate to something newer. lol)
SLC validity extended to 7150 days - http://support.microsoft.com/kb/2853958
Thank you for the information. The licensor certificate is set to expire on 26/06/2033, the validity period is 365 days and 15 minutes for temporary certificates.
The current RMS Service Connection Point certification URL is http://<servername>/_wmcs/Certification/Certification.asmx
Everything worked well until the beginning of last week when users progressively lost the ability to protect documents with the error "only documents created in a signed application can be opened in a signed application"
This is a Citrix server environment if it matters.
I am struggling to work out whether it's the server side or the client side. I think it's the server side but I don't know enough about WRMS to be able to troubleshoot further to find the cause. It would be nice to know what the server event ID 82, "the callers machine certificate has a certificate chain that is not valid", means.
As far as I can tell the client creates a DRM-Machine cert which is rejected by the server and no further certs are passed to the client to process documents.
Any further advice would be gratefully received.
- Edited by alsoran1 Monday, December 02, 2013 9:31 AM repeated url
Had the exact same problem as you and same environment with Citrix servers. It even started at the same time. However, upgrading to RMS SP2 solved the problem. Just make sure you back up everything before you start the upgrade process. SP2 can be downloaded from http://www.microsoft.com/en-us/download/details.aspx?id=14329.
Hope this solves your problem as well.
Here is the answer which resolved my situation, I hope it helps yours.
Guybrush-Threepwood, I've marked your post as helpful, as we had installed SP2 but it was not installed correctly, and installing it correctly was part of the solution.
Client began seeing the error:
“Only documents created in a signed application can be opened in a signed application”
On the server we were getting events:
“The callers machine certificate has a certificate chain that is not valid”
Servers running RMS before SP2 can no longer get a valid Server Licensor Certificate.
1. Install RMS v1 SP2 from:
2. Locate and then click the following key in the registry.
For the enrollment URL on x86 versions of Windows Server 2003:
For the enrollment URL on x64 versions of Windows Server 2003:
3. On the Edit menu, point to New, and then click String value.
4. Type EnrollmentURL, and then press Enter.
5. On the Edit menu, click Modify.
6. Type https://activation.drm.microsoft.com/enrollment/enrollservice.asmx, and then click OK.
7. On the Edit menu, point to New, and then click String value.
8. Type CloudGicURL, and then press Enter.
9. On the Edit menu, click Modify.
10. Type https://certification.drm.microsoft.com/certification/certification.asmx, and then click OK.
11. Go into the RMS Web interface and renew the SLC
But our case is totally different, as our instance is installed with RMS SP2 5.2.3790.243 and there is also another SP2 5.2.3790.340. In the 243 instance this solution is not working. We can't upgrade to 340 as it asks to uninstall. Another node installed with 340 we can't join to the cluster, as an error occurs saying the version is different. We don't know how to go about this. Even upgrading to ARMS is not supported from version 243. The call is still open with MS Support.