The Issue: Opening the Active Directory Rights Management Services Console fails with the following error.
You cannot access the AD RMS administration service at this time.

The IIS error log reports an IIS 500 error.

Going to the certification URL fails with HTTP Error 500, error code 0x80070542. This error code is the crucial clue, as it maps to ERROR_BAD_IMPERSONATION_LEVEL (Either a required impersonation level was not provided, or the provided impersonation level is invalid).

The Cause: The IIS_IUSRS group needs the "impersonate a client after authentication" user right. In some cases the AD RMS server has this right managed by a group policy. 

The Resolution: Grant that right to IIS_IUSRS.
Once the user right is properly granted (and applied if group policy) do an "iisreset" on the RMS server. This should resolve the issue.

The AD RMS console error:



The Internet Explorer error and corresponding IIS log error:




The before and after samples of the "impersonate a client after authentication" user right