Issues with Azure Information Protection + RMS Connector + Exchange 2016 Integration

  • Question

  • Please note - all URLs have been obfuscated in this post for anonymity and because my account is not able to post URLs yet (hence the [://]).

    I am experiencing issues with connecting my Azure Information Protection P2 subscription to on-premises services using the RMS connector.

    I have load balanced 3 RMS Connector servers with HTTPS as per AIP documentation here:

    https[://]docs.microsoft.com/en-us/azure/information-protection/install-configure-rms-connector


    I have performed all prerequisite checks and manually applied registry edits on Exchange 2016 servers (running on Server 2012 R2 so Cryptographic Mode 2 req is innately met) as per the documentation here:

    https[://]docs.microsoft.com/en-us/azure/information-protection/configure-servers-rms-connector#configuring-an-exchange-server-to-use-the-connector

    We have never deployed AD-RMS

    I am able to classify and protect content with the AIP PowerShell cmdlets on-prem and use the AIP Scanner.  I have configured and enabled AADRMSuperUser with a service account ServiceAIP, which is the account being used to attempt Set-IRMConfiguration -InternalLicensingEnabled $True, and it is failing.



    When I attempt to run Set-IRMConfiguration -InternalLicensingEnabled $True I get an error on the Exchange server application logs:


     Set-IRMConfiguration 
       -InternalLicensingEnabled "True" 
       mydomain.com/my/directory/path/ServiceAIP
       S-1-5-21-1234567890-1234567890-1234567890-12345 
       S-1-5-21-1234567890-1234567890-1234567890-12345 
       Remote-ManagementShell-Unknown 
       34024 w3wp#MSExchangePowerShellAppPool 

       123 
       00:00:00.0156248 
       View Entire Forest: 'False', Default Scope: 'mydomain.com', Configuration Domain Controller: 'DC.mydomain.com', Preferred Global Catalog: 'DC2.mydomain.com', Preferred Domain Controllers: '{ DC2.mydomain.com }' 
       System.Exception: Server was unable to process request. ---> Attempted to perform an unauthorized operation. ---> Failed to get Server Info from https[://]rmsconnector.mydomain.com/_wmcs/certification/server.asmx. ---> Microsoft.Exchange.Security.RightsManagement.RightsManagementException: Failed to get Server Info from https[://]rmsconnector.mydomain.com/_wmcs/certification/server.asmx. ---> System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> Attempted to perform an unauthorized operation.
          at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
          at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
          at Microsoft.Exchange.Security.RightsManagement.SOAP.Server.ServerWS.GetServerInfo(ServerInfoRequest[] requests)
          at Microsoft.Exchange.Security.RightsManagement.ServerWSManager.ValidateServiceVersion(String featureXPath)
          --- End of inner exception stack trace ---
          at Microsoft.Exchange.Security.RightsManagement.ServerWSManager.ValidateServiceVersion(String featureXPath)
          at Microsoft.Exchange.Management.RightsManagement.SetIRMConfiguration.ValidateRmsVersion(Uri uri, ServiceType serviceType)
          at Microsoft.Exchange.Management.RightsManagement.SetIRMConfiguration.ValidateForEnterprise(IRMConfiguration config)
          at Microsoft.Exchange.Management.RightsManagement.SetIRMConfiguration.InternalValidate()
          --- End of inner exception stack trace ---
          at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
          at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
          at Microsoft.Exchange.Management.RightsManagement.SetIRMConfiguration.InternalValidate()
          at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
          at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)
       7 
       Microsoft.Exchange.Security.RightsManagement.RightsManagementException: Failed to get Server Info from https[://]rmsconnector.mydomain.com/_wmcs/certification/server.asmx. ---> System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> Attempted to perform an unauthorized operation.
          at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
          at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
          at Microsoft.Exchange.Security.RightsManagement.SOAP.Server.ServerWS.GetServerInfo(ServerInfoRequest[] requests)
          at Microsoft.Exchange.Security.RightsManagement.ServerWSManager.ValidateServiceVersion(String featureXPath)
          --- End of inner exception stack trace ---
          at Microsoft.Exchange.Security.RightsManagement.ServerWSManager.ValidateServiceVersion(String featureXPath)
          at Microsoft.Exchange.Management.RightsManagement.SetIRMConfiguration.ValidateRmsVersion(Uri uri, ServiceType serviceType)
          at Microsoft.Exchange.Management.RightsManagement.SetIRMConfiguration.ValidateForEnterprise(IRMConfiguration config)
          at Microsoft.Exchange.Management.RightsManagement.SetIRMConfiguration.InternalValidate()
       NonLocalizedException 
       False    
       0 objects execution has been proxied to remote server. 
       0 
       ActivityId: 9bf100f0-7f7b-43e9-b90e-aada8237bad2 
       ServicePlan:;IsAdmin:True; 
       en-US 

    When I run Test-IRMConfiguration -sender username@mydomain.com I get the following response in the Exchange Console:

    Results : Checking Exchange Server ...
                  - PASS: Exchange Server is running in Enterprise.
              Loading IRM configuration ...
                  - PASS: IRM configuration loaded successfully.
              Retrieving RMS Certification Uri ...
                  - PASS: RMS Certification Uri: https[://]rmsconnector.mydomain.com/_wmcs/certification.
              Verifying RMS version for https[://]rmsconnector.mydomain.com/_wmcs/certification ...
                  - WARNING: Failed to verify RMS version. IRM features require AD RMS on Windows Server 2008 SP2 with the
              hotfixes specified in Knowledge Base article 973247
              (http[://]go.microsoft.com/fwlink/?linkid=3052&kbid=973247) or AD RMS on Windows Server 2008 R2.
              ----------------------------------------
              Microsoft.Exchange.Security.RightsManagement.RightsManagementException: Failed to get Server Info from
              https[://]rmsconnector.mydomain.com/_wmcs/certification/server.asmx. --->
              System.Web.Services.Protocols.SoapException: Exception of type 'System.Web.Services.Protocols.SoapException'
              was thrown. ---> Microsoft.RightsManagementServices.Online.Exceptions.ServiceIsDisabledException:  --->
              Exception of type 'Microsoft.RightsManagementServices.Online.Exceptions.ServiceIsDisabledException' was
              thrown.
                 at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message,
              WebResponse response, Stream responseStream, Boolean asyncCall)
                 at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
                 at Microsoft.Exchange.Security.RightsManagement.SOAP.Server.ServerWS.GetServerInfo(ServerInfoRequest[]
              requests)
                 at Microsoft.Exchange.Security.RightsManagement.ServerWSManager.ValidateServiceVersion(String
              featureXPath)
                 --- End of inner exception stack trace ---
                 at Microsoft.Exchange.Security.RightsManagement.ServerWSManager.ValidateServiceVersion(String
              featureXPath)
                 at Microsoft.Exchange.Management.RightsManagement.IRMConfigurationValidator.ValidateRmsVersion(Uri uri,
              ServiceType serviceType)
                 at Microsoft.Exchange.Management.RightsManagement.IRMConfigurationValidator.TryGetRacAndClc()
              ----------------------------------------
              OVERALL RESULT: PASS with warnings on disabled features

    Going over to the RMS Connector Server which took the above Test-IRMConfiguration request, I get an Error 3000


    - System 
      - Provider 

       [ Name]  Microsoft RMS connector 
       [ Guid]  {26626A79-0CB5-4238-BF8C-256EBB71764C} 

       EventID 3000 
       Version 0 
       Level 2 
       Task 0 
       Opcode 0 
       Keywords 0x8000000000000000 
      - TimeCreated 
       [ SystemTime]  2019-07-10T16:02:39.346749800Z 
       EventRecordID 4638 
       Correlation 
      - Execution 
       [ ProcessID]  2964 
       [ ThreadID]  5324 
       Channel Application 
       Computer RMSSERVER1.mydomain.com 
      - Security 
       [ UserID]  S-1-5-82-2584107188-3089786307-1128142335-783482534-2100853389 

    - EventData 
      message Exception of type 'System.Web.Services.Protocols.SoapException' was thrown. ---> Microsoft.RightsManagementServices.Online.Exceptions.ServiceIsDisabledException: ---> Exception of type 'Microsoft.RightsManagementServices.Online.Exceptions.ServiceIsDisabledException' was thrown. 
      stackTrace
          at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
          at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
          at Microsoft.AadrmConnector.WebService.AadrmClient.Server.GetServerInfo(ServerInfoRequest[] requests)
          at Microsoft.AadrmConnector.WebService.LicensingServer.GetServerInfo(ServerInfoRequest[] requests)




    Any help would be greatly appreciated here.



    • Edited by nickwaits Wednesday, July 10, 2019 4:44 PM formatting
    Wednesday, July 10, 2019 4:41 PM