Error: Cannot configure IRM (Word 2010)

  • Question

  • Hello,

    First I set up a lab using Windows Server 2012 AD RMS & Windows 8. I rights protected a Word 2010 document. Then I could open it as expected in Windows 8 (Server 2012 and Windows 8 are in same domain).

    But when I set up AD RMS under Server 2008 R2 (under a different domain) and tried to open the same rights protected document under Windows 7 I get this error:
    "Cannot configure your computer for Information Rights Management at this time." (by Word 2010).

    Is this expected behaviour? Does anyone know why exactly I'm getting that error? Can anyone point me in the right direction as to how to resolve this?

    I've registered the Rights Management SCP. I can also successfully rights protect other documents. But I can't open the rights protected document I created using Server 2012 AD RMS & Windows 8 (Word 2010).

    I've googled the problem but can't seem to find an answer. Found this earlier thread: http://social.technet.microsoft.com/Forums/en-US/officeitproprevious/thread/15d64e0a-30d7-42f8-bdfc-1bb23e5276a7

    But can't find a solution in that thread or the referred article.

    Thanks in advance for any help :-)

    Edit:

    Oh, I think there needs to be a trust relationship between my two AD RMS domains... I see I can import an XML for that. Then I get a signature mismatch. I think because of the different AD Certification Authorities?

    • Edited by Wieger1983 Monday, December 17, 2012 2:44 PM see "Edit"
    Monday, December 17, 2012 2:21 PM

Answers

  • Hi,

    just to be more specific on your setup: Are both RMS installations in the same Active Directory forest? Or just in different domains in the same forest?

    If you have different forests please see here: http://technet.microsoft.com/en-us/library/cc747685(v=WS.10).aspx

    Further I assume that you have two RMS cluster URLs? One for the 2012 RMS and one for 2008 R2. Am I right? Which one is configured for the SCP?

    Have you installed 2012 with mode 1 or 2? I assume 2008 R2 is encryption mode 1.

    Here is a URL about RMS trusts: http://technet.microsoft.com/en-us/library/dd772677(v=WS.10).aspx

    Not sure where the Certificate Authority comes into the picture here, but the SSL certificates on the RMS cluster URLs should be trusted from each client.

    Regards,

    Lutz

    Monday, December 17, 2012 3:21 PM
  • Hi.

    I did not see anything about AD RMS trust between AD RMS. Windows AD DS trust is not enough; you must deploy TUD trust or TPD to make a multiple forest scenario work (please note you need ACL changes too, and if group expansion is needed you will also need to edit exoriginatorforest).

    Regards.

    Cristian

    Tuesday, January 8, 2013 2:06 AM

All replies

  • Thank you, LutzMH. Learned some more about AD RMS. Though I still can't figure out what is wrong.

    To answer your questions:

    The AD RMS installations are in same subnet, but in different forests. And I indeed have two RMS cluster URLs both of which have an SCP configured in their own forest.

    I've also established a two-way forest trust between them. Thought it would make things easier. But the error hasn't gone away. Though it does state it does not trust the certificate. Imported it into the Trusted Root Certification Authority store but keeps saying it does not trust the certificate.

    Thanks also for pointing out to the difference in Cryptographic Modes. I'm using Cryptographic Mode 2 now on both Server 2012 and 2008 R2. Before you pointed this out I was using Cryptographic Mode 1 on Server 2008 R2 and Cryptographic Mode 2 on Server 2012.

    To change the Cryptographic Mode I followed this one: http://technet.microsoft.com/en-us/library/hh867439(v=ws.10).aspx

    Had to create a PSDrive for RMS too & install the appropriate Hotfix for 2008 R2 to be able to support the newer cryptographic mode.

    I also followed this guide which did not bring about any change: http://technet.microsoft.com/nl-nl/library/cc755110(v=ws.10).aspx#BKMK_S1

    Does anyone have any clues for me?

    For example, it seems like I cannot just install the certificate which Word 2010 asks me to install (it's the certificate from where the document was created and rights protected).

    Tuesday, December 18, 2012 2:59 AM
  • Hi,

    I learned that you use SSL certificates, each certificate for each of your two RMS cluster URLs.

    If you access the RMS server with https://rms.forest1.com and https://rms.forest2.com do you get an SSL warning or is this all good?

    Thank you,

    Lutz

    Tuesday, December 18, 2012 6:03 PM
  • You're right, I got an SSL warning which I ignored (clicked Yes a couple of times to continue, using Word 2010). But I've now resolved that. Imported the certificate (of the root CA in my other forest) into the Trusted Root certificate store and can visit both the RMS URLs in my browser & in Word 2010 without any warnings. But I still get the error: "Cannot configure your computer for Information Rights Management at this time." (Word 2010).



    Tuesday, December 18, 2012 7:49 PM
  • I've tried some troubleshooting via this guide (client-side tracing): http://social.technet.microsoft.com/wiki/contents/articles/7700.ad-rms-troubleshooting-client-side-tracing-en-us.aspx

    The debugger returned something like this:

    [4824] [msdrm]:+DRMGetServiceLocation uServiceType = DRM_SERVICE_TYPE_CERTIFICATION,uServiceLocation = DRM_SERVICE_LOCATION_ENTERPRISE
    [4824] [msdrm]:CHttpBase::DispatchRequest returned hr:8004cf44,ErrorCode=500 when hitting Url=https://labserver1.lab.local/_wmcs/licensing/ServiceLocator.asmx with Post size=781
    [4824] [msdrm]:Response Url=https://labserver1.lab.local/_wmcs/licensing/ServiceLocator.asmx
    [4824] [msdrm]:CHttpBase::DispatchRequest returned hr:8004cf44,ErrorCode=500 when hitting Url=https://labserver1.lab.local/_wmcs/licensing/ServiceLocator.asmx with Post size=773
    [4824] [msdrm]:Response Url=https://labserver1.lab.local/_wmcs/licensing/ServiceLocator.asmx

    I found the name of the error: E_DRM_SERVER_ERROR (0x8004CF44) (found that here: http://msdn.microsoft.com/en-us/library/windows/desktop/bb204613(v=vs.85).aspx)

    The HTTP error (ErrorCode=500) means "Internal Server Error" which is also not really helpful.

    Wednesday, December 19, 2012 6:53 AM
  • Hi,

    is lab.local your Win2012 and Win8 environment? And the RMS protected document is from the 2008R2/Win7 environment?

    Do you see the authentication error in the IIS logs on the RMS server as well? So if the document was protected from the 2008R2 RMS server on this server?

    Please verify also if this applies to you as well: http://blogs.technet.com/b/rmssupp/archive/2011/10/04/office-2010-users-receive-an-quot-an-unexpected-error-has-occurred-quot-while-trying-to-irm-protect-content.aspx

    Good luck,

    Lutz

    Wednesday, December 19, 2012 5:53 PM
  • My client is: Windows 8, though on Windows 7 same error occurs. Lab.local is a Server 2012. My other domain is in a different forest, same subnet, but using Server 2008 R2. The document was protected first using Server 2012's AD RMS (Cryptographic Mode 2) and a Windows 8 client, in Word 2010. Then I installed AD RMS on my 2008 R2 root domain.

    About the mentioned link with the hotfix: I downloaded it earlier but apparently it was not applicable to me.

    I don't get any error when visiting this URL in my browser: https://labserver1.lab.local/_wmcs/licensing/ServiceLocator.asmx

    Though I do get this in my IIS log (lab.local):

    #Software: Microsoft Internet Information Services 8.0
    #Version: 1.0
    #Date: 2012-12-22 06:11:46
    #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
    2012-12-22 06:11:46 <my-internal-ip> POST /_wmcs/licensing/ServiceLocator.asmx - 443 - <my-internal-ip> Windows+Rights+Management+Client - 500 0 0 375
    2012-12-22 06:11:46 <my-internal-ip> POST /_wmcs/licensing/ServiceLocator.asmx - 443 - <my-internal-ip> Windows+Rights+Management+Client - 500 0 0 120
    2012-12-22 06:12:44 <my-internal-ip> GET /_wmcs/licensing/ServiceLocator.asmx - 443 - <my-internal-ip> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.2;+WOW64;+Trident/6.0;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+InfoPath.3) - 200 0 0 227
    2012-12-22 06:12:59 <my-internal-ip> GET /_wmcs/licensing/ServiceLocator.asmx op=FindServiceLocationsForUser 443 - <my-internal-ip> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.2;+WOW64;+Trident/6.0;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+InfoPath.3) https://labserver1.lab.local/_wmcs/licensing/ServiceLocator.asmx 200 0 0 78
    2012-12-22 06:26:00 <my-internal-ip> POST /_wmcs/licensing/ServiceLocator.asmx - 443 - <my-internal-ip> Windows+Rights+Management+Client - 500 0 0 62
    2012-12-22 06:26:00 <my-internal-ip> POST /_wmcs/licensing/ServiceLocator.asmx - 443 - <my-internal-ip> Windows+Rights+Management+Client - 500 0 0 109
    Apparently a POST-request returns an internal server error and a GET-request returns no error (200 = OK).



    • Edited by Wieger1983 Saturday, December 22, 2012 6:35 AM ip
    Saturday, December 22, 2012 6:34 AM
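
Added example, not part of the original thread: a small triage script for an IIS W3C log like the one posted above, which separates requests from the RMS client from browser requests and reports endpoints where the client's POSTs fail with 5xx while a GET to the same URL returns 200. The sample log is constructed in the same layout as the post, with placeholder IP addresses.

```python
from collections import Counter

# Constructed sample in the W3C layout shown in the post (placeholder IPs).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2012-12-22 06:11:46 192.0.2.5 POST /_wmcs/licensing/ServiceLocator.asmx - 443 - 192.0.2.20 Windows+Rights+Management+Client - 500 0 0 375
2012-12-22 06:12:44 192.0.2.5 GET /_wmcs/licensing/ServiceLocator.asmx - 443 - 192.0.2.20 Mozilla/4.0+(compatible;+MSIE+7.0) - 200 0 0 227
2012-12-22 06:26:00 192.0.2.5 POST /_wmcs/licensing/ServiceLocator.asmx - 443 - 192.0.2.20 Windows+Rights+Management+Client - 500 0 0 62
"""

RMS_AGENT = "Windows+Rights+Management+Client"  # user agent as it appears in the posted log

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))

def summarize(text):
    """Count requests per (endpoint, method, client kind, HTTP status)."""
    counts = Counter()
    for r in parse_w3c(text):
        client = "rms-client" if r["cs(User-Agent)"] == RMS_AGENT else "other"
        counts[(r["cs-uri-stem"], r["cs-method"], client, r["sc-status"])] += 1
    return counts

def failing_rms_endpoints(text):
    """Endpoints where the RMS client gets 5xx, and whether a GET there still returned 200."""
    counts = summarize(text)
    result = {}
    for (uri, method, client, status), n in counts.items():
        if client == "rms-client" and status.startswith("5"):
            get_ok = any(k[0] == uri and k[1] == "GET" and k[3] == "200" for k in counts)
            entry = result.setdefault(uri, {"client_5xx": 0, "browser_get_200": get_ok})
            entry["client_5xx"] += n
    return result

if __name__ == "__main__":
    for uri, info in failing_rms_endpoints(SAMPLE_LOG).items():
        print(uri, info)
```

A GET to an .asmx URL only returns the service's help page, so a 200 in the browser does not exercise the SOAP call that the RMS client sends with POST.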