AD RMS Error 139

  • Question

  • Hi,

    I get Error 139 in AD RMS when I try to protect a Word document with RMS.

    I checked connectivity of client and server, also I checked nslookup on client and server.

    When I open ADSIEdit and go to CN=Services,CN=Configuration,DC=domain,DC=com, there is CN=RightsManagementServices and then CN=SCP, but no other entries. Is something wrong with my configuration?

    Hope you can help

    Thursday, February 13, 2014 10:40 AM

All replies

  • Hi Orothred -

    The error code implies an issue with the connection between the RMS server and the domain controllers.  Can you check the following?

    • Ensure that the AD RMS service account has read access to AD DS
    • Check network connectivity to the AD DS global catalog servers
    • Open TCP port 3268 on global catalog servers
    • Check if Lightweight Directory Address Protocol (LDAP) connection pool registry overrides are correct
    • Restart the AD RMS server


    Micah LaNasa

    Synergy Advisors


    Friday, February 14, 2014 5:31 PM
  • The AD RMS service account is in the Enterprise Admin Group

    Everything with the connection to the AD DS is correct

    /edit: I added the AD RMS service account to the domain admin group, but same error. Here is the complete error:

    Active Directory Rights Management Services (AD RMS) failed to query Active Directory Domain Services (AD DS).

    Parameter Reference
    Context: Pipeline[CertificationPipeline._GetPrincipalIdentifier]
    RequestId: {6efb0ab7-77be-4eb8-8b4b-dc14f4a0cb8c}.3:1
    principal: id=S-1-5-21-3469809867-2352968437-3096282086-26368
    desiredIdentifier: primarymail
    result: null

            Message: Failed to find an entry in the Active Directory: id=S-1-5-21-3469809867-2352968437-3096282086-26368.
            Context: CertificationPipeline._GetPrincipalIdentifier
            principal: id=S-1-5-21-3469809867-2352968437-3096282086-26368
            desiredIdentifier: primarymail
            result: null

    I have no access to the AD DS-Servers, so I cannot check any configurations there

    • Edited by Orothred Monday, February 17, 2014 12:00 PM
    Monday, February 17, 2014 8:26 AM
  • Hi Orothred -

    Does the user who is trying to protect content have the email address attribute populated in Active Directory?


    Micah LaNasa

    Synergy Advisors


    Monday, February 17, 2014 5:05 PM
  • No, it wasn't. I created mailboxes for my test users.

    Now I get the following error when I want to protect a Word document using a Windows account:

    "A problem occurred while contacting the restricted permission service. Please try again later or contact your administrator for more details".

    I can ping the RMS Server from my Test Client. The firewall on the RMS Server is disabled.

    Any ideas?

    /edit: Maybe this was a problem with some wrong IPv6 DNS entries; we fixed this. Now I get Error 139 again. E-mail addresses are populated for the test users.

    • Edited by Orothred Wednesday, February 19, 2014 9:29 AM
    Wednesday, February 19, 2014 8:48 AM
  • No ideas?
    Monday, February 24, 2014 8:46 AM
  • Does IRMCheck show that your email attribute is set:

    (note: IRMCheck gives some invalid data with anything newer than Office 2010)

    The AD Cache database takes a while to refresh if you just added those attributes.

    Friday, February 28, 2014 7:45 PM
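
The directory checks raised in the replies above (global catalog reachability on TCP 3268, read access, and whether the e-mail attribute is populated for the SID named in the error) can be run together. The PowerShell below is an added example, not part of the thread: it assumes the ActiveDirectory module (RSAT) is installed and that the e-mail attribute in question is `mail`, and the function name `Test-RmsPrincipalLookup` is hypothetical.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Test-RmsPrincipalLookup {
    param(
        # The "principal: id=..." value from the AD RMS error text.
        [Parameter(Mandatory)] [string] $Sid
    )

    # The thread points at the global catalogs, so check every GC in the forest.
    foreach ($gc in (Get-ADForest).GlobalCatalogs) {
        # Connectivity check on the GC LDAP port named in the thread (TCP 3268).
        $probe = Test-NetConnection -ComputerName $gc -Port 3268 -WarningAction SilentlyContinue
        $portOpen = [bool]$probe.TcpTestSucceeded

        $entry = $null
        if ($portOpen) {
            # Look the principal up by SID, as the failing request identified it.
            # Assumption: the e-mail attribute being asked about is "mail".
            $entry = Get-ADObject -Server "${gc}:3268" `
                                  -Filter "objectSid -eq '$Sid'" `
                                  -Properties mail
        }

        # One result row per global catalog.
        [pscustomobject]@{
            GlobalCatalog = $gc
            Port3268Open  = $portOpen
            EntryFound    = [bool]$entry
            Mail          = if ($entry) { $entry.mail } else { $null }
            MailPopulated = [bool]($entry -and $entry.mail)
        }
    }
}

# Usage, with the SID quoted in the error message in the thread:
# Test-RmsPrincipalLookup -Sid 'S-1-5-21-3469809867-2352968437-3096282086-26368' |
#     Format-Table -AutoSize
```

Running it on the AD RMS server under the AD RMS service account makes the result reflect that account's read access; a row with `EntryFound` false or `MailPopulated` false on a reachable global catalog matches the "Failed to find an entry" / `desiredIdentifier: primarymail` failure quoted above.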