Issues with RMS and OWA Exchange 2010 Error: NeedsGroupIdentityActivation

  • Question

  • Hi All,

    I am facing an issue with RMS that is driving me crazy. We have deployed an RMS server in our existing Exchange 2010 SP3 RU4 environment and the only thing that is not working properly is OWA. No matter what OS or browser we use, users always receive the same error when trying to open a protected message:

    "The message you tried to open is protected with Information Rights Management. The Rights Management server isn't available to open this message. Try opening the message again. If the problem continues, contact your helpdesk.
     Show details

    Error: NeedsGroupIdentityActivation
    Code: UnknownFailure"

    When I try to send a message from OWA I can see and apply the "Do Not Forward" template, but when I click the "Send" button I receive an error: "A problem occurred while you were trying to use your mailbox."

    What is interesting is that RMS works without issues in Outlook 2010.

    What I have so far:

    RMS server is Windows 2012; Exchange servers are all 2008 R2, all fully patched.

    Test-IRMConfiguration reports PASS on all checks.

    FederationMailbox is a member of SuperUsers,

    FederationMailbox and Exchange Servers have access to ServerCertification.asmx

    OWA VirtualDirectory has IRM enabled

    InternalLicensingEnabled is $true in IRMConfiguration 

    Opening a message in OWA triggers an error on the CAS server that looks like this: 2014-04-30T21:08:14.456Z,RacClc,Exception,,,NeedsGroupIdentityActivation [RightsManagementException],MessageId:<...>

    Any help would be greatly appreciated. I have been fighting this for a week now and I hope I won't have to decommission the server.

    Thursday, May 1, 2014 12:27 PM


All replies

  • Hi Amig@. For me, the error message indicates that there is an error when the Exchange server requests the RAC. What Cryptographic Mode are you using in your AD RMS Cluster?

    Also, I would review the IIS logs in the RMS server to check that the request is really hitting the server and, if so, what HTTP code the server returns.

    Regards


    // Raúl - I love this game

    Monday, May 5, 2014 9:41 AM
  • Hello Raul,

    We are using Cryptographic mode 1.

    And you may be onto something, when looking on IIS logs on RMS server there is no sign of requests from OWA ever reaching that server (we have only one). There is no activity in IIS logs.

    I see requests from Outlook 2010 and plenty activity there.

    Do you have any suggestion?

    Best regards,

    Goran

    Monday, May 5, 2014 12:05 PM
  • Hi Amig@. I will assume that the SCP in AD is correctly registered. Apart from that, in my experience, the lack of activity in IIS can be due to an early misnegotiation during the SSL handshake. Please review that the CA chain issuing the SSL certificate of the RMS server is included in the trusted stores of the Exchange server. Make sure also that the CRL is accessible from that server. Certificate issues can be discovered by taking a look at the Event Viewer in the Exchange server. Go to Event Viewer -> Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational and then right-click and Enable. Try to reproduce, then refresh CAPI2 and look for errors.


    // Raúl - I love this game

    Monday, May 5, 2014 12:46 PM
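    The two checks Raúl describes, carried out from PowerShell on the Exchange CAS, as an added example that is not part of the thread and not Microsoft's code: it pulls the RMS server's TLS certificate, rebuilds the chain with an online revocation check so an untrusted issuer or an unreachable CRL shows up as a chain status code, then enables the CAPI2 Operational log and lists recent errors. The RMS hostname is a placeholder; run it in an elevated shell.

```powershell
# Added example (not from the thread). Assumes: run elevated on the Exchange CAS/HT server,
# $RmsHost replaced with the real AD RMS cluster FQDN (placeholder below).
$RmsHost = 'rms.example.local'
$RmsPort = 443

function Test-RmsTlsChain {
    param([string]$HostName = $RmsHost, [int]$Port = $RmsPort)

    # Open a TLS session and grab the server certificate. The validation callback returns
    # $true only so the handshake completes; the real verdict comes from X509Chain below.
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $callback = { param($sender, $certificate, $chain, $errors) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
            ($callback -as [System.Net.Security.RemoteCertificateValidationCallback]))
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }

    # Build the chain from this server's own trust stores with an online CRL check for the
    # whole chain: a missing CA certificate or an unreachable CRL breaks exactly this step.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $valid = $chain.Build($cert)

    # CRL distribution point extension (OID 2.5.29.31): these URLs must be reachable from here.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' } |
        ForEach-Object { $_.Format($true) }

    New-Object PSObject -Property @{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        NotAfter    = $cert.NotAfter
        ChainValid  = $valid
        # Empty when valid; otherwise e.g. UntrustedRoot, PartialChain, RevocationStatusUnknown, OfflineRevocation
        ChainStatus = ($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
        CrlUrls     = $cdp
    }
}

function Enable-Capi2Log {
    # Same as Event Viewer -> Applications and Services Logs -> Microsoft -> Windows -> CAPI2 ->
    # Operational -> Enable Log.
    & wevtutil.exe set-log 'Microsoft-Windows-CAPI2/Operational' /enabled:true
}

function Get-Capi2Errors {
    param([int]$LastMinutes = 15)
    # Level 2 = Error. Reproduce the OWA failure first, then call this.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CAPI2/Operational'
        Level     = 2
        StartTime = (Get-Date).AddMinutes(-$LastMinutes)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

Test-RmsTlsChain | Format-List
Enable-Capi2Log
# ... reproduce the error in OWA, then:
Get-Capi2Errors | Format-List
```

    ChainValid is $true only when the issuing CA chain is in the local trust stores and every CRL in the chain could be fetched; a RevocationStatusUnknown or OfflineRevocation status points at the CRL reachability problem Raúl mentions, UntrustedRoot or PartialChain at the missing CA certificate.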
  • Hi Raul,

    There are no certificate errors or issues on any of the clients or servers that are involved in the process.

    A weird thing happens though: sometimes users from OWA would actually produce entries in the IIS log on the RMS server, and it would look like this:

    -------------------------------------------------------

    15:04:03 10.1.60.28 POST /_wmcs/certification/ServiceLocator.asmx - 443 - 10.1.60.50 Windows+Rights+Management+Client - 401 2 5 0

    15:04:03 10.1.60.28 POST /_wmcs/certification/ServiceLocator.asmx - 443 APX\CASHT01$ 10.1.60.50 Windows+Rights+Management+Client - 200 0 64 78

    15:04:03 10.1.60.28 POST /_wmcs/certification/ServiceLocator.asmx - 443 - 10.1.60.50 Windows+Rights+Management+Client - 401 2 5 0

    15:04:03 10.1.60.28 POST /_wmcs/certification/ServiceLocator.asmx - 443 APX\CASHT01$ 10.1.60.50 Windows+Rights+Management+Client - 200 0 64 15

    APX\CASHT01 is our Hub Transport server

    10.1.60.28 is RMS server

    I don't know what to make of it, it does not mention user name just server name.

    ------------------------------------------------------------------------------

    Monday, May 5, 2014 3:16 PM
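    To read the lines above systematically, here is an added PowerShell example (not from the thread) that parses IIS W3C log lines and summarises, per client and URI, which account authenticated and with what status. The field order is assumed from the four quoted lines (for a real log, take it from the file's #Fields: header), and the sample input is those four lines embedded as a constructed here-string.

```powershell
# Added example (not from the thread). The field order is taken from the four lines quoted
# above; for a real log, use the #Fields: header of the file instead.
$Fields = @('time','s-ip','cs-method','cs-uri-stem','cs-uri-query','s-port','cs-username',
            'c-ip','cs(User-Agent)','cs(Referer)','sc-status','sc-substatus','sc-win32-status','time-taken')

# Constructed input: the four requests quoted in the post, as a here-string.
$SampleLog = @'
15:04:03 10.1.60.28 POST /_wmcs/certification/ServiceLocator.asmx - 443 - 10.1.60.50 Windows+Rights+Management+Client - 401 2 5 0
15:04:03 10.1.60.28 POST /_wmcs/certification/ServiceLocator.asmx - 443 APX\CASHT01$ 10.1.60.50 Windows+Rights+Management+Client - 200 0 64 78
15:04:03 10.1.60.28 POST /_wmcs/certification/ServiceLocator.asmx - 443 - 10.1.60.50 Windows+Rights+Management+Client - 401 2 5 0
15:04:03 10.1.60.28 POST /_wmcs/certification/ServiceLocator.asmx - 443 APX\CASHT01$ 10.1.60.50 Windows+Rights+Management+Client - 200 0 64 15
'@

function ConvertFrom-IisLogLine {
    param([string]$Line)
    if ($Line.Trim() -eq '' -or $Line.StartsWith('#')) { return }
    $values = $Line.Trim() -split '\s+'
    if ($values.Count -ne $Fields.Count) { return }   # layout mismatch: skip rather than mis-map columns
    $obj = New-Object PSObject
    for ($i = 0; $i -lt $Fields.Count; $i++) {
        $obj | Add-Member -MemberType NoteProperty -Name $Fields[$i] -Value $values[$i]
    }
    $obj
}

function Get-StatusMeaning {
    param([string]$Status, [string]$SubStatus, [string]$User)
    # 401.2 on an anonymous request followed by 200 from the same client is the normal Windows
    # authentication challenge; the 200 line shows which account actually authenticated.
    if ($Status -eq '401' -and $SubStatus -eq '2' -and $User -eq '-') { return 'anonymous request challenged (normal first leg of Windows auth)' }
    if ($Status -eq '200') { return "authenticated as $User" }
    if ($Status -eq '401') { return 'authentication failed: check the account and the ACL on the .asmx' }
    return 'unexpected status: investigate'
}

function Get-RmsPipelineSummary {
    param([string[]]$Lines)
    $requests = $Lines | ForEach-Object { ConvertFrom-IisLogLine $_ } |
        Where-Object { $_.'cs-uri-stem' -like '/_wmcs/*' }

    $requests | Group-Object 'c-ip','cs-uri-stem','cs-username','sc-status','sc-substatus' | ForEach-Object {
        $r = $_.Group[0]
        New-Object PSObject -Property @{
            Client  = $r.'c-ip'
            Uri     = $r.'cs-uri-stem'
            Account = $r.'cs-username'
            Status  = "$($r.'sc-status').$($r.'sc-substatus')"
            Count   = $_.Count
            Meaning = Get-StatusMeaning $r.'sc-status' $r.'sc-substatus' $r.'cs-username'
        }
    }
}

function Test-ServerCertificationRequested {
    param([string[]]$Lines)
    # When a RAC has to be issued, a ServerCertification.asmx request should follow the
    # ServiceLocator.asmx calls; its absence means Exchange never got that far (or already had a RAC).
    $hits = $Lines | ForEach-Object { ConvertFrom-IisLogLine $_ } |
        Where-Object { $_.'cs-uri-stem' -like '*/ServerCertification.asmx' }
    return (@($hits).Count -gt 0)
}

$lines = $SampleLog -split "`r?`n"
Get-RmsPipelineSummary $lines | Format-Table Client, Account, Uri, Status, Count, Meaning -AutoSize
"ServerCertification.asmx requested: $(Test-ServerCertificationRequested $lines)"
# Against a real log on the RMS server (example path; adjust the site id and date):
# Get-RmsPipelineSummary (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex140505.log') | Format-Table -AutoSize
```

    On the four quoted lines the summary shows two groups for 10.1.60.50: the anonymous 401.2 challenge and the 200 authenticated as APX\CASHT01$, and no ServerCertification.asmx request, which is the detail to compare against a working Outlook client's entries in the same log.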
  • Hi again. Yes, Exchange will use the computer account to access the certification pipeline to get the RAC. This is why you have to give access to the servercertification.asmx to the Exchange Servers group (you did it, right? I include instructions just in case: http://technet.microsoft.com/es-es/library/ee849850(v=ws.10).aspx).

    The next few lines in your log should be a request to servercertification.asmx file. Unless the RAC already exists. Could you (at the Exchange Server) check C:\ProgramData\Microsoft\DRM\Server\"SID-something like-S-1-5-21-...."\ and see what's inside?

    Also. Could you run test-irmconfiguration from the Exchange management shell and see if any tests say something that can give us a clue?


    // Raúl - I love this game


    • Edited by RMoros Monday, May 5, 2014 3:42 PM
    Monday, May 5, 2014 3:39 PM
  • Thank you very much for your patience and your help!!!

    I just checked again and permissions on servercertification.asmx are still there. I gave read permissions to Exchange Server, ADRMS Service group and federatedemail.4.....

    Test-IRMConfiguration reports OVERALL PASS (none of the tests has failed).

    Inside of a folder S-1-5-21--...18656 are two files:

    CERT-Machine.drm

    powershell_RmsLicenseStoreInfoMap_2.dat

    Monday, May 5, 2014 4:24 PM
  • No need to thank. I will be glad to help.

    I am not sure what the dat file is but it is not one of the standard files that should be there. Could you please make a copy and then delete the contents under C:\ProgramData\Microsoft\DRM\Server\ in the Exchange server? (Only one Exchange Server playing the roles of CAS and HT, right?) Reproduce the issue and check again, please.

    Note: the contents under \Server\ will be regenerated in the next request to the RMS server


    // Raúl - I love this game


    • Edited by RMoros Monday, May 5, 2014 4:36 PM
    • Marked as answer by gjozic Monday, May 5, 2014 5:25 PM
    Monday, May 5, 2014 4:36 PM
  • I deleted the content of the folder DRM\Server and the Exchange server has recreated only one folder: S-1-5-18

    However, OWA is working fine now with only one folder. Should we have 3 folders or is problem resolved with only one?

    Monday, May 5, 2014 5:03 PM
  • Everything works as expected so I will mark this problem as resolved.

    1. Deleting content of the folder C:\Programdata\Microsoft\DRM\Server has resolved the error.

    2. Executing iisreset on CAS/HT and RMS servers.

    THANK YOU Raul!!!!


    • Edited by gjozic Tuesday, May 6, 2014 3:10 AM
    Monday, May 5, 2014 5:25 PM
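    The folder check Raúl asked for (the SID sub-folders under C:\ProgramData\Microsoft\DRM\Server) and the fix that closed the thread (back up, clear the folder, reproduce, iisreset, re-test), as one added PowerShell example that is not from the thread and not Microsoft's code. It assumes an elevated Exchange Management Shell on the CAS/HT server, a placeholder backup path, and uses the .drm extension as the marker for files that normally live there, which is how the thread treats the stray .dat file, not a documented rule.

```powershell
# Added example (not from the thread). Run in an elevated Exchange Management Shell on the CAS/HT.
$DrmServer  = 'C:\ProgramData\Microsoft\DRM\Server'
$BackupRoot = 'C:\DRM-backup'   # placeholder location for the copy taken before clearing

function Get-DrmServerInventory {
    param([string]$Path = $DrmServer)
    # One sub-folder per SID of the account that enrolled with the RMS cluster
    # (S-1-5-18 is the well-known SID for LocalSystem). List every file in each.
    Get-ChildItem -Path $Path | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $sid = $_.Name
        Get-ChildItem -Path $_.FullName -Recurse | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
            New-Object PSObject -Property @{
                Sid        = $sid
                File       = $_.Name
                SizeBytes  = $_.Length
                Modified   = $_.LastWriteTime
                # Assumption: certificate/licence files here carry .drm (e.g. CERT-Machine.drm);
                # anything else, like the .dat file in the thread, is flagged for review.
                Unexpected = ($_.Extension -ne '.drm')
            }
        }
    }
}

function Reset-DrmServerCache {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path = $DrmServer, [string]$Root = $BackupRoot)
    $backup = Join-Path $Root (Get-Date -Format 'yyyyMMdd-HHmmss')
    if ($PSCmdlet.ShouldProcess($Path, "Back up to $backup and delete contents")) {
        New-Item -ItemType Directory -Path $backup -Force | Out-Null
        # Copy first so the old RAC/CLC can be put back if re-enrolment with the RMS cluster fails.
        Copy-Item -Path (Join-Path $Path '*') -Destination $backup -Recurse -Force
        Remove-Item -Path (Join-Path $Path '*') -Recurse -Force
    }
    $backup
}

# 1. What is in there now? (The thread's symptom: a .dat file next to CERT-Machine.drm.)
Get-DrmServerInventory | Sort-Object Sid, File | Format-Table Sid, File, SizeBytes, Modified, Unexpected -AutoSize

# 2. Back up and clear; the folder is regenerated on the next request to the RMS server.
Reset-DrmServerCache -WhatIf      # dry run first
# Reset-DrmServerCache

# 3. Restart IIS on this server (and on the RMS server) so no cached state survives.
# iisreset

# 4. Re-test: open a protected message in OWA, then re-run the inventory and the IRM test
#    (the -Sender value is a placeholder mailbox in your org).
# Test-IRMConfiguration -Sender user@example.local
# Get-DrmServerInventory | Format-Table -AutoSize
```

    Reset-DrmServerCache returns the backup folder it created, so the pre-reset RAC and CLC files can be restored if the server fails to re-enrol; run it with -WhatIf first to confirm the path, then without.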
  • Congratulations :)


    // Raúl - I love this game

    Monday, May 5, 2014 8:28 PM