Help with multi-forest AD RMS RRS feed

  • Question

  • Hi

    We have an existing AD RMS implementation that works with a SharePoint 2010 environment. Initially, it was single Forest + Single Domain and after setup, it all works OK. [Domain1]

    We have recently created a new AD Forest with a new domain. [Domain2] Trust has been established between the new Forest and the old Forest and in SharePoint, the users in the new Forest/Domain can get in to SharePoint OK. However, documents that are protected by AD RMS are now not working for users in the new Forest/Domain. (It continues to work OK for users in the old Forest/Domain.)

    We see either:

    "The content could not be accessed using your current credentials. Would you like to use your Microsoft account to access this content."

    or

    "Server Error in /Certification Application. Cannot generate SSPI context."

    What are the correct steps to resolve this? I have been looking through this: https://technet.microsoft.com/en-us/library/cc753483.aspx but I'm unclear if this is required. In our scenario there is ONLY RM-content in Domain1 - I don't need users in Domain1 to be able to access RM-content in Domain2 (so I'm thinking / hoping that we don't need to provision a new AD RMS node/cluster in Domain2?)

    The certificate in use is *.domain1.com. Do we need to create a new certificate - *.domain2.com ?

    Thanks for any help. I'm afraid I didn't provision this environment so feel free to request more info!

    Tuesday, February 9, 2016 4:36 PM

Answers

  • Hi,

    please check the requirements for RMS in a cross forest environment at https://technet.microsoft.com/en-us/library/dd772648%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396.

    Check especially that you have the correct type of trust in place and GAL sync.

    Hope that helps,

    Lutz 

    • Marked as answer by weirdbeardmt Monday, March 7, 2016 9:14 AM
    Monday, March 7, 2016 3:46 AM
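    The answer above points at two things to verify (the trust type and GAL sync); the question also shows a Kerberos failure ("Cannot generate SSPI context") on the certification pipeline, which is an SPN/authentication problem rather than an RMS configuration one. The following read-only script is an added example, not from the thread or from Microsoft, that checks those items in one pass. Every name in it is an assumption: domain1.com hosts the cluster at https://rms.domain1.com with service account svc_adrms, domain2.com is the new forest, and jdoe is a Domain2 user who cannot open protected content. It needs RSAT's ActiveDirectory module and an account that can read both forests.

```powershell
# Added diagnostic for the cross-forest AD RMS scenario above. All names are
# assumptions; adjust them to the real environment. Read-only: nothing is changed.
#Requires -Modules ActiveDirectory

$RmsForest      = 'domain1.com'              # forest that owns the AD RMS cluster (assumed)
$NewForest      = 'domain2.com'              # new forest whose users fail (assumed)
$RmsClusterUrl  = 'https://rms.domain1.com'  # cluster URL, under the *.domain1.com cert (assumed)
$RmsServiceAcct = 'svc_adrms'                # AD RMS service account in $RmsForest (assumed)
$TestUser       = 'jdoe'                     # a $NewForest user who gets the errors (assumed)

function Test-RmsForestTrust {
    param([string]$Source, [string]$Target)
    # The answer says to check the *type* of trust. A forest trust that is transitive and
    # two-way is what lets the cluster authenticate users from the other forest and read
    # their attributes. A one-way or external (domain-only) trust is a common cause of
    # the "Cannot generate SSPI context" error seen in the question.
    $t = Get-ADTrust -Server $Source -Filter "Target -eq '$Target'"
    if (-not $t) {
        return [pscustomobject]@{ Check = "Trust $Source->$Target"; Pass = $false; Detail = 'no trust object found' }
    }
    $ok = $t.ForestTransitive -and ($t.Direction -eq 'BiDirectional')
    [pscustomobject]@{
        Check  = "Trust $Source->$Target"
        Pass   = [bool]$ok
        # SelectiveAuthentication=True means the RMS servers also need the
        # "Allowed to Authenticate" right for the other forest's users.
        Detail = "Direction=$($t.Direction) ForestTransitive=$($t.ForestTransitive) " +
                 "SelectiveAuth=$($t.SelectiveAuthentication) TrustType=$($t.TrustType)"
    }
}

function Test-RmsSpn {
    param([string]$Forest, [string]$Account, [string]$ClusterUrl)
    # /_wmcs/certification uses Windows integrated auth. Kerberos only works if an
    # HTTP/<cluster fqdn> SPN is registered on the account the app pool runs as;
    # otherwise clients fall back or fail with the SSPI context error.
    $fqdn = ([uri]$ClusterUrl).Host
    $u = Get-ADUser -Server $Forest -Identity $Account -Properties servicePrincipalName
    $has = $u.servicePrincipalName -contains "HTTP/$fqdn"
    [pscustomobject]@{
        Check  = 'SPN on service account'
        Pass   = [bool]$has
        Detail = "want HTTP/$fqdn; have: $($u.servicePrincipalName -join ', ')"
    }
}

function Test-RmsUserResolvable {
    param([string]$RmsForest, [string]$NewForest, [string]$User)
    # AD RMS identifies the requester by the mail attribute. The user must have mail set
    # in their home forest, and the GAL sync the answer mentions should have produced a
    # contact with the same address in the RMS forest so the cluster can resolve them.
    $home = Get-ADUser -Server $NewForest -Identity $User -Properties mail
    $contact = $null
    if ($home.mail) {
        $contact = Get-ADObject -Server $RmsForest -LDAPFilter "(&(objectClass=contact)(mail=$($home.mail)))"
    }
    [pscustomobject]@{
        Check  = "GAL sync for $User"
        Pass   = [bool]($home.mail -and $contact)
        Detail = "mail='$($home.mail)'; contact in ${RmsForest}: " + $(if ($contact) { $contact.DistinguishedName } else { 'none' })
    }
}

function Test-RmsServiceDiscovery {
    param([string]$Forest, [string]$ExpectedUrl)
    # Clients look for the AD RMS service connection point in their *own* forest's
    # configuration partition. If $NewForest has no SCP (or one pointing elsewhere),
    # its clients cannot locate the Domain1 cluster without a registry override.
    $cfg = (Get-ADRootDSE -Server $Forest).configurationNamingContext
    $scp = Get-ADObject -Server $Forest -SearchBase "CN=RightsManagementServices,CN=Services,$cfg" `
        -LDAPFilter '(objectClass=serviceConnectionPoint)' -Properties serviceBindingInformation `
        -ErrorAction SilentlyContinue
    $url  = $scp.serviceBindingInformation | Select-Object -First 1
    $want = ([uri]$ExpectedUrl).Host
    $ok   = $url -and (([uri]$url).Host -ieq $want)
    [pscustomobject]@{
        Check  = "SCP in $Forest"
        Pass   = [bool]$ok
        Detail = $(if ($url) { "SCP=$url" } else { 'no SCP published in this forest' })
    }
}

function Invoke-RmsCrossForestCheck {
    @(
        Test-RmsForestTrust      -Source $RmsForest -Target $NewForest
        Test-RmsForestTrust      -Source $NewForest -Target $RmsForest
        Test-RmsSpn              -Forest $RmsForest -Account $RmsServiceAcct -ClusterUrl $RmsClusterUrl
        Test-RmsUserResolvable   -RmsForest $RmsForest -NewForest $NewForest -User $TestUser
        Test-RmsServiceDiscovery -Forest $NewForest -ExpectedUrl $RmsClusterUrl
    )
}

Invoke-RmsCrossForestCheck | Format-Table Check, Pass, Detail -AutoSize -Wrap
```

    Each row that comes back with Pass=False names the requirement it maps to: the two trust rows cover the answer's "correct type of trust", the SPN row covers the SSPI error, the GAL row covers the answer's GAL sync point, and the SCP row shows whether Domain2 clients can find the Domain1 cluster at all. The script deliberately changes nothing; fixing a failed row (registering the SPN, changing the trust, publishing an SCP or registry override) is a separate, deliberate change on the cluster or forest.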

All replies

  • Hi, thanks. Yeah, I had pretty much arrived at the conclusion that there's no way of doing this without either a) federated trust between the two domains or b) a new AD RMS cluster in the new domain/forest.
    Monday, March 7, 2016 9:14 AM