Azure RMS with Exchange 2016

  • Question

  • I am trying to configure Azure RMS with on-Prem AD users in my lab and I seem to have hit a brick wall.

    Setup:

    Exchange 2016 CU3 single server
    Single Domain forest DFL FFL 2008R2
    File Server (also running AADconnect)
    DC
    AppServer (for AD RMS connector)

    OS on all servers 2012R2

    So the steps I followed are:

    Create Tenant (Authorise Domain)
    Enable RMS in Tenant
    Run AAD Connect sync all users to Azure
    Licence users for Azure Information Protection P1 licence

    Download and install AD RMS connector (azure account used global admin)
    On the Exchange server:
    .\GenConnectorConfig.ps1 -ConnectorUri http://AppServer.contoso.com -SetExchange2013
    Set-IRMConfiguration -InternalLicensingEnabled $true

    In OWA, I can see the two default templates as well as a test one I created. However, if I attempt to apply one of the three templates to the email via the set-permissions tab, the email does not send successfully.

    Troubleshooting so far 
    On the Exchange server:
    Test-IRMConfiguration -Sender sender1@contoso.com -Recipient sender2@contoso.com 
    Overall pass

    RMS Analyser:

    Azure RMS user: Pass
    Azure RMS Admin: Pass

    Azure RMS connector = The specified address denied the request for service information because your account is not authorised by the connector.

    All the diagnostics fail with the following


    System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
       at Microsoft.AadrmConnector.WebService.BaseWebService..ctor()
       at System.RuntimeType.CreateInstanceDefaultCtor(Boolean publicOnly, Boolean skipCheckThis, Boolean fillCache, StackCrawlMark& stackMark)
       --- End of inner exception stack trace ---


    All the Exchange tests pass besides "My computer is working for IRM"

    Verifying RMS version for http://appserver.contoso.com/_wmcs/certification ...
        - FAIL: Failed to verify RMS version. IRM features require AD RMS on Windows Server 2008 SP2 with the hotfixes specified in Knowledge Base article 973247 (http://go.microsoft.com/fwlink/?linkid=3052&kbid=973247) or AD RMS on Windows Server 2008 R2.

    ------------------------
    Microsoft.Exchange.Security.RightsManagement.RightsManagementException: Failed to get Server Info from http://appserver.contoso.com/_wmcs/certification/server.asmx. ---> System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> Attempted to perform an unauthorized operation.
       at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
       at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
       at Microsoft.Exchange.Security.RightsManagement.SOAP.Server.ServerWS.GetServerInfo(ServerInfoRequest[] requests)
       at Microsoft.Exchange.Security.RightsManagement.ServerWSManager.ValidateServiceVersion(String featureXPath)
       --- End of inner exception stack trace ---
       at Microsoft.Exchange.Security.RightsManagement.ServerWSManager.ValidateServiceVersion(String featureXPath)
       at Microsoft.Exchange.Management.RightsManagement.IRMConfigurationValidator.ValidateRmsVersion(Uri uri, ServiceType serviceType)
       at Microsoft.Exchange.Management.RightsManagement.IRMConfigurationValidator.TryGetRacAndClc()
    ----------------------------------------


    However the server is running Windows server 2012R2

    I am getting Event ID 3000 on the RMS connector server with the following text

    An unhandled exception occurred in the Microsoft RMS connector.

    Message:
    Exception of type 'System.Web.Services.Protocols.SoapException' was thrown. ---> Microsoft.DigitalRightsManagement.Core.VerifyMachineCertificateChainFailedException:  ---> Exception of type 'Microsoft.DigitalRightsManagement.Core.VerifyMachineCertificateChainFailedException' was thrown.

    Stack Trace:
       at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
       at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
       at Microsoft.AadrmConnector.WebService.AadrmClient.ServerCertificationWebService.Certify(CertifyParams requestParams)
       at Microsoft.AadrmConnector.WebService.ServerCertificationWebService.Certify(CertifyParams requestParams)


    I'm out of ideas so any recommendations or tips would be most welcome.
    Tuesday, December 6, 2016 12:34 AM

All replies

  • This sounds like registry entries might not be set or not set correctly on your Exchange server.

    Have you checked the registry settings against the documentation? https://docs.microsoft.com/en-us/information-protection/deploy-use/rms-connector-registry-settings#exchange-2016-or-exchange-2013-registry-settings

    Apparently a very old version of the GenConnectorConfig.ps1 script would create the error about being unable to verify the RMS version but this was fixed in 2014, so unlikely to be that. However, missing entries or incorrectly set registry keys could easily produce the same error.

    If manually checking the registry entries draws a blank, I recommend opening a support case for this.

    Wednesday, December 14, 2016 1:58 AM
  • I had pretty much the same issue until I ran "iisreset" on the Exchange CAS.

    I checked the HTTPS configuration on the RMS connector and everything seemed fine; rebooting IIS seems to resolve this issue. After the iisreset, Event ID 3000 didn't return on the RMS servers.

    Regards,

    Marko

    Wednesday, December 14, 2016 12:27 PM
  • I experienced the same issue (Event ID 3000 in the RMS Connector logs) with Exchange 2016.

    Steps to follow:

    1 - Check and confirm that the Azure RMS registry entries are in place (https://docs.microsoft.com/en-us/azure/information-protection/rms-connector-registry-settings#exchange-2016-or-exchange-2013-registry-settings)

    2 - RMS Connector servers - IIS reset

    3 - Exchange server - IIS reset

    Hope this helps. 


    Regards

    Sulfikar


    • Edited by Sulfikar_ Thursday, September 13, 2018 8:43 AM
    Thursday, September 13, 2018 8:42 AM