Issue with RMS and 401 error

  • Question

  • I have just set up the RMS role on a Windows 2008 R2 server with a SQL 2008 back end.  The role installation completed successfully and I have set up the Super users group and moved the federatedaccess mailbox into this group.  I have also given the Exchange servers read/execute permissions to the ServerCertification.asmx file.

    However when I run the Test-IRMConfiguration it fails on "Acquiring Rights Account Certificate (RAC) and Client Licensor Certificate (CLC)"

    The whole result is here: 

    Results : Checking Exchange Server ...

                  - PASS: Exchange Server is running in Enterprise.
              Loading IRM configuration ...
                  - PASS: IRM configuration loaded successfully.
              Retrieving RMS Certification Uri ...
                  - PASS: RMS Certification Uri: https://rms.kcollege.ac.uk/_wmcs/certification.
              Verifying RMS version for https://xxx.xxx.ac.uk/_wmcs/certification ...
                  - PASS: RMS Version verified successfully.
              Retrieving RMS Publishing Uri ...
                  - PASS: RMS Publishing Uri: https://xxx.xxx.ac.uk/_wmcs/licensing.
              Acquiring Rights Account Certificate (RAC) and Client Licensor Certificate (CLC) ...
                  - WARNING: Failed to acquire a Rights Account Certificate (RAC) and/or a Client Licensor Certificate
              (CLC). This failure may cause features such as Transport Decryption, Transport Protection Rules, Journal
              Report Decryption, IRM in Outlook Web App, IRM in Exchange ActiveSync, and IRM Search to not work. Make sure
              that the Exchange Servers Group is granted "Read" and "Read & Execute" rights on the
              ServerCertification.asmx and Publish.asmx pipelines on your AD RMS server. For details, see "Set Permissions
              on the AD RMS Certification Pipeline" at  http://go.microsoft.com/fwlink/?LinkId=186951.
              ----------------------------------------
              Microsoft.Exchange.Security.RightsManagement.RightsManagementException: Failed to acquire server box RAC
              from https://xxx.xxx.ac.uk/_wmcs/certification/servercertification.asmx. ---> System.Net.WebException:
              The request failed with HTTP status 401: Unauthorized.
                 at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message,
              WebResponse response, Stream responseStream, Boolean asyncCall)
                 at System.Web.Services.Protocols.SoapHttpClientProtocol.EndInvoke(IAsyncResult asyncResult)
                 at Microsoft.Exchange.Net.WsAsyncProxyWrapper.EndInvoke(IAsyncResult result)
                 at Microsoft.Exchange.Security.RightsManagement.SOAP.ServerCertification.ServerCertificationWS.EndCertify(
              IAsyncResult asyncResult)
                 at Microsoft.Exchange.Security.RightsManagement.ServerCertificationWSManager.EndAcquireRac(IAsyncResult
              asyncResult)
                 --- End of inner exception stack trace ---
                 at Microsoft.Exchange.Data.Storage.RightsManagement.RmsClientManager.EndAcquireInternalOrganizationRACAndC
              LC(IAsyncResult asyncResult)
                 at Microsoft.Exchange.Management.RightsManagement.IRMConfigurationValidator.TryGetRacAndClc()
              ----------------------------------------

              OVERALL RESULT: PASS with warnings on disabled features

    Any ideas on how I can resolve this problem?



    • Edited by Robin Cook Thursday, September 13, 2012 5:34 PM
    Thursday, September 13, 2012 9:08 AM

Answers

  • I meant access logs, look for the 401 Unauthorized in inetpub\logs.

    Martin

    • Marked as answer by Robin Cook Thursday, September 27, 2012 1:53 PM
    • Unmarked as answer by Robin Cook Thursday, September 27, 2012 1:53 PM
    • Marked as answer by Robin Cook Thursday, September 27, 2012 1:58 PM
    Thursday, September 27, 2012 10:56 AM
  • This is the set of logs from a "Test-IRMConfiguration" command run on the exchange server:

    #Software: Microsoft Internet Information Services 7.5
    #Version: 1.0
    #Date: 2012-09-27 13:39:15
    #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
    2012-09-27 13:39:15 172.18.100.107 POST /_wmcs/certification/ServiceLocator.asmx - 443 - xx.xx.100.40 Windows+Rights+Management+Client 401 2 5 0
    2012-09-27 13:39:15 172.18.100.107 POST /_wmcs/certification/ServiceLocator.asmx - 443 DOMAIN\SERVER$ xx.xx.100.40 Windows+Rights+Management+Client 200 0 64 46
    2012-09-27 13:39:15 172.18.100.107 POST /_wmcs/certification/ServiceLocator.asmx - 443 - xx.xx.100.40 Windows+Rights+Management+Client 401 2 5 0
    2012-09-27 13:39:15 172.18.100.107 POST /_wmcs/certification/ServiceLocator.asmx - 443 DOMAIN\SERVER$ xx.xx.100.40 Windows+Rights+Management+Client 200 0 64 15
    2012-09-27 13:39:25 172.18.100.107 POST /_wmcs/certification/server.asmx - 443 - xx.xx.100.40 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.5456) 401 2 5 0
    2012-09-27 13:39:25 172.18.100.107 POST /_wmcs/certification/server.asmx - 443 DOMAIN\SERVER$ xx.xx.100.40 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.5456) 200 0 0 640
    2012-09-27 13:39:27 172.18.100.107 POST /_wmcs/certification/servercertification.asmx - 443 - xx.xx.100.40 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.5456) 401 2 5 0
    2012-09-27 13:39:27 172.18.100.107 POST /_wmcs/certification/servercertification.asmx - 443 DOMAIN\SERVER$ xx.xx.100.40 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.5456) 401 5 0 15

    I noticed the 401s on server.asmx and servicelocator.asmx, which I was not aware Exchange would be accessing.  Granting the "Exchange Servers" group permission to these files has resolved the issue and the "Test-IRMConfiguration" command passes.

    What is odd is how the servercertification.asmx also shows a 401 above but already had the correct permissions and no longer shows a 401 now that the Exchange servers have read/execute rights on the other folders.

    Thanks for the assistance.

    • Marked as answer by Robin Cook Thursday, September 27, 2012 1:58 PM
    Thursday, September 27, 2012 1:58 PM
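
Added example, not part of the original thread: a PowerShell sketch that reads IIS W3C log lines like those above and reports, per URL, the final status returned to a named account, so the anonymous 401.2 challenge is not confused with a refusal of the authenticated Exchange server account. The function names, IP addresses and user-agent value are assumptions made for the illustration; the sample lines are constructed.

```powershell
# Constructed sample in IIS W3C format, modelled on the log in the post
# (IP addresses and the user agent are placeholders).
$sample = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-09-27 13:39:25 192.0.2.10 POST /_wmcs/certification/server.asmx - 443 - 192.0.2.40 Client 401 2 5 0
2012-09-27 13:39:25 192.0.2.10 POST /_wmcs/certification/server.asmx - 443 DOMAIN\SERVER$ 192.0.2.40 Client 200 0 0 640
2012-09-27 13:39:27 192.0.2.10 POST /_wmcs/certification/servercertification.asmx - 443 - 192.0.2.40 Client 401 2 5 0
2012-09-27 13:39:27 192.0.2.10 POST /_wmcs/certification/servercertification.asmx - 443 DOMAIN\SERVER$ 192.0.2.40 Client 401 5 0 15
'@

function ConvertFrom-W3CLog {
    param([string[]]$Line)
    # Column names come from the log's own #Fields directive (first one found).
    $header = $Line | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    $fields = ($header -replace '^#Fields:\s*', '').Trim() -split '\s+'
    # Skip blank lines and # directives, then split each record on spaces.
    $Line | Where-Object { $_ -and $_ -notlike '#*' } |
        ConvertFrom-Csv -Delimiter ' ' -Header $fields
}

function Get-AuthenticatedOutcome {
    param([object[]]$Entry)
    # IIS 401 substatus codes.
    $meaning = @{
        '1' = 'Logon failed'
        '2' = 'Logon failed due to server configuration'
        '3' = 'Unauthorized due to ACL on resource'
        '4' = 'Authorization failed by filter'
        '5' = 'Authorization failed by ISAPI/CGI application'
    }
    # Requests logged with cs-username "-" carried no credentials; the 401.2
    # they receive is the normal challenge when anonymous access is disabled.
    # Only the outcome for a named account shows whether it was refused.
    $Entry | Where-Object { $_.'cs-username' -ne '-' } |
        Group-Object 'cs-uri-stem' |
        ForEach-Object {
            $_.Group | Select-Object -Last 1 |
                Select-Object @{n='Uri'; e={$_.'cs-uri-stem'}},
                              @{n='User'; e={$_.'cs-username'}},
                              @{n='Status'; e={'{0}.{1}' -f $_.'sc-status', $_.'sc-substatus'}},
                              @{n='Meaning'; e={ if ($_.'sc-status' -eq '401') { $meaning[$_.'sc-substatus'] } }}
        }
}

$entries = ConvertFrom-W3CLog -Line ($sample -split '\r?\n')
Get-AuthenticatedOutcome -Entry $entries | Format-Table -AutoSize
```

To run it against a real log, pass the output of `Get-Content` for a file under inetpub\logs to `ConvertFrom-W3CLog` instead of the sample.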

All replies

  • Sunday, September 16, 2012 7:54 PM
  • Have you checked the IIS server logs for ADRMS server?

    Martin

    Tuesday, September 18, 2012 6:23 AM
  • Have you configured "AD RMS Cryptographic Mode 2"?

    http://technet.microsoft.com/de-de/library/hh867439(WS.10).aspx

    AD RMS Cryptographic Mode 2 and Exchange 2010 Information Rights Management - http://blogs.technet.com/b/exchange/archive/2012/04/09/ad-rms-cryptographic-mode-2-and-exchange-2010-information-rights-management.aspx

    I have not configured Cryptographic Mode 2, just a standard vanilla single server implementation with a separate SQL server at this stage.
    Tuesday, September 25, 2012 2:43 PM
  • I cannot see anything relevant in the IIS server logs. Just to be clear, are you talking about the access logs stored in inetpub\logs or in Server Manager>Diagnostics?

    The only warning/error I have listed is under RMS:

    Log Name:      Application
    Source:        Active Directory Rights Management Services
    Event ID:      192
    Task Category: General
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      xx.xx.ac.uk
    Description:
    The cluster URL specified in the Active Directory Rights Management Services (AD RMS) installation did not respond to an HTTP request. Make sure that the AD RMS cluster is available on the network.

    This event only appears once from the approximate time RMS was configured. Since then the server has been restarted a number of times and this event has not been recorded again.

    Thursday, September 27, 2012 10:51 AM