AD RMS and Exchange 2016 Integration

  • Question

  • I followed this link: http://windowstechpro.com/part-3-how-to-enable-irm-ad-rms-in-exchange-2013/ to integrate AD RMS 2012 R2 with Exchange 2016, and when I run Get-RMSTemplate | Format-List, I can see the templates available to use. I can also see the templates from Exchange OWA. But when I run Test-IRMConfiguration -Sender user@domainname.com to test the IRM configuration and the AD RMS health status of the URLs and availability of the services, it fails at the last step and the error below is thrown:

    Acquiring Use License from RMS Licensing Uri (https://rms.Domain.com/_wmcs/licensing) ...
                  - FAIL: Failed to acquire a use license. This failure may cause features such as Transport Decryption, Journal Report Decryption, IRM in OWA, IRM in EAS and IRM Search to not work. Please make sure that the account "FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042" representing the Exchange Servers Group is granted super user privileges on the Active Directory Rights Management Services server. For detailed instructions, see "Add the Federated Delivery Mailbox to the AD RMS Super Users Group" at http://go.microsoft.com/fwlink/?LinkId=193400.

    I confirmed the federated delivery mailbox is part of the super group. What am I missing here?

    Tuesday, November 15, 2016 6:10 PM

Answers

  • Issue is resolved by resetting permissions on problematic users in AD. 
    • Marked as answer by AhmadJY Wednesday, February 1, 2017 1:52 PM
    Wednesday, February 1, 2017 1:52 PM

All replies

  • Note that AD RMS is installed in Cryptographic Mode 1.
    Tuesday, November 15, 2016 6:13 PM
  • And when I try to open a protected message in OWA, I get the error below:

    the message you tried to open is protected with information rights management. Pre-licensing failed. try opening the message again

    Your help is appreciated

    Wednesday, November 16, 2016 12:41 PM
  • One thing that can bite you (and happens often) is that the group cache on AD RMS doesn't refresh very fast, so if you added the account to super user it might not work right away. There are ways to change the cache, but if it's still failing today that isn't the problem.

    I would start with the IRM logs on the Exchange side:

    1. C:\Program Files\Microsoft\Exchange Server\Vx\TransportRoles\Logs\OfflineRMS

    2. C:\Program Files\Microsoft\Exchange Server\Vx\TransportRoles\Logs\IRMLogs

    3. D:\TransportRoles\Logs\OfflineRMS

    4. D:\TransportRoles\Logs\IRMLogs

    Wednesday, November 16, 2016 7:26 PM
  • Thanks for that. I added federated delivery mailbox to super group two days ago... I will check mentioned logs tomorrow and get back here with result.
    Wednesday, November 16, 2016 9:20 PM
  • In the log file under the IRMLogs folder, I see the line below:

    UseLicense,Exception,,,Microsoft.DigitalRightsManagement.Licensing.NoRightsForRequestedPrincipalException: Exception of type 'Microsoft.DigitalRightsManagement.Licensing.NoRightsForRequestedPrincipalException' was thrown. [RightsManagementException],,6f692756-4c99-4727-903b-a2f845a02241

    Thursday, November 17, 2016 6:14 AM
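
Added example, not part of the original thread: a PowerShell helper that tallies RMS licensing exceptions in the Exchange IRM logs by operation and exception type, so a recurring failure such as the one quoted above stands out. The field layout is assumed from the single log line quoted in the post; the function name, the `$IrmLogDir` variable and the sample lines are constructed for illustration.

```powershell
# Added example (not from the thread). Tallies RMS licensing exceptions in
# Exchange IRM log lines by operation and exception type.
# Assumption: entries look like the one line quoted in the thread, i.e.
#   <operation>,Exception,,,<exception type>: <message>
function Get-IrmLicensingException {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline)]
        [string[]]$Line
    )
    begin {
        $pattern = '(?<op>[^,]+),Exception,[^,]*,[^,]*,' +
                   'Microsoft\.DigitalRightsManagement\.Licensing\.(?<type>\w+Exception)'
        $counts = @{}
    }
    process {
        foreach ($entry in $Line) {
            $m = [regex]::Match($entry, $pattern)
            if (-not $m.Success) { continue }   # not a licensing exception entry
            $key = '{0}|{1}' -f $m.Groups['op'].Value, $m.Groups['type'].Value
            $counts[$key] = 1 + [int]$counts[$key]
        }
    }
    end {
        foreach ($key in ($counts.Keys | Sort-Object)) {
            $op, $type = $key -split '\|', 2
            [pscustomobject]@{ Operation = $op; ExceptionType = $type; Count = $counts[$key] }
        }
    }
}

# Constructed sample lines modelled on the entry quoted in the thread
# (the GUIDs and the "Success" line are made up).
$sample = @(
    'UseLicense,Exception,,,Microsoft.DigitalRightsManagement.Licensing.NoRightsForRequestedPrincipalException: Exception of type X was thrown. [RightsManagementException],,00000000-0000-0000-0000-000000000001'
    'UseLicense,Success,,,,,00000000-0000-0000-0000-000000000002'
    'UseLicense,Exception,,,Microsoft.DigitalRightsManagement.Licensing.NoRightsForRequestedPrincipalException: Exception of type X was thrown. [RightsManagementException],,00000000-0000-0000-0000-000000000003'
)
$sample | Get-IrmLicensingException | Format-Table -AutoSize

# Against real logs, set $IrmLogDir to the IRMLogs folder of your install
# (the version folder is elided as "Vx" in the thread):
# Get-ChildItem -Path $IrmLogDir -File | Get-Content | Get-IrmLicensingException
```
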
  • And when I check the event logs on AD RMS, I see the error below:

    Active Directory Rights Management Services (AD RMS) failed to create a license because information about the licensee in Active Directory Domain Services (AD DS) is invalid

    Parameter Reference
    Context: LicensePipeline
    RequestId: xxxxxxx
    Microsoft.DigitalRightsManagement.Licensing.AcquirePreLicenseInvalidLicenseeException

            Message: The licensee specified in AcquirePreLicense is not valid:

            FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@domain.com

    Thursday, November 17, 2016 6:29 AM
  • I badly need your help, experts.
    Saturday, November 19, 2016 7:46 AM
  • I reinstalled AD RMS with cryptographic mode 2, same issue...

    I also assigned the AD RMS Service Group on the RMS servers, as well as the Exchange Servers group, read & execute permissions on C:\Inetpub\wwwroot\_wmcs\licensing\publish.asmx, but same issue...

    Your help is appreciated.

    Wednesday, November 23, 2016 7:50 AM