AD RMS clients not being authorized to secure documents by RMS server

  • Question

  • Installed RMS role in production exactly as installed in (working) test environment, yet not working in production. Symptoms are: Client is directed to RMS cluster, then receives message that the service is not available. At that moment an entry is created in the event log of the server with the RMS role, stating that authentication failed while communicating with the SQL server.

    Setup is: RMS role created on "server1.domain.com". Database on "sqlServer.domain.com". DNS entries set up for each: RMS.domain.com > server1.domain.com, and RMS-SQL.domain.com > sqlServer.domain.com. SCP is registered in AD as RMS.domain.com, and clients are being directed to the RMS server.

    In the errors below, I've replaced the actual server and domain names as noted above. I will appreciate any help, being really pushed for an implementation date.

    Process information:
        Process ID: 4728
        Process name: w3wp.exe
        Account name: domain\ADRMSSRVC < this is the service account, which has rights to the SQL databases >
    Exception information:
        Exception type: SqlException
        Exception message: Cannot open database "DRMS_Config_rms_domain_com_443" requested by the login. The login failed.
    Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

    This Active Directory Rights Management Services (AD RMS) cluster cannot perform an operation on one of the AD RMS databases. Ensure that all AD RMS databases are operating correctly on the network and that the AD RMS service account has read and write permissions to the databases.
    Parameter Reference
    Context: STATIC
    RequestId: N/A
    HelpLink.ProdName: Microsoft SQL Server
    HelpLink.EvtSrc: MSSQLServer
    HelpLink.EvtID: 4060
    HelpLink.BaseHelpUrl: http://go.microsoft.com/fwlink
    HelpLink.LinkId: 20476
    SqlError-1.Server: <SQLserver.domain.com>

    SqlError-0.Class: 11
    SqlError-0.Number: 4060
    SqlError-1.State: 1
    SqlError-1.Message: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
    SqlError-0.Message: Cannot open database "DRMS_Config_rms_domain_com_443" requested by the login. The login failed.
    SqlError-1.Number: 18456
    SqlError-0.State: 1
    SqlError-1.Class: 14
    SqlError-0.Server: fl2000-sqlServer.domain.com


    • Edited by JackInIT Wednesday, November 2, 2011 9:45 PM
    Wednesday, November 2, 2011 9:44 PM

All replies

  • Hi Jack,

    Seems more like a SQL permission issue for the AD RMS service account. Have you assigned correct permissions to domain\ADRMSSRVC on the SQL server?

    If Microsoft SQL Server 2005 or Microsoft SQL Server 2008 is used, the user account must be a member of the System Administrators database role, or equivalent.



    Thursday, November 3, 2011 1:04 PM
  • Thanks for replying. It's Microsoft SQL Server 2008, and the AD RMS service account is a member of the System Administrators. What confuses me in the error log is the "reminder" to make sure the AD RMS service account has the proper permissions, followed by login failure for 'NT AUTHORITY\ANONYMOUS LOGON'. One more fact: when browsing to 'https://rms.domainname.com/_wcms/certification', sometimes prompted for credentials, but it does not accept any username and password; any account will fail to authenticate.

    Thursday, November 3, 2011 1:29 PM
  • Is the RMS service running under the specified user account? What is the application pool identity for (in IIS)?

    Martin

    Friday, November 4, 2011 8:28 AM
  • The Rights Management Services is running under the service account (ADRMSSRVC).

    • Marked as answer by JackInIT Wednesday, November 23, 2011 2:24 PM
    Friday, November 4, 2011 2:28 PM
  • The solution was in IIS Authentication: turned off ASP.NET authentication, now working properly.
    • Marked as answer by JackInIT Wednesday, November 23, 2011 2:27 PM
    Wednesday, November 23, 2011 2:27 PM
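
A triage check for the event quoted in the question, added here as an example (it is not from the thread or from Microsoft): it regroups the interleaved `SqlError-N` fields and compares the worker-process account with the login SQL Server rejected. The function names and the abridged sample text are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: event text abridged from the question above (names as posted).
SAMPLE_EVENT = r"""
Process name: w3wp.exe
Account name: domain\ADRMSSRVC
Exception type: SqlException
SqlError-1.Server: <SQLserver.domain.com>
SqlError-0.Class: 11
SqlError-0.Number: 4060
SqlError-1.State: 1
SqlError-1.Message: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
SqlError-0.Message: Cannot open database "DRMS_Config_rms_domain_com_443" requested by the login. The login failed.
SqlError-1.Number: 18456
SqlError-0.State: 1
SqlError-1.Class: 14
"""

FIELD = re.compile(r"^[ \t]*SqlError-(\d+)\.(\w+):[ \t]*(.*)$", re.M)
ACCOUNT = re.compile(r"^[ \t]*Account name:[ \t]*(\S+)", re.M)
LOGIN = re.compile(r"Login failed for user '([^']+)'")

def parse_event(text):
    """Return (process_account, {index: {field: value}}) from the event text."""
    errors = defaultdict(dict)
    for idx, field, value in FIELD.findall(text):
        errors[int(idx)][field] = value.strip()  # regroup fields logged out of order
    m = ACCOUNT.search(text)
    return (m.group(1) if m else None), dict(errors)

def triage(text):
    """Compare the worker-process account with the login SQL Server rejected."""
    account, errors = parse_event(text)
    rejected = {u for e in errors.values() for u in LOGIN.findall(e.get("Message", ""))}
    numbers = sorted(int(e["Number"]) for e in errors.values() if "Number" in e)
    mismatch = (account is not None and bool(rejected)
                and account.lower() not in {r.lower() for r in rejected})
    return {"process_account": account, "rejected_logins": sorted(rejected),
            "sql_error_numbers": numbers, "identity_mismatch": mismatch}

if __name__ == "__main__":
    result = triage(SAMPLE_EVENT)
    print(result)
    if result["identity_mismatch"]:
        print("SQL Server rejected a different identity than the process account.")
```

A mismatch means the SQL connection did not carry the service account's identity, which is consistent with the fix reported above being an IIS authentication setting rather than a database permission.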