Exchange 2016 OWA integration with AD RMS 2012 R2 issue

    Question

  • Hi,

    We are having a problem with Exchange 2016 OWA integration with AD RMS 2012 R2. When a user receives a rights-protected email, he is unable to see that email and he gets "the message you tried to open is protected with information rights management. Pre-licensing failed. try opening the message again".

    I checked the AD RMS server, and I get the error below:

    "Active Directory Rights Management Services (AD RMS) failed to create a license because information about the licensee in Active Directory Domain Services (AD DS) is invalid." 
    Log Name: Application
    Source: Active Directory Rights Management Services
    Event ID: 225
    Task Category: Licensing
    Level: Error
    Parameter Reference
    Context: LicensePipeline
    RequestId: {a5c39b5f-159d-4bf1-b1ab-5f3c990a2d76}.5966:95
    Microsoft.DigitalRightsManagement.Licensing.AcquirePreLicenseInvalidLicenseeException

            Message: The licensee specified in AcquirePreLicense is not valid: user@domain.com.

    When I try to run test-IRMConfiguration -sender user@domain.com, the output is below:

    • Results : Checking Exchange Server ...
                    - PASS: Exchange Server is running in Enterprise.
                Loading IRM configuration ...
                    - PASS: IRM configuration loaded successfully.
                Retrieving RMS Certification Uri ...
                    - PASS: RMS Certification Uri: https://rms url/_wmcs/certification.
                Verifying RMS version for https://rms url/_wmcs/certification ...
                    - PASS: RMS Version verified successfully.
                Retrieving RMS Publishing Uri ...
                    - PASS: RMS Publishing Uri: https://rms url/_wmcs/licensing.
                Acquiring Rights Account Certificate (RAC) and Client Licensor Certificate (CLC) ...
                    - PASS: RAC and CLC acquired.
                Acquiring RMS Templates ...
                    - PASS: RMS Templates acquired.
                Retrieving RMS Licensing Uri ...
                    - PASS: RMS Licensing Uri: https://rms url/_wmcs/licensing.
                Verifying RMS version for https://rms url/_wmcs/licensing ...
                    - PASS: RMS Version verified successfully.
                Creating Publishing License ...
                    - PASS: Publishing License created.
                Acquiring Prelicense for 'user@domain.com' from RMS Licensing Uri (https://rms url/_wmcs/licensing) ...
                    - FAIL: Failed to acquire Prelicense [Failure Code = InvalidLicensee]!

                Acquiring Use License from RMS Licensing Uri (https://rms url/_wmcs/licensing) ...
                    - FAIL: Failed to acquire a use license. This failure may cause features such as Transport Decryption,
                    Journal Report Decryption, IRM in OWA, IRM in EAS and IRM Search to not work.
                    Please make sure that the account "FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042" representing the
                    Exchange Servers Group is granted super user privileges on the Active Directory Rights Management Services
                    server. For detailed instructions, see "Add the Federated Delivery Mailbox to the AD RMS Super Users Group"
                    at http://go.microsoft.com/fwlink/?LinkId=193400.

    OVERALL RESULT: FAIL

    I followed steps in this link: https://social.technet.microsoft.com/wiki/contents/articles/30984.steps-to-configure-irms-in-exchange-2013.aspx except step 5.

    Can anybody suggest the solution?
    Tuesday, November 22, 2016 10:07 AM

Answers

  • Issue is resolved by resetting permissions on problematic users in AD. 
    • Marked as answer by AhmadJY Wednesday, February 01, 2017 1:21 PM
    Wednesday, February 01, 2017 1:21 PM

All replies

  • I reinstalled AD RMS with cryptographic mode 2, same issue...

    Also assigned AD RMS Service Group on RMS servers as well as Exchange Servers group read & execute permissions on C:\Inetpub\wwwroot\_wmcs\licensing\publish.asmx but same issue...

    Your help is appreciated..

    Wednesday, November 23, 2016 7:50 AM
  • Any help will be much appreciated.
    Thursday, November 24, 2016 4:03 PM
  • Temporarily give Domain Admin rights to the ADRMS Service Account and check if the prelicensing check passes, as this would rule out any permission related issues.

    Additionally also check if the sender you specified for Test-IRMConfig -sender xxxxx@xxx.com does not have multiple accounts in AD with the same email address.

    Friday, December 02, 2016 12:21 PM
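
    The duplicate-address check suggested in the reply above, as an added read-only example that is not part of the original thread. It lists every AD object in the current domain carrying the address in mail or proxyAddresses, and also reports adminCount and whether ACL inheritance is blocked on each object. The thread does not say which permissions were at fault, so treating those two fields as relevant is an assumption; the function names and the sample address are placeholders.

```powershell
# Added example: read-only diagnostic, not from the original thread.
# Requires the ActiveDirectory module (RSAT). Searches the current domain only.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # Escape characters that are special in LDAP search filters (RFC 4515).
    # The backslash must be escaped first.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

function Get-LicenseeCandidate {
    param([Parameter(Mandatory)][string]$SmtpAddress)

    $v = ConvertTo-LdapFilterValue -Value $SmtpAddress
    # proxyAddresses values carry an "SMTP:"/"smtp:" prefix; matching is case-insensitive.
    $filter = "(|(mail=$v)(proxyAddresses=smtp:$v))"

    Get-ADObject -LDAPFilter $filter `
                 -Properties mail, proxyAddresses, adminCount, nTSecurityDescriptor |
        ForEach-Object {
            [pscustomobject]@{
                DistinguishedName  = $_.DistinguishedName
                ObjectClass        = $_.ObjectClass
                Mail               = $_.mail
                AdminCount         = $_.adminCount
                # True when the object's ACL does not inherit from its parent container.
                InheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
            }
        }
}

# Placeholder address: use the one passed to Test-IRMConfiguration -Sender.
$hits = @(Get-LicenseeCandidate -SmtpAddress 'user@domain.com')

if ($hits.Count -eq 0) {
    Write-Warning 'No AD object carries this address in mail or proxyAddresses.'
} elseif ($hits.Count -gt 1) {
    Write-Warning "$($hits.Count) AD objects share this address; the licensee is ambiguous."
}
$hits | Format-Table -AutoSize
```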
  • Hi,

    How do I achieve the first one? What about assigning the AD RMS service account "read" permissions to the entire domain, will this help?

    For the second one, I confirmed the user I am using in the test-IRMConfiguration command does not have multiple accounts in AD with the same email address.

    Friday, December 02, 2016 1:33 PM
  • Domain admin already has full permissions on the AD RMS service account.

    Also assigned the AD RMS service account read permissions to the whole domain, but still the same issue.

    Thursday, December 08, 2016 7:12 AM
  • Hi, please try the following:

    1. Turn off IRM.
    "Set-IRMConfiguration -InternalLicensingEnabled $false"
    2. Back up and delete the directories in "C:\ProgramData\Microsoft\DRM\Server".

    Note: The Server folder is a hidden system folder and you will need to uncheck the "Hide protected operating system files" to view the folder.

    3. Reboot.
    4. Enable IRM.  
    "Set-IRMConfiguration -InternalLicensingEnabled $true"
    5. Test IRM.
    "Test-IRMConfiguration -sender [user@domain.com]"


    If the above doesn't help, please download and try RMS Analyzer https://www.microsoft.com/en-us/download/details.aspx?id=46437 as it may give you additional clues.

    Let me know the outcomes.

    Sunday, December 11, 2016 10:22 PM
  • Hi and thanks. I did try the above before with no luck. I will try RMS analyzer and see. Note that we have six Exchange 2016 servers.
    Monday, December 12, 2016 2:02 AM
  • Issue is resolved by resetting permissions on problematic users in AD. 
    • Marked as answer by AhmadJY Wednesday, February 01, 2017 1:21 PM
    Wednesday, February 01, 2017 1:21 PM
  • Hi

    I'm actually having the same issues as you. How did you "reset permissions in AD"?

    Any chance you can share the steps?

    Thursday, March 08, 2018 5:14 PM