Set-IRMConfiguration failing with 401. Using AD RMS 2012 member server and Exchange 2010 SP2

  • Question

  • We have a new AD RMS 2012 member server in a Win08R2SP1 Native domain.

    We have Exchange 2010 SP2 Rollup 4v2.

    I put the Exchange fed mailbox in a rmssuper group and enabled this group in AD RMS.

    I gave the Exchange Servers group ACL access to servicelocater.asmx, server.asmx, and servercertification.asmx.

    Office 2013 clients can access and use policy templates from this AD RMS server.

    Trying to enable IRM on the Exchange server and I am getting

    [PS] C:\Windows\system32>Set-IRMConfiguration -InternalLicensingEnabled $true
    The request failed with HTTP status 401: Unauthorized. ---> Failed to get Server Info from https://rms.juf.org/_wmcs/ce
    rtification/server.asmx.
        + CategoryInfo          : InvalidOperation: (:) [Set-IRMConfiguration], Exception
        + FullyQualifiedErrorId : FECD1A6C,Microsoft.Exchange.Management.RightsManagement.SetIRMConfiguration

    Running the test-irm, I get this:

    Results : Checking Exchange Server ...
                  - PASS: Exchange Server is running in Enterprise.
              Loading IRM configuration ...
                  - PASS: IRM configuration loaded successfully.
              Retrieving RMS Certification Uri ...
                  - PASS: RMS Certification Uri: https://rms.juf.org/_wmcs/certification.
              Verifying RMS version for https://rms.juf.org/_wmcs/certification ...
                  - WARNING: Failed to verify RMS version. IRM features require AD RMS on Windows Server 2008 SP2 with the
              hotfixes specified in Knowledge Base article 973247 (http://go.microsoft.com/fwlink/?linkid=3052&kbid=973247)
               or AD RMS on Windows Server 2008 R2.
              ----------------------------------------
              Microsoft.Exchange.Security.RightsManagement.RightsManagementException: Failed to get Server Info from https:
              //rms.juf.org/_wmcs/certification/server.asmx. ---> System.Net.WebException: The request failed with HTTP sta
              tus 401: Unauthorized.
                 at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebRespons
              e response, Stream responseStream, Boolean asyncCall)
                 at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
                 at Microsoft.Exchange.Security.RightsManagement.SOAP.Server.ServerWS.GetServerInfo(ServerInfoRequest[] req
              uests)
                 at Microsoft.Exchange.Security.RightsManagement.ServerWSManager.ValidateServiceVersion(String featureXPath
              )
                 --- End of inner exception stack trace ---
                 at Microsoft.Exchange.Security.RightsManagement.ServerWSManager.ValidateServiceVersion(String featureXPath
              )
                 at Microsoft.Exchange.Management.RightsManagement.IRMConfigurationValidator.ValidateRmsVersion(Uri uri, Se
              rviceType serviceType)
                 at Microsoft.Exchange.Management.RightsManagement.IRMConfigurationValidator.TryGetRacAndClc()
              ----------------------------------------

              OVERALL RESULT: PASS with warnings on disabled features

    IIS Log on RMS shows:

    2013-08-01 20:38:46 ADrmsIP# POST /_wmcs/certification/server.asmx - 443 - cashubIP# Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.5466) - 401 2 5 0

    Thursday, August 1, 2013 8:49 PM

All replies

  • Hello,

    have you been following the instructions for setting up the pipeline ACLs from http://technet.microsoft.com/en-us/library/ff470284(v=ws.10).aspx ?

    Can you open the URL https://rms.juf.org/_wmcs/certification from the Exchange Server itself? Do you also get an authentication error from there?

    regards,

    Lutz

    Tuesday, August 6, 2013 2:50 PM
  • From any domain member computer (all exchange servers included), I can browse the _wmcs/certification pipeline without issue (no prompts or errors).

    I only receive an error when running the set-irm or test-irm commands.

    As I stated above "IIS Log on RMS shows:

    2013-08-01 20:38:46 ADrmsIP# POST /_wmcs/certification/server.asmx - 443 - cashubIP# Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.5466) - 401 2 5 0"

    So, the IIS server on my ADRMS states my cashub request is failing with 401 for the file server.asmx. I have added the Exchange Servers group and ADRMS security group to this file as well, but I still keep getting the same log entry.

    Thanks for your assistance.

    Tuesday, August 6, 2013 3:22 PM
  • Did you ever get this fixed? I am having the exact same issue. This was working previously, but since adding a second server to our ADRMS cluster, users in OWA can't select a DRM template.

    IIS logs show CAS server IPs, but no username. Failing with a 401.


    Lindon Morris Senior Consultant OBS www.obs.com.au

    Thursday, October 9, 2014 6:35 AM
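
An added example, not part of any post in this thread: a PowerShell sketch that decodes IIS W3C log rows such as the `401 2 5 0` entry quoted above and flags 401s logged without a username, as the last two posts describe. The `#Fields` header (IIS 8 default field set) and the function name `Get-Iis401Summary` are assumptions; the data row is the one posted, with its placeholders left as written.

```powershell
# Constructed sample: the #Fields header is assumed (IIS 8 default W3C field set);
# the data row is the entry quoted in the thread, placeholders kept as posted.
$sample = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2013-08-01 20:38:46 ADrmsIP# POST /_wmcs/certification/server.asmx - 443 - cashubIP# Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.5466) - 401 2 5 0
'@ -split "`r?`n"

# IIS 401 substatus codes and their documented meanings.
$SubStatus401 = @{
    '1' = 'Logon failed'
    '2' = 'Logon failed due to server configuration'
    '3' = 'Unauthorized due to ACL on resource'
    '4' = 'Authorization failed by filter'
    '5' = 'Authorization failed by ISAPI/CGI application'
}

function Get-Iis401Summary {
    param([string[]]$Line)
    $fields = @()
    foreach ($l in $Line) {
        if ($l -like '#Fields:*') {
            # Field order comes from the log's own header, not a hard-coded layout.
            $fields = ($l -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($l -like '#*' -or [string]::IsNullOrWhiteSpace($l)) { continue }
        $values = $l -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip malformed rows
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row['sc-status'] -ne '401') { continue }
        $meaning = $SubStatus401[$row['sc-substatus']]
        if (-not $meaning) { $meaning = 'other/unknown substatus' }
        [pscustomobject]@{
            Time      = "$($row['date']) $($row['time'])"
            Client    = $row['c-ip']
            Uri       = $row['cs-uri-stem']
            Anonymous = ($row['cs-username'] -eq '-')   # no identity was logged
            Status    = "401.$($row['sc-substatus'])"
            Meaning   = $meaning
            Win32     = $row['sc-win32-status']         # 5 = ERROR_ACCESS_DENIED
        }
    }
}

Get-Iis401Summary -Line $sample | Format-List
```

IIS logs 401.3, not 401.2, when a file ACL rejects an authenticated user, so the substatus column separates a request that arrived without accepted credentials from an ACL denial.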
  • Hello guys. Did you fix it somehow? I have the same problem. AD RMS running on server 2008 R2 and Exchange 2013.
    Tuesday, September 1, 2015 9:42 AM
  • If you installed AD RMS Cryptographic Mode 2, you need to install Exchange 2010 SP3. Only Cryptographic Mode 1 is supported for your Exchange version (Exchange 2010 SP2 with RU).

    https://social.technet.microsoft.com/Forums/en-US/02a628f8-9047-4b9e-aa12-52dd2b99f9e8/rms-integration-with-exchange?forum=exchangesvrclients


    • Edited by Indunil Sunday, September 6, 2015 6:54 AM add
    Sunday, September 6, 2015 6:53 AM