Situation

Configuring Exchange 2010 IRM integration with AD RMS succeeds. Testing the configuration (with the Test-IRMConfiguration command) does not.

Test-IRMConfiguration -Sender user1@contoso.com fails acquiring rights account certificate (RAC) and client licensor certificate (CLC).

Error messages

Exchange console

Acquiring Rights Account Certificate (RAC) and Client Licensor Certificate (CLC) ...
    - FAIL: Failed to acquire a Rights Account Certificate (RAC) and/or a Client Licensor Certificate (CLC).
This failure may cause features such as Transport Decryption, Transport Protection Rules, Journal Report Decryption, IRM in Outlook Web App, IRM in Exchange ActiveSync, and IRM Search to not work. Make sure that the Exchange Servers Group is granted "Read" and "Read & Execute" rights on the ServerCertification.asmx and Publish.asmx pipelines on your AD RMS server. For details, see "Set Permissions on the AD RMS Certification Pipeline" at  http://go.microsoft.com/fwlink/?LinkId=186951.
----------------------------------------
Microsoft.Exchange.Security.RightsManagement.RightsManagementException: Failed to acquire server box RAC from
Protocols.SoapException: System.Web.Services.Protocols.SoapException: Exception of type 'System.Web.Services.
Protocols.SoapException' was thrown. ---> Microsoft.DigitalRightsManagement.Cryptography.UnsupportedCryptographicSetException: Exception of type 'Microsoft.DigitalRightsManagement.Cryptography.UnsupportedCryptographicSetException' was thrown.
   --- End of inner exception stack trace ---
   at Microsoft.DigitalRightsManagement.Certification.BaseCertificationWebService.Certify(CAType caType, CertifyParams requestParameters)
   at Microsoft.DigitalRightsManagement.Certification.ServerCertificationWebService.Certify(CertifyParams requestParams)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.EndInvoke(IAsyncResult asyncResult)
   at Microsoft.Exchange.Net.WsAsyncProxyWrapper.EndInvoke(IAsyncResult result)
   at Microsoft.Exchange.Security.RightsManagement.SOAP.ServerCertification.ServerCertificationWS.EndCertify(IAsyncResult asyncResult)
   at Microsoft.Exchange.Security.RightsManagement.ServerCertificationWSManager.EndAcquireRac(IAsyncResult asyncResult)
   --- End of inner exception stack trace ---
   at Microsoft.Exchange.Data.Storage.RightsManagement.RmsClientManager.EndAcquireInternalOrganizationRACAndCLC(IAsyncResult asyncResult)
   at Microsoft.Exchange.Management.RightsManagement.IRMConfigurationValidator.TryGetRacAndClc()


AD RMS server certification pipeline logging


Microsoft.DigitalRightsManagement.Cryptography.UnsupportedCryptographicSetException    
Message: The given certificate does not contain an acceptable combination of asymmetric key and signature hash algorithms. 
StackTrace:
at Microsoft.DigitalRightsManagement.Certification.Pipeline._VerifyMachineCertificateChain(String[] machineCertificateChain, CAType caType)    
at Microsoft.DigitalRightsManagement.Certification.Pipeline.Certify(CAType caType, CertifyParams[] requestParameters, HttpRequest request, IIdentity userIdentity) 
at Microsoft.DigitalRightsManagement.Certification.BaseCertificationWebService.PipelineCertify(CAType caType, String userName, String[] machineCertificateChain, Boolean persistent)   
at Microsoft.DigitalRightsManagement.Certification.BaseCertificationWebService.Certify(CAType caType, CertifyParams requestParameters)

CAUSE

AD RMS Cryptographic Mode 2 was enabled but the Exchange server OS was not patched.


RESOLUTION

Install the appropriate patch on the server OS.

MORE INFORMATION: Cryptographic Mode 2 changes the signature support from SHA-1 to SHA-256 and the signature and encryption support from RSA 1024 to RSA 2048. AD RMS server must be 2008 R2 SP1 and clients must be Windows Vista SP2 or higher. Both server and client require an additional software update to support Cryptographic Mode 2. Exchange 2010 requires at least SP3 to support Cryptographic Mode 2.


See also