Although Active Directory Rights Management Server (ADRMS) will function if an expired Trusted User Domain (TUD) is loaded, the Mobile Device Extensions may fail.

This can happen even if the TUD is not being used for that particular request.

The most common reason for having an expired TUD is that you enabled the feature to support Live-ID, but this may also happen if you have any other expired TUD. You can check whether you have this TUD in the ADRMS Management console under Trust Policies\Trusted User Domains:



The symptom you might see is any Mac or mobile device failing with a warning that you don’t have rights to the document:

"You do not have permission to user Rights Management Services on this server"
-or-
"You cannot set permissions or open a file with restricted permission because an error occurred"

In the event logs of the ADRMS server you would see:

Log Name:      Application
Source:        Adrms.MobelDeviceExtension
Event ID:      1000
Description:
UntrustedUserDomainCertificate

The TUD certificate failed validation.

You must remove this TUD as it is no longer supported.

Live-ID support ended at the end of November 2015.
Original Announcement:
http://blogs.technet.com/b/rms/archive/2015/08/21/legacy-rms-for-microsoft-account-service-end-of-life.aspx