This was a very odd corner case. It started with a problem configuring IRM integration on a SharePoint 2010 server.
"The required Windows Rights Management client is present but the server could not be accessed. IRM will not work until the server is accessible."
Log Name: Application Source: Microsoft-SharePoint Products-SharePoint Foundation Event ID: 5056 Task Category: Information Rights Management (IRM) Level: Critical Keywords: User: CONTOSO\SharePoint_svc Computer: sp01.contoso.com Description: Information Rights Management (IRM): There was a problem while trying to activate a rights account certificate. Possibly an HTTP 401 error (an authentication error) was returned by an Internet request.
Additional Data Error value: 0x1419bc40 Server URL: https://adrms/_wmcs/certification
Log Name: Application Source: Microsoft-SharePoint Products-SharePoint Foundation Event ID: 5133 Task Category: Information Rights Management (IRM) Level: Critical Keywords: User: CONTOSO\SharePoint_svc Computer: sp01.contoso.com Description: Information Rights Management (IRM): There was a problem while obtaining a Rights Management Services (RMS) group identity certificate (GIC).
A GIC is an essential credential that allows a user to read/view rights protected documents.
Additional Data Error value: 0x8004cf43
POST /_wmcs/certification/ServiceLocator.asmx - 443 - Windows+Rights+Management+Client 500 0 64 15 POST /_wmcs/certification/ServiceLocator.asmx - 443 - Windows+Rights+Management+Client 500 0 64 0 POST /_wmcs/certification/ServiceLocator.asmx - 443 - Windows+Rights+Management+Client 500 0 64 0 POST /_wmcs/certification/ServiceLocator.asmx - 443 - Windows+Rights+Management+Client 500 0 64 0 POST /_wmcs/certification/ServerCertification.asmx - 443 - Windows+Rights+Management+Client 500 0 64 0
This turned out to be client certificates in an SSL setting was configured to accept. This is an IIS setting on the RMS server. It may be configured on a site (e.g. Default Web Site), on a sub-site (e.g. \_wmcs\certification), or even a file, such as certification.asmx. In my particular case it was set on the certification site container. Setting the value back to ignore resolved the issue.
The following screenshots provide an example of the configuration options.
I’d not seen this before. The 500 return codes in the IIS logs kept pointing me towards anonymous authentication being enabled somewhere. Or that the SharePoint service account did have sufficient permissions to the various .asmx files. I finally stumbled across the possible setting as the culprit.
Update: Several folks have reached out to me. I was not extremely clear on how I flopped between content/features views in IIS. Please allow me to address this below.
The following screenshots provide a walkthrough on how I exposed the features view of certification.asmx in IIS.