Translate this site using Windows Live Translator:
SharePoint 2010 and IRM Integration - RMS: Protecting Your Assets. - Site Home - TechNet Blogs

RMS: Protecting Your Assets.

The Protecting 'My' Asset Disclaimer: This is my 'un-official', 'in my spare time', 'use at your own risk', all things RMS (Rights Management Services), IRM (Information Rights Management), IPP (Information Protection Pla

SharePoint 2010 and IRM Integration

SharePoint 2010 and IRM Integration

  • Comments 1
  • Likes

This was a very odd corner case. It started with a problem configuring IRM integration on a SharePoint 2010 server.

In the SharePoint 2010 Central Administration portal while specifying the Information Rights Management settings the following error occurs.

"The required Windows Rights Management client is present but the server could not be accessed. IRM will not work until the server is accessible."

Two application events appear on the SharePoint server.

Log Name: Application
Source: Microsoft-SharePoint Products-SharePoint Foundation
Event ID: 5056
Task Category: Information Rights Management (IRM)
Level: Critical
Keywords:
User: CONTOSO\SharePoint_svc
Computer: sp01.contoso.com
Description:
Information Rights Management (IRM): There was a problem while trying to activate a rights account certificate.
Possibly an HTTP 401 error (an authentication error) was returned by an Internet request.

Additional Data
Error value: 0x1419bc40
Server URL:
https://adrms/_wmcs/certification

Log Name: Application
Source: Microsoft-SharePoint Products-SharePoint Foundation
Event ID: 5133
Task Category: Information Rights Management (IRM)
Level: Critical
Keywords:
User: CONTOSO\SharePoint_svc
Computer: sp01.contoso.com
Description:
Information Rights Management (IRM): There was a problem while obtaining a Rights Management Services (RMS) group identity certificate (GIC).

A GIC is an essential credential that allows a user to read/view rights protected documents.

Additional Data
Error value: 0x8004cf43

The following items were logged in the IIS logs on the RMS server.

POST /_wmcs/certification/ServiceLocator.asmx - 443 - Windows+Rights+Management+Client 500 0 64 15
POST /_wmcs/certification/ServiceLocator.asmx - 443 - Windows+Rights+Management+Client 500 0 64 0
POST /_wmcs/certification/ServiceLocator.asmx - 443 - Windows+Rights+Management+Client 500 0 64 0
POST /_wmcs/certification/ServiceLocator.asmx - 443 - Windows+Rights+Management+Client 500 0 64 0
POST /_wmcs/certification/ServerCertification.asmx - 443 - Windows+Rights+Management+Client 500 0 64 0

A network trace shows the following pattern.

ADRMS_Client_Cert3

The Cause

This turned out to be client certificates in an SSL setting was configured to accept. This is an IIS setting on the RMS server. It may be configured on a site (e.g. Default Web Site), on a sub-site (e.g. \_wmcs\certification), or even a file, such as certification.asmx. In my particular case it was set on the certification site container. Setting the value back to ignore resolved the issue.

The following screenshots provide an example of the configuration options.

ADRMS_Client_Cert2

ADRMS_Client_Cert1

I’d not seen this before. The 500 return codes in the IIS logs kept pointing me towards anonymous authentication being enabled somewhere. Or that the SharePoint service account did have sufficient permissions to the various .asmx files. I finally stumbled across the possible setting as the culprit.

Update: Several folks have reached out to me. I was not extremely clear on how I flopped between content/features views in IIS. Please allow me to address this below.

The following screenshots provide a walkthrough on how I exposed the features view of certification.asmx in IIS.

IIS_Views (1)

IIS_Views (2)

IIS_Views (3)

IIS_Views (4)

IIS_Views (5)

Comments
Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment