MSExchangeGuru.com

Learn Exchange the Guru way !!!

 

Exchange 2010: Test-IRMConfiguration Failed

After configuring AD RMS and integrating it with Exchange 2010, you run the Test-IRMConfiguration command, which should pass to confirm that the Exchange integration was successful.

In my case this command was failing, so let us see how I fixed it.

 

Environment:

Active Directory: Windows 2003

Schema: Windows 2008 R2

Exchange 2010 SP2

AD RMS – Windows 2012

SQL 2008 R2 SP1

 

Issue:

Test-IRMConfiguration returns a result of FAIL.

 

Troubleshooting:

-We ran the command:

    Set-IRMConfiguration -InternalLicensingEnabled $true

-To test the configuration we ran the command:

    Test-IRMConfiguration -Sender AdminEmailID

-We got the following error:

=====================================================================================

#TYPE Deserialized.Microsoft.Exchange.Management.RightsManagement.IRMConfigurationValidationResult

"PSComputerName","RunspaceId","Results","Identity","IsValid"

"ExchangeMailboxServer.domain.com","a1aa06c7-d7cf-4351-aa21-1d128d4fc6c5","Checking Exchange Server …

– PASS: Exchange Server is running in Enterprise.

Loading IRM configuration …

– PASS: IRM configuration loaded successfully.

Retrieving RMS Certification Uri …

– PASS: RMS Certification Uri: https://rms.domain.com/_wmcs/certification.

Verifying RMS version for https://rms.domain.com/_wmcs/certification …

– PASS: RMS Version verified successfully.

Retrieving RMS Publishing Uri …

– PASS: RMS Publishing Uri: https://rms.domain.com/_wmcs/licensing.

Acquiring Rights Account Certificate (RAC) and Client Licensor Certificate (CLC) …

– FAIL: Failed to acquire a Rights Account Certificate (RAC) and/or a Client Licensor Certificate (CLC). This failure may cause features such as Transport Decryption, Transport Protection Rules, Journal Report Decryption, IRM in Outlook Web App, IRM in Exchange ActiveSync, and IRM Search to not work. Make sure that the Exchange Servers Group is granted “”Read”” and “”Read & Execute”” rights on the ServerCertification.asmx and Publish.asmx pipelines on your AD RMS server. For details, see “”Set Permissions on the AD RMS Certification Pipeline”” at http://go.microsoft.com/fwlink/?LinkId=186951.

—————————————-

Microsoft.Exchange.Security.RightsManagement.RightsManagementException: Failed to acquire server box RAC from https://rms.domain.com/_wmcs/certification/servercertification.asmx. ---> System.Web.Services.Protocols.SoapException: System.Web.Services.Protocols.SoapException: Exception of type 'System.Web.Services.Protocols.SoapException' was thrown. ---> Microsoft.DigitalRightsManagement.Cryptography.UnsupportedCryptographicSetException: Exception of type 'Microsoft.DigitalRightsManagement.Cryptography.UnsupportedCryptographicSetException' was thrown.

--- End of inner exception stack trace ---

at Microsoft.DigitalRightsManagement.Certification.BaseCertificationWebService.Certify(CAType caType, CertifyParams requestParameters)

at Microsoft.DigitalRightsManagement.Certification.ServerCertificationWebService.Certify(CertifyParams requestParams)

at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)

at System.Web.Services.Protocols.SoapHttpClientProtocol.EndInvoke(IAsyncResult asyncResult)

at Microsoft.Exchange.Net.WsAsyncProxyWrapper.EndInvoke(IAsyncResult result)

at Microsoft.Exchange.Security.RightsManagement.SOAP.ServerCertification.ServerCertificationWS.EndCertify(IAsyncResult asyncResult)

at Microsoft.Exchange.Security.RightsManagement.ServerCertificationWSManager.EndAcquireRac(IAsyncResult asyncResult)

--- End of inner exception stack trace ---

at Microsoft.Exchange.Data.Storage.RightsManagement.RmsClientManager.EndAcquireInternalOrganizationRACAndCLC(IAsyncResult asyncResult)

at Microsoft.Exchange.Management.RightsManagement.IRMConfigurationValidator.TryGetRacAndClc()

—————————————-

 

OVERALL RESULT: FAIL

=========================================================================================

 

-The point to pick up from this error is "Microsoft.DigitalRightsManagement.Cryptography.UnsupportedCryptographicSetException: Exception of type 'Microsoft.DigitalRightsManagement.Cryptography.UnsupportedCryptographicSetException' was thrown."

-This means the cryptographic mode does not match between AD RMS and Exchange 2010 SP2. We had installed AD RMS with Cryptographic Mode 2, and Exchange 2010 SP2 supports Cryptographic Mode 1.

-Exchange 2010 SP3 supports Cryptographic Mode 2, but Exchange was in production, so we decided to downgrade AD RMS from Cryptographic Mode 2 to 1.

-You can't downgrade Cryptographic Mode 2 to 1 on a live configuration, so we uninstalled AD RMS, reinstalled it with Cryptographic Mode 1 and configured it again.

-To test the configuration we again ran the command:

    Test-IRMConfiguration -Sender AdminEmailID

-We got the following error this time:

==========================================================================================

#TYPE Deserialized.Microsoft.Exchange.Management.RightsManagement.IRMConfigurationValidationResult

"PSComputerName","RunspaceId","Results","Identity","IsValid"

"ExchangeServer.domain.com","d08888ba-c0d8-40d8-98cf-8e5de369aa9b","Checking Exchange Server …

– PASS: Exchange Server is running in Enterprise.

Loading IRM configuration …

– PASS: IRM configuration loaded successfully.

Retrieving RMS Certification Uri …

– PASS: RMS Certification Uri: https://rms.domain.com/_wmcs/certification.

Verifying RMS version for https://rms.domain.com/_wmcs/certification …

– PASS: RMS Version verified successfully.

Retrieving RMS Publishing Uri …

– PASS: RMS Publishing Uri: https://rms.domain.com/_wmcs/licensing.

Acquiring Rights Account Certificate (RAC) and Client Licensor Certificate (CLC) …

– FAIL: Failed to acquire a Rights Account Certificate (RAC) and/or a Client Licensor Certificate (CLC). This failure may cause features such as Transport Decryption, Transport Protection Rules, Journal Report Decryption, IRM in Outlook Web App, IRM in Exchange ActiveSync, and IRM Search to not work. Make sure that the Exchange Servers Group is granted “”Read”” and “”Read & Execute”” rights on the ServerCertification.asmx and Publish.asmx pipelines on your AD RMS server. For details, see “”Set Permissions on the AD RMS Certification Pipeline”” at http://go.microsoft.com/fwlink/?LinkId=186951.

—————————————-

Microsoft.Exchange.Security.RightsManagement.RightsManagementException: Failed to acquire server box RAC from https://rms.domain.com/_wmcs/certification/servercertification.asmx. ---> System.Net.WebException: The request failed with HTTP status 401: Unauthorized.

at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)

at System.Web.Services.Protocols.SoapHttpClientProtocol.EndInvoke(IAsyncResult asyncResult)

at Microsoft.Exchange.Net.WsAsyncProxyWrapper.EndInvoke(IAsyncResult result)

at Microsoft.Exchange.Security.RightsManagement.SOAP.ServerCertification.ServerCertificationWS.EndCertify(IAsyncResult asyncResult)

at Microsoft.Exchange.Security.RightsManagement.ServerCertificationWSManager.EndAcquireRac(IAsyncResult asyncResult)

--- End of inner exception stack trace ---

at Microsoft.Exchange.Data.Storage.RightsManagement.RmsClientManager.EndAcquireInternalOrganizationRACAndCLC(IAsyncResult asyncResult)

at Microsoft.Exchange.Management.RightsManagement.IRMConfigurationValidator.TryGetRacAndClc()

—————————————-

OVERALL RESULT: FAIL

===========================================================================================

 

-Now we got a different error: "The request failed with HTTP status 401: Unauthorized".

-We followed the steps below to fix it.

 

1. Open the location C:\inetpub\wwwroot\_wmcs\certification

2. Select ServerCertification.asmx

3. Right click –> Properties and click the Security tab.

4. Click the Edit button –> click the Add button –> set the "From this location" field to the local server, then type AD RMS Service Group into the object names field –> then click the Check Names button. Click or

5. Add Read & execute and Read permissions.

6. Also make sure the Exchange servers domain group is already added.

7. Do the same on all AD RMS servers.
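The same permission check as steps 1 to 7, scripted so it can be repeated on every AD RMS server. This is an added example, not part of the original post; the default IIS path, the `DOMAIN` placeholder and the `$apply` switch are assumptions.

```powershell
# Added example, not from the original post. Run elevated on each AD RMS server.
# Assumptions: default IIS path; 'DOMAIN' is a placeholder for your AD domain.
$asmx   = 'C:\inetpub\wwwroot\_wmcs\certification\ServerCertification.asmx'
$apply  = $false   # audit only by default; set to $true to add missing rules
$needed = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$required = @(
    "$env:COMPUTERNAME\AD RMS Service Group",  # local group on the AD RMS server
    'DOMAIN\Exchange Servers'                   # placeholder domain name
)

$acl = Get-Acl -Path $asmx
$sidType = [System.Security.Principal.SecurityIdentifier]
$changed = $false
foreach ($name in $required) {
    try {
        $sid = (New-Object System.Security.Principal.NTAccount($name)).Translate($sidType)
    } catch {
        Write-Warning "Cannot resolve '$name'; correct the name and re-run."
        continue
    }
    # Compare by SID and include inherited entries, as the Security tab does.
    $granted = $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $needed) -eq $needed
    }
    if ($granted) {
        Write-Output "OK       $name has Read & execute"
    } elseif ($apply) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, $needed, 'Allow')
        $acl.AddAccessRule($rule)
        $changed = $true
        Write-Output "ADDED    Read & execute for $name"
    } else {
        Write-Output "MISSING  Read & execute for $name"
    }
}
if ($changed) { Set-Acl -Path $asmx -AclObject $acl }

# Print the resulting ACL so it can be kept with the change record.
(Get-Acl -Path $asmx).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

A Deny entry for either group still overrides these Allow rules, so review the printed ACL as well.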

 

Now we ran the following command:

    Test-IRMConfiguration -Sender AdminEmailID

 

We got the following output.

 


 

IRM Configuration test has passed.

 

Resolution:

To fix the 1st error: The cryptographic mode did not match between Exchange 2010 and AD RMS, so we reinstalled AD RMS to match it.

To fix the 2nd error: We added the local server group "AD RMS Service Group" with Read & execute and Read permissions in the security settings of ServerCertification.asmx.

 

FYI – Microsoft always recommends installing SP3 or the latest service pack because service packs are the safest.

 

Conclusion:

Decide on the cryptographic mode before deploying AD RMS.

 

 

Prabhat Nigam

Microsoft MVP | Exchange Server

Team@MSExchangeGuru

 

4 Responses to “Exchange 2010: Test-IRMConfiguration Failed”

  1. Prabhat Nigam Says:

    Someone asked me:
    Is this a process we have to repeat for every new setup, or once it has been finished do you not need to repeat the process again?

    So here is the answer:
    This is a one-time process, as
    Exchange configuration is org-level config
    and
    AD RMS Cryptography is a one-time selection.

  2. Blog Posts of the Week (13th - 26th October 2013) - The South Asia MVP Blog - Site Home - TechNet Blogs Says:

    […] Exchange 2010: Test-IRMConfiguration Failed […]

  3. Mariel Bunbury Says:

    I’m impressed, I have to admit. Rarely do I encounter a blog that’s equally
    educative and entertaining, and without a doubt, you have hit the nail
    on the head. The problem is something which not enough
    folks are speaking intelligently about. I’m very happy
    that I stumbled across this during my hunt for something relating to
    this.

  4. Gustavo PEreira Says:

    It worked for me.
    Thanks a lot.
