El Blanco's Office 2007 Blog

Thursday, July 13, 2006

MOSS and RMS Woes

As a nice change from Workflow I thought I'd post about the recent experiences I've had trying to integrate MOSS with Windows Rights Management Server. I'm a big fan of RMS - protecting documents and emails provides fantastic security for organisations, so when I read about integrating RMS technology with MOSS I was quite excited. However, the excitement didn't last long when I tried to get it working :)

Within my organisation we already have RMS up and running, so following the documentation from the ECM starter kit I figured it would be pretty straightforward to get a MOSS installation to work alongside it - this wasn't the case!

Installing Windows RMS client SP2 onto the MOSS server was straightforward and got around the error seen in Central Administration when the client is not present. I then typed the URL to the RMS server in Central Administration and clicked OK and saw the error detailed in the setup guide - "The required windows rights management client is present but the server refused access. IRM will not work until the server grants permission". As detailed in the install guide, to get around this problem I modified the access control list on the following file on the RMS server:

c:\Inetpub\wwwroot\_wmcs\Certification\ServerCertification.asmx

but this didn't get around the issue, even when I added "<Domain Name>\Domain Computers" to the ACL (I even tried adding "Everyone" with full control, but no luck!!). I've tried following the setup guide again and again on various environments:
  • A VPC
  • Our corporate RMS and MOSS installations.
  • A fresh, standalone installation in a fresh domain with just 2 servers in the environment (1 DC and RMS, 1 MOSS server)
  • VMWare server environments similar to the above

but I've not succeeded with any of these as yet, although I have seen the following errors in the application event log:

--------------------------------------
Event Type: ErrorEvent
Source: Windows SharePoint Services 3
Event Category: IRM
Event ID: 5132
Date: 6/30/2006
Time: 4:21:42 PM
User: N/A
Computer: RMSDC02
Description:
Information Rights Management (IRM): There was a problem while trying to obtain and activate a machine certificate.

In order to execute RMS transactions on a machine, that machine will need a unique certificate. This certificate is stored locally in the RMS lockbox.

Additional Data
Error value: 8004cf40

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
--------------------------------------

--------------------------------------
Event Type: ErrorEvent
Source: Windows SharePoint Services 3
Event Category: IRM
Event ID: 5053
Date: 6/30/2006
Time: 4:21:41 PM
User: N/A
Computer: RMSDC02
Description:
Information Rights Management (IRM): There was a problem while trying to acquire a machine certificate from the local Rights Management Services (RMS) lockbox.The specific problem could not be determined.

In order to execute RMS transactions on a machine, that machine will need a unique certificate. This certificate is stored locally in the RMS lockbox.

Additional Data
Error value: 8004cf40

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
--------------------------------------

I'll keep banging my head against the wall and post again if I get anywhere with it (I'd be interested to hear from anyone who has managed to get this working as I'm having my doubts about it :) !!).

15 Comments:

  • Just a quick note to let you know that I got this working by adding the Authenticated Users group to the permissions list for C:\Inetpub\wwwroot\WRM\_wmcs\Certification\ServerCertification.asmx

    Scot

    By Anonymous Scot Hillier, at 3:21 pm  

  • Thank you, thank you, thank you Scot! (From an old client of yours, Michelle.)

    By Anonymous Anonymous, at 12:44 am  

  • Even after adding the Authenticated Users group to the permissions list for C:\Inetpub\wwwroot\WRM\_wmcs\Certification\ServerCertification,
    FACING SAME ERROR.
    NEED HELP ASAP.

    By Blogger Umesh, at 10:53 am  

  • I am facing the same problem.
    So kindly provide the solution for it.

    Thanks in Advance

    By Blogger Nimesh, at 3:29 pm  

  • Hi,

    I solved this by adding the Service account for MOSS to the RMS Service Group and adding it to the ACL for ServerCertifications.asmx

    Hope this helps,

    Adrian G

    By Anonymous Adrian G, at 6:43 am  

  • Make sure that you are giving the proper account Read/Read + Execute permissions. You need to go into the App Pools on the MOSS server, and make sure that the ACE you are adding to the ACL on servercertification.asmx matches the identity on the default Sharepoint apppool. You also need to allow permissions from the parent to propagate to the ServerCertification.asmx file.

    http://blogs.technet.com/rmssupp has some information about this.

    By Anonymous Anonymous, at 2:33 pm  

  • you just need to Add MOSS Farm Service Account to RMS Service Group on the RMS Server that is all

    By Anonymous FG, at 11:18 am  

  • Adding the moss service account to the ACL on servercertification.asmx should do the trick, as the central administration page is logged in using the moss service account.
    It should work like a charm.
    Regards
    Kamol Sagwan

    By Blogger KaMoL & SoPhiE, at 11:55 pm  

  • Exactly the same problem here!! any good news?

    By Anonymous luisitop, at 5:53 am  

  • Tried all of the above...still no luck

    By Anonymous Prasad, at 10:44 am  

  • Just got the same problem, the above "Adding the moss service account to the ACL on servercertification.asmx should do the trick" comment solved it for me.

    Thanks!!!

    By Blogger Erez, at 10:04 pm  

  • Interesting. I have two independent/separate SharePoint/RMS environments. One of them required the machine accounts to have access to servercertifications.asmx and it worked fine. The other one didn't work until I also added Authenticated Users to the file.

    By Anonymous Anonymous, at 9:34 pm  

  • Hi There,

    I had similar problems. Just gave the "_wmcs" folder modify permissions for the Sharepoint computer account and problem solved! Make sure that the permission inherits.

    By Blogger Yasin UZMAN, at 1:31 pm  

  • We just ran into this issue too and the definitive solution is to follow the guide on setting up sharepoint with ADRMS (i.e. add the server accounts and worker process account to the .asmx file) then delete the IRM licenses that sharepoint has acquired and force it to start again.

    It's explained here: http://technet.microsoft.com/en-us/library/cc560972(office.12).aspx

    And that solved it for us!

    By Blogger NiXC, at 2:28 pm  

  • The key is to make sure that when you right-click on the ServerCertification.asmx file and select properties, go to the security tab, choose "Advanced" and then check the box "Include inheritable permissions from this object's parent". This may be a Windows 2008 Server issue, because for whatever reason the files under the "certification" directory do not automatically inherit the permissions. Another point to consider...you don't have to explicitly give the MOSS Farm domain service account permissions on the ServerCertification.asmx file itself...all you have to do is add the MOSS FARM domain service account to the local "AD RMS Service Group" on the server that hosts the AD RMS service. This should get rid of the dreaded permission refused error.

    By Anonymous Anonymous, at 11:56 pm  
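As an added example (not code from the original post or its comments), the following PowerShell pulls the advice in the thread into one diagnostic: whether a given identity holds Read & Execute on ServerCertification.asmx, whether inheritance from the parent folder is blocked (the checkbox the last comment describes), and whether the identity is in the local "AD RMS Service Group". The function names, the CONTOSO\svc-mossfarm account and the use of Get-LocalGroupMember are assumptions; the file path, group name and event IDs are the ones quoted on this page.

```powershell
# Added diagnostic (not from the original post): checks the three things the thread
# converges on for the "server refused access" / 8004cf40 problem. Run on the RMS server.
function Test-RmsCertificationAccess {
    param(
        # Path quoted in the post; some comments have the file under ...\wwwroot\WRM\_wmcs\...
        [string]$Path = 'C:\Inetpub\wwwroot\_wmcs\Certification\ServerCertification.asmx',
        # Identity the SharePoint app pool / farm service runs as (hypothetical value below)
        [Parameter(Mandatory = $true)][string]$Identity,
        [string]$RmsGroup = 'AD RMS Service Group'
    )
    $result = [ordered]@{ Path = $Path; Identity = $Identity }
    $acl = Get-Acl -Path $Path

    # A protected DACL means "Include inheritable permissions from this object's parent"
    # is unchecked, which is the symptom the last comment describes.
    $result.InheritanceBlocked = $acl.AreAccessRulesProtected

    # Does any Allow ACE for this identity carry all of the ReadAndExecute bits?
    $needed = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $result.HasReadExecute = $false
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -ne $Identity) { continue }
        if (($ace.FileSystemRights -band $needed) -eq $needed) { $result.HasReadExecute = $true }
    }

    # Membership of the local RMS service group (Get-LocalGroupMember needs PowerShell 5.1+)
    try {
        $members = Get-LocalGroupMember -Group $RmsGroup -ErrorAction Stop
        $result.InRmsServiceGroup = [bool]($members | Where-Object { $_.Name -eq $Identity })
    } catch {
        $result.InRmsServiceGroup = "local group '$RmsGroup' not found on this host"
    }
    [pscustomobject]$result
}

# Companion check for the MOSS server: the IRM machine-certificate failures quoted in the post.
function Get-IrmCertificateErrors {
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Windows SharePoint Services 3'; Id = 5053, 5132 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Example run with a hypothetical farm service account
Test-RmsCertificationAccess -Identity 'CONTOSO\svc-mossfarm' | Format-List
```

Pass 'NT AUTHORITY\Authenticated Users' or '<Domain Name>\Domain Computers' as -Identity to check the other ACEs the post and comments mention; the identity string must match the IdentityReference value exactly as Get-Acl reports it.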
