Adventures with AD RMS


I was setting up a test environment to demonstrate Active Directory Rights Management Services (AD RMS). I followed more or less what is described in this AD RMS Step-by-Step guide. I am using Windows Server 2008 R2 and Office 2007 SP2.
After the installation, everything in AD RMS checked out fine and all of the exposed web services were accessible. Then came the verification part. I fired up Microsoft Word and proceeded to “Restrict Access” on my dummy document.
Word attempted to contact the RMS server and prompted me to log on. It then prompted me to choose whether I wanted to use a Windows Live ID or a Windows account. Something was really not right here. After I chose to use a Windows account, it immediately displayed the following error:
Unexpected error occurred. Please try again later or contact your system administrator.

I knew this was a known issue with Office 2003 from KB 978551, but I am using Office 2007 and should not be affected by it.
Checking Event Viewer, I found the following entry:

Active Directory Rights Management Services (AD RMS) failed to query Active Directory Domain Services (AD DS).
Parameter Reference Context: Pipeline[CertificationPipeline._GetPrincipalIdentifier] RequestId: {e665dcd5-628a-4065-b750-9bf63eae4c4a}.3:1 principal: id=S-1-5-21-2703830053-610683855-216367768-500 desiredIdentifier: primarymail result: null
Microsoft.DigitalRightsManagement.Utilities.ADEntrySearchFailedException Message: Failed to find an entry in the Active Directory: id=S-1-5-21-2703830053-610683855-216367768-500. Context: CertificationPipeline._GetPrincipalIdentifier principal: id=S-1-5-21-2703830053-610683855-216367768-500 desiredIdentifier: primarymail result: null

I did a search and followed through everything stated in this TechNet article. I wasted almost two days of my life trying to solve the issue before I suddenly noticed the desiredIdentifier: primarymail text in the log. I went to make sure that AD RMS itself had an e-mail address configured, but the problem still persisted.
I then went to check the user accounts and discovered that they did not have e-mail addresses. I entered the e-mail addresses and voilà! Everything works fine!
Now, I just don’t understand why it can’t display a more meaningful error message. That would have saved a lot of trouble.
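As an added example (not part of the original post), the check I would have wanted on day one: pull the SID that the CertificationPipeline event names as the principal, look that account up, and report whether its mail attribute is populated, then sweep for every other enabled user that would fail the same way. It assumes the RSAT ActiveDirectory module is installed and that the script runs as a domain user; the sample event text is the one quoted above.

```powershell
# Added example, not from the original post. Finds the principal named in an
# AD RMS "failed to query AD DS" event and checks whether its 'mail' attribute
# is set, which is the condition the post found missing.
# Assumption: the RSAT ActiveDirectory module is available on this machine.
Import-Module ActiveDirectory

# Constructed sample: the exception text quoted in the post's Event Viewer entry.
$eventMessage = @'
Failed to find an entry in the Active Directory: id=S-1-5-21-2703830053-610683855-216367768-500. Context: CertificationPipeline._GetPrincipalIdentifier principal: id=S-1-5-21-2703830053-610683855-216367768-500 desiredIdentifier: primarymail result: null
'@

function Get-RmsEventPrincipalSid {
    param([Parameter(Mandatory)][string]$Message)
    # The pipeline logs the caller as "principal: id=<SID>"; extract the SID.
    if ($Message -match 'principal:\s+id=(S-1-5-21-[\d-]+)') { return $Matches[1] }
    return $null
}

function Test-RmsPrincipalMail {
    param([Parameter(Mandatory)][string]$Sid)
    # Get-ADUser accepts a SID string as -Identity; 'mail' is not returned by default.
    $user = Get-ADUser -Identity $Sid -Properties mail -ErrorAction Stop
    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        Sid            = $Sid
        Mail           = $user.mail
        HasMail        = -not [string]::IsNullOrWhiteSpace($user.mail)
    }
}

$sid = Get-RmsEventPrincipalSid -Message $eventMessage
if ($sid) { Test-RmsPrincipalMail -Sid $sid | Format-List }

# Sweep: every enabled user without a mail address will hit the same
# 'desiredIdentifier: primarymail result: null' failure when they try to
# protect or open an RMS document, so list them before users report it.
Get-ADUser -Filter 'Enabled -eq $true -and -not (mail -like "*")' -Properties mail |
    Select-Object SamAccountName, DistinguishedName |
    Sort-Object SamAccountName
```

An account with HasMail false in the first report, or any account in the sweep, needs its mail attribute set before AD RMS can issue it a certificate.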

Posted by on February 22, 2012 in IRM(RMS)


2 responses to “Adventures with AD RMS”


    February 1, 2013 at 9:08 am

    I really like your blog... very nice colors and theme.

    Did you design this website yourself or did you
    hire someone to do it for you? Please respond, as I’m looking to construct my own blog and would like to find out where you got this from. Thanks.

  2. Porn

    March 19, 2013 at 7:02 am

    It is actually a nice and useful piece of info.
    I’m satisfied that you just shared this helpful information with us. Please keep us informed like this. Thanks for sharing.

