Avoiding provisioning insanity and skip the !@#$!* UDDI Service

For anyone provisioning RMS you know how insane you can get when things just don't seem to work. (Granted, things work as advertised 95% of the time). One thing that drives me and I'm sure alot of you crazy, is an error message that you may receive after trying to provision your server, or get a new certificate.

The dreaded:

Failed to enroll server!!

With an inner exception resembling:

The underlying connection was closed: Could not establish trust relationship with remote server.

You angrilly slap your new intern across the face in disgust, teaching them a valuable lesson in server room etiquette. "Never stand within arms length of an angry admin, when the fit is hitting the shan!"

Well before the situation escalates and you go and stomp a mudhole in your server, I'll explain whats going on, and how to avoid this noid!

A long time ago, in a galaxy far, far away Microsoft went into a joint venture with two other companies to provide a publicly available 'Active Directory' for webservices. Well, this service was scheduled to end in January of 2006. Microsoft was going to leave a read-only copy of the directory structure online for dependent services like RMS to use. What this AD provides, is along the same lines of what the SCP for RMS provides to your users. An 'automated' way to discover the location of public services (i.e. the enrollment service). This would be cool if....well I really can't think of a reason it is cool, but if the service isn't working, or the certificates have expired, or someone in the server room say's the word 'Monkey' three times fast...*you* my friend, aren't provisioning your RMS server.

So what can you do? I'll tell you, and I think everyone should do this, to skip the middleman. (Note: This service, and the enrollment service are no longer required as of Windows Server 2008. We let you self sign your certs locally to avoid things like this. How friggin' awesome is that?).

Go into your registry and set the following value:

Value: https://activation.drm.microsoft.com/enrollment/enrollservice.asmx

Go to a command prompt, and do an IISReset, and wallah. You have skipped the middleman, saved your sanity, and reduced global warming, making Al Gore a very happy man.

Now go coax your intern out of the fetal position in the corner of the server room, give them an innapropriately long hug, and whisper something random in their ear, like 'Have you ever noticed that little dogs feet smell like corn chips?', then walk away.

You have survived another day in the server room.

Hope this helps.


 Note: For more info go here:


UPDATE: If you are having trouble getting a Passport trust setup, use this registry entry



Skip to main content