UPDATE: This issue and a related Office 2010 application hang was fixed with the following patch:
Please let us know if there are still issues AFTER installing this.
So you installed KB2584066. You're minding your own business trying to RMS protect some content, and BAM!
"An unexpected error has occurred while trying to restrict permissions to your document. Contact your administrator for assistance."
You shake your fist in the air, and wonder if you really want to talk to your administrator. He drinks alot of coffee, smokes, and violates your personal space when talking. Arghh..
Well, I'll save you the trip and you can copy and paste this to him, OR if you are the administrator grab your mints and read-on.
The problem is with the RMS URLs.
If you have a certification or licensing URL that contains a :443 you will have problems.
Office tries to match up CLC certificates with RACs by matching up the RMS URL embedded in those certs. If the certification cert has a :443, but the licensing cert doesn't then you'll hit this error.
I've fixed (err...worked around) this for a few customers recently, and the Office team is actively pursuing a fix.
I like to fix (ahem..work around) this issue by permanently fixing the ADRMS install so they dont have to worry about string comparisons within office. The upside is that once you do this procedure you don't have to worry about this problem that has been around since Office 2003. The downside is that you will need to write a logon script that removed all of your users %localappdata%\Microsoft\DRM\*.drm files so they can re-bootstrap, AND you will most likely need to Archive and recreate your RMS Templates if you are using them. If this sounds like a good trade off for a faster solution then follow along. Otherwise call support and see what other options exist.
Tip: If you want to test to see if this is your issue simply go into the users %localappdata%\Microsoft\DRM folder and edit the GIC-...file. Remove any:443 that is in there and save it. Try the application again. If it works...thats the problem. If it doesn't, it's probably something else.
1.) Go to the ADRMS server and open the ADRMS console.
2.) Right Click on the Server name, and go to Properties.
3.) Go to the 'SCP' tab and remove the SCP.
Skip to step 7 if you already have an extranet URL and your licensing URLs don't contain a :443.
4.) Go to the Cluster URLs tab, and check the box for 'Extranet URLs'
5.) Put the word 'test' in each of these and hit apply.
6.) Uncheck the 'Extranet URLs' box, and hit Apply, then OK.
7.) Close the ADRMS Console
8.) Re-open the ADRMS console
9.) Right Click on the server name>Properties>SCP Tab, and register the SCP.
- Check your RMS settings now and make sure that no :443 exists in any of the cluster URLs.
10.) Go to Regedit and create this key. (on each server)
HKLM/Software/Microsoft/DRMS (on 2008 you may have a 2.0 key under here..use that instead)
11.) Go to an Administrative command prompt and issue an IISRESET command. (on each server)
12.) Go to client PC and delete the %localappdata%\Microsoft\DRM folder.
13.) Close all office apps.
14.) Try again.
Note if you have templates do the following.
1.) Go to RMS server
2.) Go to templates section and archive all your templates by right clicking and choosing the archive option.
3.) Click on each template and choose Copy, to create a copy.
4.) Rename the new templates with a slightly different name. (You can't have two templates with the same name).
5.) Right click on the new template and choose to Distribute the template.
6.) Push these out to your users.
The last option is to wait for a patch for this patch (potentially written by a guy named Patch, wearing an eye patch, while conquering his cigarette addiction with a nicotine patch), and actually to open a support case to make sure you are notified as soon as it is fixed (bug issues are free). If you do the steps above, it won't matter either way because you won't be affected by any of the problems that require a patch to the patch.
Hope this helps.