SharePoint 2010 and IRM Integration

This was a very odd corner case. It started with a problem configuring IRM integration on a SharePoint 2010 server.

In the SharePoint 2010 Central Administration portal, while specifying the Information Rights Management settings, the following error occurs.

"The required Windows Rights Management client is present but the server could not be accessed. IRM will not work until the server is accessible."

Two application events appear on the SharePoint server.

Log Name: Application
Source: Microsoft-SharePoint Products-SharePoint Foundation
Event ID: 5056
Task Category: Information Rights Management (IRM)
Level: Critical
Keywords:
User: CONTOSO\SharePoint_svc
Computer: sp01.contoso.com
Description:
Information Rights Management (IRM): There was a problem while trying to activate a rights account certificate.
Possibly an HTTP 401 error (an authentication error) was returned by an Internet request.

Additional Data
Error value: 0x1419bc40
Server URL:
https://adrms/_wmcs/certification

Log Name: Application
Source: Microsoft-SharePoint Products-SharePoint Foundation
Event ID: 5133
Task Category: Information Rights Management (IRM)
Level: Critical
Keywords:
User: CONTOSO\SharePoint_svc
Computer: sp01.contoso.com
Description:
Information Rights Management (IRM): There was a problem while obtaining a Rights Management Services (RMS) group identity certificate (GIC).

A GIC is an essential credential that allows a user to read/view rights protected documents.

Additional Data
Error value: 0x8004cf43

The following items were logged in the IIS logs on the RMS server.

POST /_wmcs/certification/ServiceLocator.asmx - 443 - Windows+Rights+Management+Client 500 0 64 15
POST /_wmcs/certification/ServiceLocator.asmx - 443 - Windows+Rights+Management+Client 500 0 64 0
POST /_wmcs/certification/ServiceLocator.asmx - 443 - Windows+Rights+Management+Client 500 0 64 0
POST /_wmcs/certification/ServiceLocator.asmx - 443 - Windows+Rights+Management+Client 500 0 64 0
POST /_wmcs/certification/ServerCertification.asmx - 443 - Windows+Rights+Management+Client 500 0 64 0

A network trace shows the following pattern.

[Screenshot: ADRMS_Client_Cert3 (network trace)]

The Cause

This turned out to be the Client certificates option in the IIS SSL Settings having been set to Accept. This is an IIS setting on the RMS server. It may be configured on a site (e.g. Default Web Site), on a sub-site (e.g. _wmcs\certification), or even on a single file, such as certification.asmx. In my particular case it was set on the certification site container. Setting the value back to Ignore resolved the issue.

The following screenshots provide an example of the configuration options.

[Screenshot: ADRMS_Client_Cert2 (IIS SSL Settings)]

[Screenshot: ADRMS_Client_Cert1 (IIS SSL Settings)]

I’d not seen this before. The 500 return codes in the IIS logs kept pointing me towards anonymous authentication being enabled somewhere, or towards the SharePoint service account not having sufficient permissions to the various .asmx files. I finally stumbled across this setting as the culprit.
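As an added example (not code from the original post), the following PowerShell script reports the effective Client certificates mode (Ignore, Accept or Require) at each IIS scope the post mentions, from the site root down to the two .asmx files that appear in the IIS log, and with -Fix resets any Accept/Require scope back to Ignore. It assumes an elevated session on the RMS server with the WebAdministration module, that the RMS pipeline lives under "Default Web Site", and that SSL is already required there; the Get-SslFlagsValue helper is my own.

```powershell
# Added example, not from the original post: audit (and optionally reset) the IIS
# "Client certificates" SSL setting at every scope where it can hide on an AD RMS
# server. SharePoint IRM activation fails when any scope on the certification
# path is set to Accept or Require instead of Ignore.
# Assumptions: elevated session on the RMS server, WebAdministration module
# present, RMS pipeline under "Default Web Site", SSL already required.
[CmdletBinding()]
param(
    [string] $SiteName = 'Default Web Site',
    [switch] $Fix     # reset any Accept/Require scope back to Ignore (SSL only)
)
Import-Module WebAdministration

# sslFlags bit values as stored in applicationHost.config.
$SslNegotiateCert = 32   # "Accept"
$SslRequireCert   = 64   # "Require" (always combined with SslNegotiateCert)

# Scopes from the site root down to the two .asmx files the SharePoint server calls.
$scopes = @(
    $SiteName,
    "$SiteName/_wmcs",
    "$SiteName/_wmcs/certification",
    "$SiteName/_wmcs/certification/ServiceLocator.asmx",
    "$SiteName/_wmcs/certification/ServerCertification.asmx"
)

# Hypothetical helper: returns the effective sslFlags at a location as an integer.
function Get-SslFlagsValue([string] $Location) {
    $attr = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location $Location -Filter 'system.webServer/security/access' -Name sslFlags
    $v = [string]$attr.Value
    # The attribute may come back numeric or as a comma-separated flag-name string.
    if ($v -match '^\d+$') { return [int]$v }
    $n = 0
    foreach ($name in $v.Split(',')) {
        switch ($name.Trim()) { 'Ssl' {$n+=8} 'SslNegotiateCert' {$n+=32} 'SslRequireCert' {$n+=64} 'Ssl128' {$n+=256} }
    }
    return $n
}

foreach ($loc in $scopes) {
    $flags = Get-SslFlagsValue $loc
    $mode  = if ($flags -band $SslRequireCert) { 'Require' }
             elseif ($flags -band $SslNegotiateCert) { 'Accept' } else { 'Ignore' }
    Write-Output ("{0,-8} {1}" -f $mode, $loc)
    if ($Fix -and $mode -ne 'Ignore') {
        # Keep the SSL requirement, drop only the client-certificate bits.
        Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $loc `
            -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
        Write-Output "         reset to Ignore"
    }
}
```

Because IIS settings inherit downward, the shallowest scope that reports Accept or Require is normally the one where the option was actually set; deeper scopes merely show the inherited value.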

Update: Several folks have reached out to me. I was not very clear on how I switched between the Content and Features views in IIS Manager. Please allow me to address this below.

The following screenshots provide a walkthrough on how I exposed the features view of certification.asmx in IIS.

[Screenshots: IIS_Views (1) through IIS_Views (5), switching from Content View to Features View for certification.asmx]