Service Not Available Error When Downloading IRM Document from SharePoint 2010

  • Article

Had kind of an interesting problem this week.  I installed Active Directory Rights Managment Services (AD RMS) in my environment, and then of course went ahead and turned it on in SharePoint - enabled it in Central Admin and then set up a policy in a doc lib.  The first time I tried downloading a document from an IRM protected library Word first prompted me with a dialog telling me it would need to validate my license with my AD RMS server.  It then came back and told me that it couldn't connect to the license server (which is just an HTTPS SOAP endpoint) and the service might be unavailable, I might need to configure a proxy server, etc.  So, I tried hitting the Url in the browser that Word said it was going to in order to validate the license.  It came up fine.  Hmm...

I wasn't sure what was happening during this "license validation" check so I went ahead and fired up Fiddler (www.fiddler2.com) so I could see what was going on.  Of course, as soon as I did this, Word opened up the document no problem.  Grrr!!  I suspected that something about the way Fiddler decrypts HTTPS traffic (it inserts it's own SSL cert in the channel) was a factor but couldn't really figure out what was wrong - after all, the site opened fine in IE, it was using a domain-issued wildcard cert that I've used on a number of other servers in my farm, etc.  After a bunch of back and forth with some other people on things to try and look at, I followed one of their suggestions and unchecked the Fiddler option to ignore certificate errors.  Once I did this, the Word would not open the document anymore even with Fiddler running.

In the course of trying a million and one different things (because there was no straight-forward error description), on a whim I went ahead and removed my domain wildcard cert from the RMS HTTPS endpoint, and issued a new cert specifically for that server's fully qualified domain name.  I recycled the IIS virtual server and then went back to try and download the document from SharePoint.  Shazam!!  It worked.  So the net of this is that if you are using AD RMS with SharePoint (or any client app really) I would not recommend using a wildcard cert for the AD RMS licensing service SOAP endpoint.