Tuesday, April 01, 2014

Windows 2012 R2 AD RMS and Exchange 2010 SP 1 integration

I carried out the usual step-by-step tasks to get this done, then arrived at making IRM work on mobile devices and Outlook Web App. I went with the following steps:

1. Created a domain global distribution group to serve as the AD RMS super users group.
2. Added the Federation mailbox to the AD RMS super users group.
3. Ran the Set-IRMConfiguration cmdlet to enable IRM so that the Client Access servers (Outlook Web App and Exchange ActiveSync) could use it.

When testing with Test-IRMConfiguration -Sender <address>, the command fails at:

          Acquiring Rights Account Certificate (RAC) and Client Licensor Certificate (CLC) ...
              - WARNING: Failed to acquire a Rights Account Certificate (RAC) and/or a Client Licensor Certificate (CLC).
          This failure may cause features such as Transport Decryption, Transport Protection Rules, Journal Report
          Decryption, IRM in Outlook Web App, IRM in Exchange ActiveSync, and IRM Search to not work. Make sure that the
          Exchange Servers Group is granted "Read" and "Read & Execute" rights on the ServerCertification.asmx and
          Publish.asmx pipelines on your AD RMS server. For details, see "Set Permissions on the AD RMS Certification
          Pipeline" at http://go.microsoft.com/fwlink/?LinkId=186951
Looking at the provided link (http://technet.microsoft.com/library/ee849850(WS.10).aspx), it only covers Windows 2008 R2. For Windows 2012 R2 you need the extra step of going to the %systemdrive%\Inetpub\wwwroot\_wmcs\Licensing directory, where the Publish.asmx file actually lives, and assigning Read and Read & Execute permissions on it to the Exchange Servers group (domain group) and the AD RMS Service Group (local group on the AD RMS server). Without that permission the Exchange servers cannot reach the licensing pipeline, which is why the RAC/CLC acquisition step fails.

The Publish.asmx file does not exist in the %systemdrive%\Inetpub\wwwroot\_wmcs\Certification\ directory that the link describes.
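To show the whole procedure end to end, here is an added PowerShell example that is not part of the original post: steps 1 to 3 from the Exchange Management Shell, then the permission fix on the AD RMS server for both pipeline files (ServerCertification.asmx under Certification and Publish.asmx under Licensing), followed by the IRM test. It assumes the default _wmcs path, a domain with NetBIOS name CONTOSO, a group named ADRMSSuperUsers with the address adrmssuperusers@contoso.com, and a test sender user@contoso.com; all of these are placeholders. The super users registration uses the 2012 R2 AdRmsAdmin PowerShell provider; if that provider is not available in your build, set the group in the AD RMS console instead.

```powershell
# Added example, not the original post's own commands. Assumed placeholders:
# default AD RMS path under %systemdrive%\Inetpub\wwwroot\_wmcs, domain NetBIOS
# name CONTOSO, group ADRMSSuperUsers / adrmssuperusers@contoso.com and test
# sender user@contoso.com. Change these to match your environment.

# ---------- Exchange Management Shell (steps 1-3 of the post) ----------
# 1. Create the super users group. New-DistributionGroup creates a mail-enabled
#    universal group; the post used a global group, which AD RMS also accepts.
New-DistributionGroup -Name 'ADRMSSuperUsers' -Type Distribution `
    -PrimarySmtpAddress 'adrmssuperusers@contoso.com'

# 2. Add the Federation (FederatedEmail) arbitration mailbox without typing its GUID.
$fed = Get-Mailbox -Arbitration | Where-Object { $_.Name -like 'FederatedEmail*' }
Add-DistributionGroupMember -Identity 'ADRMSSuperUsers' -Member $fed.Identity

# 3. Enable IRM for internal messages and for the Client Access servers
#    (Outlook Web App and Exchange ActiveSync).
Set-IRMConfiguration -InternalLicensingEnabled $true -ClientAccessServerEnabled $true

# ---------- AD RMS server, elevated PowerShell ----------
# Register the group as the AD RMS super users group (AdRmsAdmin provider, assumed).
Import-Module AdRmsAdmin
New-PSDrive -Name RMS -PSProvider AdRmsAdmin -Root 'http://localhost' | Out-Null
Set-ItemProperty -Path 'RMS:\SecurityPolicy\SuperUser' -Name SuperUserGroup -Value 'adrmssuperusers@contoso.com'
Set-ItemProperty -Path 'RMS:\SecurityPolicy\SuperUser' -Name IsEnabled -Value $true

# The fix from the post: both pipeline files need Read and Read & Execute for the
# Exchange Servers domain group and the local AD RMS Service Group. Note that
# Publish.asmx lives under Licensing, not Certification.
$wmcs = Join-Path $env:SystemDrive 'Inetpub\wwwroot\_wmcs'
$pipelines = @(
    (Join-Path $wmcs 'Certification\ServerCertification.asmx'),
    (Join-Path $wmcs 'Licensing\Publish.asmx')
)
$principals = @('CONTOSO\Exchange Servers', 'AD RMS Service Group')

foreach ($file in $pipelines) {
    if (-not (Test-Path $file)) {
        Write-Warning "Pipeline file not found: $file"
        continue
    }
    $acl = Get-Acl -Path $file
    foreach ($principal in $principals) {
        # Read & Execute already implies Read; both are listed to mirror the guidance.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $principal, 'ReadAndExecute, Read', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $file -AclObject $acl

    # Verify: list the ACEs for the two groups on this file.
    (Get-Acl -Path $file).Access |
        Where-Object { $_.IdentityReference -like '*Exchange Servers' -or
                       $_.IdentityReference -like '*AD RMS Service Group' } |
        Select-Object @{n='File';e={$file}}, IdentityReference, FileSystemRights, AccessControlType
}

# Restart IIS so the _wmcs application pools pick up the new ACLs.
iisreset

# ---------- Back on the Exchange server ----------
# Re-run the test; the RAC/CLC acquisition step should now pass.
Test-IRMConfiguration -Sender 'user@contoso.com'
```

The permission loop is deliberately applied to both files: the warning text names both pipelines, and on a 2012 R2 AD RMS server they sit in different virtual directories, so fixing only the Certification folder leaves Publish.asmx unreadable to Exchange and the test keeps failing at the same step.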

Hope it helps.


Anonymous said...

Have you resolved this problem, please?
Thanks for your answer.

Sarbjit Singh Gill said...

Yes, it was solved as I listed in the post.


Anonymous said...

OK, thanks, but I still have the error :(
In the event log I have "Account currently disabled", but it is enabled...