Adventures with AD RMS

I was setting up a test environment to demonstrate Active Directory Rights Management Services (AD RMS). I did almost the same as what was described in this AD RMS Step-by-Step guide. I am using Windows Server 2008 R2 and Office 2007 SP2.

After the installation, everything in AD RMS checks out fine and all web services exposed were accessible. Then comes the verification part. I fired up Microsoft Word and proceeded to "Restrict Access" to my dummy document.

Word attempted to contact the RMS server and prompted me to log on. Then it prompted me to choose whether I wanted to use a Windows Live ID or use a Windows account. Something is really not right here. After choosing to use a Windows account, it immediately prompted the following error:

Unexpected error occurred. Please try again later or contact your system administrator.

I knew this was an issue with Office 2003 through KB 978551, but I am using Office 2007 and should not be affected by it.

Checking Event Viewer, I found the following entry:

Active Directory Rights Management Services (AD RMS) failed to query Active
Directory Domain Services (AD DS).

Parameter Reference
Context: Pipeline[CertificationPipeline._GetPrincipalIdentifier]
RequestId: {e665dcd5-628a-4065-b750-9bf63eae4c4a}.3:1
principal: id=S-1-5-21-2703830053-610683855-216367768-500
desiredIdentifier: primarymail
result: null

Microsoft.DigitalRightsManagement.Utilities.ADEntrySearchFailedException
Message: Failed to find an entry in the Active Directory:
id=S-1-5-21-2703830053-610683855-216367768-500.
Context: CertificationPipeline._GetPrincipalIdentifier
principal: id=S-1-5-21-2703830053-610683855-216367768-500
desiredIdentifier: primarymail
result: null


I did a search and followed through everything stated in this TechNet article. I wasted almost two days of my life trying to solve the issue when I suddenly noticed the "desiredIdentifier: primarymail" text in the log. I went to make sure that I had an email address in AD RMS, but the problem still persisted.

I then went to check the user accounts and discovered that they didn't have e-mail addresses. I entered the email addresses and voilà! Everything works fine!
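The log entry above says exactly what the certification pipeline was looking for: the "primarymail" identifier of the principal, which is the user's mail attribute in AD DS, and it got back null. The principal is identified only by SID (the RID 500 at the end marks the built-in Administrator account, which has no mail attribute out of the box). The following PowerShell is an added example, not from the original post, for checking that account and the rest of the domain before touching AD RMS again. It assumes the ActiveDirectory module is available (RSAT or a domain controller), and the $DomainSuffix value is a placeholder for your own mail domain.

```powershell
# Added example: audit AD DS user accounts for a missing 'mail' attribute,
# the attribute AD RMS resolves as "primarymail" during certification.
# Assumes the ActiveDirectory module (RSAT or run on a DC).
Import-Module ActiveDirectory

# 1. Look up the principal from the event log entry. Get-ADUser accepts a
#    SID string as -Identity, so the log value can be used directly.
$sid  = 'S-1-5-21-2703830053-610683855-216367768-500'   # SID from the log entry above
$user = Get-ADUser -Identity $sid -Properties mail
if ([string]::IsNullOrEmpty($user.mail)) {
    Write-Warning ("{0} has no mail attribute; the RMS primarymail lookup " +
                   "for this account will return null.") -f $user.SamAccountName
}

# 2. Find every enabled user in the domain with no mail attribute at all.
$missing = Get-ADUser -Filter { Enabled -eq $true -and mail -notlike "*" } -Properties mail |
           Select-Object SamAccountName, DistinguishedName
"Enabled users without a mail attribute: {0}" -f @($missing).Count
$missing | Format-Table -AutoSize

# 3. Populate the attribute for the accounts that need RMS. The address
#    format below is an assumption; replace $DomainSuffix with your own
#    mail domain. -WhatIf shows the change without applying it.
$DomainSuffix = 'contoso.com'   # assumption: your mail domain
foreach ($u in $missing) {
    $address = '{0}@{1}' -f $u.SamAccountName, $DomainSuffix
    Set-ADUser -Identity $u.SamAccountName -EmailAddress $address -WhatIf
}
```

Remove -WhatIf once the output looks right, then retry "Restrict Access" in Word; the ADEntrySearchFailedException in the event log should stop appearing for the accounts you populated.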

Now, I just don't understand why they can't show more meaningful error messages. That would have saved a lot of trouble.
