Acquiring Rights Account Certificate (RAC) and Client Licensor Certificate (CLC) ...
- FAIL: Failed to acquire a Rights Account Certificate (RAC) and/or a Client Licensor Certificate (CLC).
This failure may cause features such as Transport Decryption, Transport Protection Rules, Journal Report Decryption, IRM in Outlook Web App, IRM in Exchange ActiveSync, and IRM Search to not work. Make sure that the Exchange Servers Group is granted "Read" and "Read & Execute" rights on the ServerCertification.asmx and Publish.asmx pipelines on your AD RMS server. For details, see "Set Permissions on the AD RMS Certification Pipeline" at http://go.microsoft.com/fwlink/?LinkId=186951.
Microsoft.Exchange.Security.RightsManagement.RightsManagementException: Failed to acquire server box RAC from
Protocols.SoapException: System.Web.Services.Protocols.SoapException: Exception of type 'System.Web.Services.
Protocols.SoapException' was thrown. ---> Microsoft.DigitalRightsManagement.Cryptography.UnsupportedCryptographicSetException: Exception of type 'Microsoft.DigitalRightsManagement.Cryptography.UnsupportedCryptographicSetException' was thrown.
--- End of inner exception stack trace ---
at Microsoft.DigitalRightsManagement.Certification.BaseCertificationWebService.Certify(CAType caType, CertifyParams requestParameters)
at Microsoft.DigitalRightsManagement.Certification.ServerCertificationWebService.Certify(CertifyParams requestParams)
at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
at System.Web.Services.Protocols.SoapHttpClientProtocol.EndInvoke(IAsyncResult asyncResult)
at Microsoft.Exchange.Net.WsAsyncProxyWrapper.EndInvoke(IAsyncResult result)
at Microsoft.Exchange.Security.RightsManagement.SOAP.ServerCertification.ServerCertificationWS.EndCertify(IAsyncResult asyncResult)
at Microsoft.Exchange.Security.RightsManagement.ServerCertificationWSManager.EndAcquireRac(IAsyncResult asyncResult)
Exchange server was 2013 and patched on a Windows 2012 R2 server
This issue was because the environment had an RMS server in the past that had been decommissioned. The Exchange server that was failing to use RMS was doing so because it already had machine certificates. The fix was to backup these cache files, and reboot the Exchange server, then the command passed and it rebuilt the cached files using the new RMS instance. Of course, the old instance was Type 1 Cryptographic mode, hence the mismatch error.
- On the impacted Exchange server, go to c:\ProgramData\Microsoft\DRM\Server (Server is a hidden folder, so you need to specify it)
- You will see SID's like below in there. I just moved both into a new subfolder for now. You can see an example of the content of these folders below as well.
- Reboot the Exchange server
- Re-test the Test-IRMConfiguration
Post a Comment