RMS Troubleshooting: v1.x certificate expiration issues

This article applies to clusters running or being upgraded from Windows Server RMS, a.k.a. RMS V.1, running on Windows Server 2003 or Windows Server 2003 R2.

This is a legacy product that is out of support. The symptoms described below are a result of the product's end of life; this article documents workarounds that allow customers to upgrade this product to a supported and functional version even after its expiration.



Issue

RMS v1

RMS v1 (Windows Server 2003) users may be unable to create new protected content or open existing protected content. The RMS server logs the following error.

An error occurred while attempting to initialize the Windows RM Service. The following information was reported:

Microsoft.DigitalRightsManagement.Core.LicenseNotTrustedException The ISSUER of the active server licensor certificate is not trusted. The RMS server cannot process requests.

At Microsoft.DigitalRights.Management.Core.ComponentBase.InitializeValidatedLicensorCert()

At Microsoft.DigitalRights.Management.Core.ComponentBase.InitializePipelineCache()

AD RMS

Some AD RMS servers that were previously upgraded from RMS v1 may encounter the same issue. Users may be unable to create new protected content or open existing protected content.

The AD RMS server logs an error in the application event log.

An unexpected error occurred while the computer was initializing Active Directory Rights Management Services (AD RMS) on this computer.

Microsoft.RightsManagementServices.LicenseNotTrustedException

Message: The ISSUER of the active server licensor certificate is not trusted. The AD RMS server cannot process requests.



Resolution

Please see the Notes, Links, and Screenshots sections below for details on these steps.

  1. Back up the existing RMS databases (this is for rollback purposes as the databases are not used in the new server).
  2. Export the trusted publishing domain (TPD) from existing RMS v1 (or AD RMS) server.
    1. If the TPD key is a software-CSP-based key, see the "Managing a CSP Protected TPD" section below.
    2. If the TPD export fails with an error about 'GetPossiblePluginInfos', see the "Failure exporting TPD in RMS v1" section below.
  3. Remove the RMS service connection point from AD.
  4. Install a new Windows Server 2012 R2 (or 2008 R2) machine.
    1. Using the same computer name is not required, even if the RMS cluster URL is the original server name. All that needs to happen at the end is that DNS is configured to direct http://RmsClusterUrl to the new server's IP address. If the URL is the original server name, just take the original server off the network so it won't re-register its DNS record.
  5. Install and configure the AD RMS role on the new server.
    1. Use the same RMS cluster URLs as the RMS v1 installation.
      • If installing AD RMS on 2012, when prompted for the Cryptographic Mode, use Mode 1. This is the mode RMS v1 uses. You may change it to Mode 2 at a later date; however, to ensure compatibility with the current RMS v1 environment, choose Mode 1.
      • The Intranet URL is specified during the AD RMS role configuration.
      • The Extranet URLs are added in the AD RMS console after role configuration (see screenshot below).
    2. Register the SCP in AD (this should be done by the AD RMS configuration wizard).
  6. Temporarily set the AD RMS server system date to 25 November 2015.
  7. Import the exported trusted publishing domain (TPD) (from step 1) in XML format in the AD RMS server.
  8. Set the AD RMS server date to the current date and time.

The existing rights policy templates are carried over as archived templates from the imported TPD. New templates must be created for use on the new AD RMS server.


Notes

  • Enterprise Administrator rights are required to remove and register the SCP.
  • The SCP container is named RightsManagementServices. It resides in the configuration partition of the forest. A sample DN for the SCP container is "CN=RightsManagementServices,CN=Services,CN=Configuration,DC=cpandl,DC=com."
  • The original RMS databases will NOT be reused.
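An added example, not from the original article, for inspecting the RMS service connection point described in these Notes before removing it in Resolution step 3. It assumes the SCP is a serviceConnectionPoint object under the RightsManagementServices container, with the cluster URL stored in serviceBindingInformation, and uses only System.DirectoryServices so no RSAT module is required.

```powershell
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param()

# Bind to the forest configuration partition; the SCP container named in the
# Notes section (CN=RightsManagementServices,CN=Services,...) lives there.
$rootDse   = [ADSI]"LDAP://RootDSE"
$configNc  = $rootDse.Properties["configurationNamingContext"].Value
$container = "LDAP://CN=RightsManagementServices,CN=Services,$configNc"

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]$container
$searcher.Filter      = "(objectClass=serviceConnectionPoint)"
$searcher.SearchScope = "Subtree"
[void]$searcher.PropertiesToLoad.AddRange(
    @("distinguishedName", "serviceBindingInformation", "whenChanged"))

try {
    $results = $searcher.FindAll()
} catch {
    Write-Error "Could not search $container : $($_.Exception.Message)"
    return
}

if ($results.Count -eq 0) {
    Write-Output "No RMS service connection point found under $container."
    return
}

foreach ($r in $results) {
    # Property names in a search result are lower-cased by DirectorySearcher.
    $dn   = $r.Properties["distinguishedname"][0]
    $urls = @($r.Properties["servicebindinginformation"]) -join ", "
    $mod  = $r.Properties["whenchanged"][0]
    Write-Output "SCP:                         $dn"
    Write-Output "  serviceBindingInformation: $urls"
    Write-Output "  whenChanged:               $mod"

    # Confirm the URL above is the old RMS v1 cluster before deleting.
    # ConfirmImpact=High prompts by default; -WhatIf only reports.
    # Deletion requires Enterprise Administrator rights (see Notes).
    if ($PSCmdlet.ShouldProcess($dn, "Delete RMS service connection point")) {
        $entry = $r.GetDirectoryEntry()
        $entry.DeleteTree()
        Write-Output "Deleted $dn"
    }
}
```

Run it once with -WhatIf to see the SCP that would be removed, then without it and answer the confirmation prompt; the new AD RMS configuration wizard registers a fresh SCP in Resolution step 5.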


Screenshots

Exporting TPD in RMS v1


SCP in AD


Extranet URL configuration



Miscellaneous

Failure exporting TPD in RMS v1

If an upgrade of RMS v1 to AD RMS was attempted in an effort to fix this issue, further attempts to export the TPD from the RMS v1 server may fail.

The following error is received:

"Could not find stored procedure 'GetPossiblePluginInfos'."

This is caused by the AD RMS upgrade attempt having updated the RMS databases; RMS v1 cannot use the updated databases. Please restore the RMS v1 databases and do an IIS reset on the RMS v1 server. The TPD may then be exported.

Managing a CSP Protected TPD

A TPD whose key is stored in a software CSP cannot be exported and imported through the GUI alone. Both the GUI export and the steps below are required to export the TPD, and the same two actions are required to import the TPD on the new server. The following is taken from the "Export and install a software-based CSP key" content on TechNet.

The sample below uses .NET v2 for the export and .NET v4 for the import. New AD RMS servers may not have the .NET v2 framework installed, so the v4 framework is used there. Please adjust the commands as needed for your specific configuration.

The RMS v1 interface displays the key container for the TPD.

The following commands export the TPD from the RMS server and import it on the AD RMS server.

Export it from RMSv1

c:\windows\microsoft.net\Framework\v2.0.50727\aspnet_regiis.exe -px "_DRMS:MS-GUID:{86391933-c64704c09-bbee-1b63c49538d5}" c:\privatekey.xml -pri

Import it to AD RMS

c:\windows\microsoft.net\Framework\v4.0.30319\aspnet_regiis.exe -pi "_DRMS:MS-GUID:{86391933-c64704c09-bbee-1b63c49538d5}" c:\privatekey.xml -exp