Configuring Exchange 2010 IRM integration with AD RMS succeeds. Testing the configuration (with the Test-IRMConfiguration command) does not.
Test-IRMConfiguration -Sender user1@contoso.com fails to acquire the Rights Account Certificate (RAC) and Client Licensor Certificate (CLC):
Acquiring Rights Account Certificate (RAC) and Client Licensor Certificate (CLC) ...
- FAIL: Failed to acquire a Rights Account Certificate (RAC) and/or a Client Licensor Certificate (CLC).
This failure may cause features such as Transport Decryption, Transport Protection Rules, Journal Report Decryption, IRM in Outlook Web App, IRM in Exchange ActiveSync, and IRM Search to not work. Make sure that the Exchange Servers Group is granted "Read" and "Read & Execute" rights on the ServerCertification.asmx and Publish.asmx pipelines on your AD RMS server. For details, see "Set Permissions on the AD RMS Certification Pipeline" at http://go.microsoft.com/fwlink/?LinkId=186951.
----------------------------------------
Microsoft.Exchange.Security.RightsManagement.RightsManagementException: Failed to acquire server box RAC from https://adrms.contoso.com/_wmcs/certification/servercertification.asmx. ---> System.Web.Services.Protocols.SoapException: System.Web.Services.Protocols.SoapException: Exception of type 'System.Web.Services.Protocols.SoapException' was thrown. ---> Microsoft.DigitalRightsManagement.Cryptography.UnsupportedCryptographicSetException: Exception of type 'Microsoft.DigitalRightsManagement.Cryptography.UnsupportedCryptographicSetException' was thrown.
--- End of inner exception stack trace ---
at Microsoft.DigitalRightsManagement.Certification.BaseCertificationWebService.Certify(CAType caType, CertifyParams requestParameters)
at Microsoft.DigitalRightsManagement.Certification.ServerCertificationWebService.Certify(CertifyParams requestParams)
at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
at System.Web.Services.Protocols.SoapHttpClientProtocol.EndInvoke(IAsyncResult asyncResult)
at Microsoft.Exchange.Net.WsAsyncProxyWrapper.EndInvoke(IAsyncResult result)
at Microsoft.Exchange.Security.RightsManagement.SOAP.ServerCertification.ServerCertificationWS.EndCertify(IAsyncResult asyncResult)
at Microsoft.Exchange.Security.RightsManagement.ServerCertificationWSManager.EndAcquireRac(IAsyncResult asyncResult)
at Microsoft.Exchange.Data.Storage.RightsManagement.RmsClientManager.EndAcquireInternalOrganizationRACAndCLC(IAsyncResult asyncResult)
at Microsoft.Exchange.Management.RightsManagement.IRMConfigurationValidator.TryGetRacAndClc()
Microsoft.DigitalRightsManagement.Cryptography.UnsupportedCryptographicSetException
Message: The given certificate does not contain an acceptable combination of asymmetric key and signature hash algorithms.
StackTrace:
at Microsoft.DigitalRightsManagement.Certification.Pipeline._VerifyMachineCertificateChain(String[] machineCertificateChain, CAType caType)
at Microsoft.DigitalRightsManagement.Certification.Pipeline.Certify(CAType caType, CertifyParams[] requestParameters, HttpRequest request, IIdentity userIdentity)
at Microsoft.DigitalRightsManagement.Certification.BaseCertificationWebService.PipelineCertify(CAType caType, String userName, String[] machineCertificateChain, Boolean persistent)
AD RMS Cryptographic Mode 2 was enabled, but the Exchange server OS was not patched.
Install the appropriate patch on the server OS.
MORE INFORMATION: Cryptographic Mode 2 changes the signature support from SHA-1 to SHA-256 and the signature and encryption support from RSA 1024 to RSA 2048. The AD RMS server must be 2008 R2 SP1 and clients must be Windows Vista SP2 or higher. Both server and client require an additional software update to support Cryptographic Mode 2. Exchange 2010 requires at least SP3 to support Cryptographic Mode 2.
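The FAIL message above points at pipeline permissions, while the cause given here is named only in the innermost exception. As an added example (not part of the original article), the following PowerShell function reads saved Test-IRMConfiguration output and reports the root exception; the function name Get-IrmFailureCause and the sample text, abridged from the output above, are assumptions made for illustration.

```powershell
# Added example. Get-IrmFailureCause is a hypothetical helper, not an Exchange cmdlet.
# Avoids syntax newer than PowerShell 2.0.
function Get-IrmFailureCause {
    param([Parameter(Mandatory=$true)][string]$Text)

    # Re-join type names that console wrapping split after a dot,
    # e.g. "System.Web.Services.<newline>Protocols.SoapException".
    $flat = $Text -replace '\.[ \t]*\r?\n[ \t]*', '.'

    # .NET prints nested exceptions as "outer ---> inner ---> innermost";
    # the segment after the last arrow names the root cause.
    $inner = @($flat -split '--->')[-1].Trim()
    $root = if ($inner -match '^([\w.]+Exception)\b') { $Matches[1] } else { '' }

    # AD RMS pipeline the request was sent to, if the output names one.
    $url = [regex]::Match($flat, 'https?://\S+?\.asmx', 'IgnoreCase').Value

    $diagnosis = if ($root -like '*.UnsupportedCryptographicSetException') {
        'Cryptographic Mode 2 mismatch: patch the Exchange server OS ' +
        '(Exchange 2010 needs SP3). Not a pipeline permission problem.'
    } elseif ($root) {
        "Unclassified root exception: $root"
    } else {
        'No nested exception found; follow the guidance printed in the FAIL message.'
    }

    New-Object PSObject -Property @{
        RootException = $root; PipelineUrl = $url; Diagnosis = $diagnosis
    } | Select-Object RootException, PipelineUrl, Diagnosis
}

# Constructed sample: abridged from the output shown in this article, with console wrapping.
$sample = @'
Microsoft.Exchange.Security.RightsManagement.RightsManagementException: Failed to acquire server box RAC from
https://adrms.contoso.com/_wmcs/certification/servercertification.asmx. ---> System.Web.Services.
Protocols.SoapException: Exception of type 'System.Web.Services.
Protocols.SoapException' was thrown. ---> Microsoft.DigitalRightsManagement.Cryptography.UnsupportedCryptographicSetException: Exception of type 'Microsoft.DigitalRightsManagement.Cryptography.UnsupportedCryptographicSetException' was thrown.
--- End of inner exception stack trace ---
'@

Get-IrmFailureCause -Text $sample | Format-List
```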