In order to protect SharePoint content with Information Rights Management features, SharePoint has to connect to a Rights Management System (RMS). This can either be an on-premises RMS or Azure RMS. If you’re using Azure RMS with your on-premises SharePoint farm, you need to set up one or more Azure RMS Connector servers.
There are several articles out there which describe the implementation of Azure RMS Connector servers quite well:
Hence, I won’t repeat the general installation steps here but focus directly on how to troubleshoot errors you might encounter during your integration.
- Ensure that you always start the RMS Connector administration tool via right-click "Run as administrator"
- Make sure that RMS is activated in O365/Azure! If not, you will receive the following error in the RMS Connector installation wizard log (C:\users\<installing user>\AppData\Local\Temp):
- WsTrust Request failed with error : <S:Code><S:Value>S:Sender</S:Value><S:Subcode><S:Value>wst:InvalidRequest</S:Value></S:Subcode></S:Code><S:Reason><S:Text xml:lang="en-US">Invalid Request</S:Text></S:Reason><S:Detail><psf:error><psf:value>0x80048820</psf:value><psf:internalerror><psf:code>0x80045c01</psf:code><psf:text>Invalid STS request.
- To verify that user name and password are correct, log in at https://login.microsoftonline.com
- Registry entries have been created properly on the SharePoint WFE and Central Admin servers
- SharePoint is able to reach the RMS Connector server and service URLs without any issue
- The RSA key length update (http://support.microsoft.com/kb/2627273) has been applied on Windows Server 2008 R2
- SharePoint Farm account, Web App account and Service App account have been added in RMS Connector Admin Tool
- IE proxy is configured correctly
- The RMS Connector URL is part of the intranet URLs list
- Windows Firewall is not enabled and no antivirus solution is blocking communication between SharePoint and the Azure RMS Connector server
- The password of RMSConnectorAdministrator account must not be longer than 16 characters
- Check the Azure/O365 configuration settings with the following Azure PowerShell cmdlets:
The required Active Directory Rights Management Service Client (MSIPC.DLL) is present but not configured properly
When I was setting up my customer’s SharePoint Azure RMS integration, I encountered the following error several times. Each time I fixed the cause, a new problem occurred which led to exactly the same message in Central Administration (CA):
The very first thing to do after receiving this error is to have a look at the ULS logs to gather more detailed information. You will probably find one of the following entries:
- Information Rights Management (IRM): There was a problem while getting the license template issuer list after connecting to the Online RMS server instance. Error value: 0x80070032
- Information Rights Management (IRM): There was a problem while getting the license template issuer list after connecting to the Online RMS server instance. Error value: 0x8004f015
The first message (0x80070032) may have several different causes:
- HTTPS/SSL certificate not configured correctly or not recognised as trusted
- Service/machine accounts not authorized in the Azure RMS Connector administration tool
- Issue with the msipc.dll version (details here: https://social.technet.microsoft.com/Forums/office/en-US/957cfe23-bee7-4b19-bb62-a8b1f71362ba/unable-to-integrate-azure-rms-connector-with-sharepoint-2013-running-on-windows-server-2008-r2?forum=rmscloud)
The second one (0x8004f015) occurred when I tried to change my setup to use the production O365 tenant instead of the test tenant. The error was caused by old registry settings still pointing to the O365 test tenant. To get rid of it, follow these steps on each WFE/CA server in your farm:
- Open regedit
- Locate the key HKLM\Software\Microsoft\MSIPC
- Delete the sub-key "Server" – ignore the error message which might pop up, but make sure that "Server" does not contain any sub-keys or values
- Delete the sub-key "ServiceLocation"
- Copy GenConnectorConfig.ps1 to a local directory
- Open a PowerShell as Administrator
- Navigate to the location of GenConnectorConfig.ps1
- Execute "GenConnectorConfig.ps1 -ConnectorUri https://yourazurermsconnectorurl -SetSharePoint2013" – where yourazurermsconnectorurl obviously needs to be replaced by the load-balanced URL of your Azure RMS Connector service
- Reboot the server
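The same cleanup as a script, added here as an example and not part of the original post: it lists every value below MSIPC\Server and MSIPC\ServiceLocation so leftover test-tenant references are visible, and with -Reset deletes both keys and re-runs GenConnectorConfig.ps1. The connector URL, the -OldTenantHint substring and the location of GenConnectorConfig.ps1 (current directory) are assumptions.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell
# on each SharePoint WFE/CA server. GenConnectorConfig.ps1 is assumed to be in
# the current directory; $ConnectorUri is your load-balanced connector URL.
param(
    [Parameter(Mandatory = $true)]
    [string]$ConnectorUri,              # placeholder, e.g. https://yourazurermsconnectorurl
    [string]$OldTenantHint = 'test',    # assumption: substring that identifies the stale tenant
    [switch]$Reset
)

$msipcPath = 'HKLM:\SOFTWARE\Microsoft\MSIPC'
$subKeys   = 'Server', 'ServiceLocation'

# Step 1: show every value below MSIPC\Server and MSIPC\ServiceLocation, so
# entries still pointing to the old tenant are visible before anything is deleted.
foreach ($sub in $subKeys) {
    $key = Join-Path $msipcPath $sub
    if (-not (Test-Path $key)) { Write-Host "$key is not present"; continue }
    $items = @(Get-Item -Path $key) + @(Get-ChildItem -Path $key -Recurse)
    foreach ($item in $items) {
        foreach ($name in $item.GetValueNames()) {
            $value = $item.GetValue($name)
            $flag  = if ("$value" -like "*$OldTenantHint*") { '   <-- still points to the old tenant?' } else { '' }
            Write-Host ("{0}\{1} = {2}{3}" -f $item.Name, $name, $value, $flag)
        }
    }
}

# Step 2: only with -Reset, delete both keys (what the regedit steps above do),
# verify they are really gone, then regenerate the connector configuration.
if ($Reset) {
    foreach ($sub in $subKeys) {
        $key = Join-Path $msipcPath $sub
        if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force -ErrorAction SilentlyContinue }
        if (Test-Path $key) { Write-Warning "$key still exists; check in regedit that it holds no sub-keys or values" }
    }
    & .\GenConnectorConfig.ps1 -ConnectorUri $ConnectorUri -SetSharePoint2013
    Write-Host 'Done. Reboot the server to complete the switch to the new tenant.'
}
```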
RMS Connector Administrator Installation Wizard Fails Connecting to Azure Tenant
Here, the best source of hints is the installation log of the RMS Connector Administration Tool installation wizard. You can find this log file at C:\users\<installing user>\AppData\Local\Temp. The following error might occur while running the RMS Connector Administration installation wizard:
WsTrust Request failed with error : <S:Code><S:Value>S:Sender</S:Value><S:Subcode><S:Value>wst:InvalidRequest</S:Value></S:Subcode></S:Code><S:Reason><S:Text xml:lang="en-US">Invalid Request</S:Text></S:Reason><S:Detail><psf:error><psf:value>0x80048820</psf:value><psf:internalerror><psf:code>0x80045c01</psf:code><psf:text>Invalid STS request.
- This error occurs when the system time on the RMS Connector server and Azure RMS is not in sync.
- It also occurs if the password of the RMSConnectorAdministrator account is invalid.
I ruled out the second cause at first, because I could log in at https://login.microsoftonline.com successfully. But when the installation wizard tries to log in, the password is XML encoded for transport. Therefore some characters would need to be escaped, but they aren’t escaped automatically. Here is a list of characters you should therefore avoid in your password: https://support.microsoft.com/en-us/kb/316063
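A pre-check for the RMSConnectorAdministrator password, added here as an example and not part of the original post: it flags the characters that would need XML escaping and the 16-character limit from the checklist above. The character set (&, <, >, ", ') is an assumption based on XML's predefined entities; the linked KB article is the authoritative list.

```powershell
# Added example (not from the original post). Checks an RMSConnectorAdministrator
# password for XML-special characters and for the 16-character limit.
# Assumption: the problematic set is XML's five predefined entity characters.
function Test-RmsConnectorPassword {
    param([Parameter(Mandatory = $true)][System.Security.SecureString]$Password)

    # Decrypt only in memory for the check; the plain text is not written anywhere.
    $plain      = [System.Net.NetworkCredential]::new('', $Password).Password
    $xmlSpecial = [char[]]'&<>"'''     # & < > " '

    $found = @($plain.ToCharArray() | Where-Object { $xmlSpecial -contains $_ } | Sort-Object -Unique)

    [pscustomobject]@{
        Length          = $plain.Length
        TooLong         = $plain.Length -gt 16
        XmlSpecialChars = ($found -join ' ')
        Ok              = ($plain.Length -le 16) -and ($found.Count -eq 0)
    }
}

# Usage: prompt as SecureString so the password does not end up in the console history.
$secure = Read-Host -Prompt 'RMSConnectorAdministrator password' -AsSecureString
Test-RmsConnectorPassword -Password $secure
```

If Ok is false, change the password before re-running the installation wizard.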
User Attribute Requirements
A user must be authenticated against Azure RMS whenever accessing a protected document in SharePoint. To do this, SharePoint passes the user’s mail address from the SharePoint user profile store on to Azure RMS as the user’s identity. This implies that the Azure RMS user represented by this mail address must exist in Azure AD, with the same mail property.
Client Configuration Issues
Please also be aware that clients must be configured to use RMS as well. If not, you will receive errors like these:
- Sorry, something went wrong! The document you tried to download could not be protected. You may need to contact the library administrator to help resolving. Error code is: 80070057
- When opening a pptx file:
In order to download and open protected documents successfully, the client must be able to connect to O365/Azure and the following registry entries should be present (type DWORD with value "1"):