AD RMS: Office 2010 does not give rights restriction options

Hi,

I have installed an AD RMS server role on a dedicated server and followed these instructions: http://technet.microsoft.com/en-us/library/cc753531(v=WS.10).aspx

I have a domain, let's say contoso.com, and the servers are: ADRMS.contoso.com (MS Server 2012), DC1.contoso.com (MS Server 2008 R2) and DB1.contoso.com (MS Server 2008 R2).

I have configured the AD RMS service to use the URL https://rms.conto.com; redirections are done by a network traffic controller and DNS, which converts the requested address to a specific IP (FQDN: ADRMS.contoso.com). It uses HTTPS/SSL. I can log on locally to the ADRMS cluster console (Add Cluster > Remote Computer) from the server with the URL rms.conto.com (required a regedit) and can also connect from client machines to https://rms.conto.com/_wmcs/certification/certification.asmx and https://rms.conto.com/_wmcs/licensing/license.asmx. However, I am unable to log on locally to the cluster console using Add Cluster > Local Computer.

SCP is created to DC1 with serviceBindingInformation = https://rms.conto.com/_wmcs/certification

The problem is that when I open Word 2010, create a document and try to do Restrict Permission by People > Restrict Access, it only offers me Microsoft Live ID or Windows Account. If I choose Windows Account, it has a problem contacting the "restricted permission service".

I have tried clearing the DRM folder at %localAppData%\Microsoft\DRM, but it did not help.

I also happened to notice a strange log entry on the ADRMS server:

This Active Directory Rights Management Services (AD RMS) cluster cannot perform an operation on one of the AD RMS databases. Ensure that all AD RMS databases are operating correctly on the network and that the AD RMS service account has read and write permissions to the databases.

Parameter Reference
Context: STATIC
RequestId: N/A
HelpLink.ProdName: Microsoft SQL Server
HelpLink.EvtSrc: MSSQLServer
HelpLink.EvtID: 18456
HelpLink.BaseHelpUrl: http://go.microsoft.com/fwlink
HelpLink.LinkId: 20476
SqlError-0.State: 1
SqlError-0.Class: 14
SqlError-0.Server: DB1
SqlError-0.Message: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
SqlError-0.Number: 18456

Microsoft.RightsManagementServices.LowSeveritySqlException
        Message: The Database Engine threw this exception in response to an error that can be corrected by the user, such as a missing database object or entity, possible data inconsistency, transaction deadlock, security setting problems, or SQL command syntax error.  Please examine the SqlError details for more information.
        HelpLink.ProdName: Microsoft SQL Server
        HelpLink.EvtSrc: MSSQLServer
        HelpLink.EvtID: 18456
        HelpLink.BaseHelpUrl: http://go.microsoft.com/fwlink
        HelpLink.LinkId: 20476
        SqlError-0.State: 1
        SqlError-0.Class: 14
        SqlError-0.Server: DB1
        SqlError-0.Message: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
        SqlError-0.Number: 18456
  + System.Data.SqlClient.SqlException
  +         Message: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
  +         HelpLink.ProdName: Microsoft SQL Server
  +         HelpLink.EvtSrc: MSSQLServer
  +         HelpLink.EvtID: 18456
  +         HelpLink.BaseHelpUrl: http://go.microsoft.com/fwlink
  +         HelpLink.LinkId: 20476

Why does it try to connect to the SQL server (DB1) with the Anonymous account? I installed AD RMS with the ADRMSADMIN account (with correct permissions) and configured it to use the ADRMSSRVC account as the service account.

The other thing is that I can't change that service account with ADRMSADMIN from the ADRMS console, because "Next" is greyed out all the time. I always have to log in to the management console using "remote", because "local machine" gives me an error message. Probably this is because the cluster address is different from the name of the machine that is hosting the service (AD RMS server role).

The client computers have Windows 7 + Office 2010 Professional Plus. The client computers do not have these registry keys: HKEY_LOCAL_MACHINE\Software\Microsoft\MSDRM, HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\MSDRM, but they do have this one, which is empty: HKEY_LOCAL_MACHINE\Software\Microsoft\DRM.

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\DRM is present and has "CachedCorpLicenseServer" and "ServiceLocations" with correct URL values. Should the ServiceLocations entries be named like "1|2|", "2|2|"?

May 18th, 2013 12:04pm

Any ideas on this issue? Is there some crucial information missing here that could help you pinpoint the reason for this behavior?
May 27th, 2013 10:02am

Anything guys?
June 11th, 2013 9:32am

-- Cross-post --

Hi JouniPK,

I think we share a similar problem, at least I get a similar outcome, but in a different configuration. The login I get in Word 2010 is a popup box for Windows Live ID. See my post about "Azure AD RMS and Office 2010".

I am interested in a solution for a mixed user environment: internal users in an Office 365 / Sharepoint Online domain, plus external users with an individual Microsoft account (name@outlook.com). We don't have an on-premises Active Directory server for this purpose and prefer not to install it.

June 11th, 2013 12:21pm

Is the problem that the domains are different between the server FQDNs and the site? Now with the new Office 2013 Word, when I try to protect the document with ADRMS (Protect Document > Restrict Access > Connect to Digital Rights Management Servers and get templates) I get a prompt: "Sorry, something went wrong opening Information Rights Management protected content. The request is not supported"
June 28th, 2013 11:03am

Hi JouniPK,

AD RMS creates an SCP during installation, and only one SCP can exist per forest. This SCP provides automatic discovery of the RMS cluster URL; this URL should be: https://rms.contoso.com:433 ... (rms alias for your adrms.contoso.com)

So you have to check this URL on your DC (ADSIEdit.msc) and on your RMS (Cluster properties).

Good luck,


June 29th, 2013 1:22pm

Checked the SCP on our AD and it is the same as the ADRMS cluster URL. But I haven't used the port number after the domain part (:443). Is that the problem? Installation of the ADRMS cluster created that SCP and it can be found in the client computer registry, but I'm not sure which keys are the correct ones and whether some are missing.
July 11th, 2013 7:43am
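A check that puts the pieces from the posts above side by side (the SCP in AD, the Office 2010 registry values, the cluster URL and the two _wmcs endpoints). This is an added example, not code from the thread; the cluster URL is a placeholder taken from the thread, and whether ServiceLocations is a value or a subkey is an assumption.

```powershell
# Added example, not code from the thread. Assumes PowerShell 3.0+ on a
# domain-joined client, run as the affected user. The cluster URL is a
# placeholder taken from the thread; replace it with your own.
$ExpectedClusterUrl = 'https://rms.conto.com'   # placeholder

# 1. Read the SCP that AD RMS setup registered in the configuration partition.
$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$scp      = [ADSI]"LDAP://CN=SCP,CN=RightsManagementServices,CN=Services,$configNc"
$scpUrl   = "$($scp.serviceBindingInformation)"
Write-Host "SCP serviceBindingInformation : $scpUrl"

# 2. Dump what the Office 2010 client has cached for RMS discovery.
#    ServiceLocations is read as a subkey if present, otherwise as a value
#    (assumption: the thread does not say which form it takes).
$drmKey = 'HKCU:\Software\Microsoft\Office\14.0\Common\DRM'
$drm = Get-ItemProperty -Path $drmKey -ErrorAction SilentlyContinue
if ($drm) {
    Write-Host "CachedCorpLicenseServer       : $($drm.CachedCorpLicenseServer)"
    if (Test-Path "$drmKey\ServiceLocations") {
        Get-ItemProperty -Path "$drmKey\ServiceLocations" | Format-List
    } else {
        Write-Host "ServiceLocations              : $($drm.ServiceLocations)"
    }
}

# 3. Compare host names. [uri].Host never includes the port, so
#    'https://rms.conto.com' and 'https://rms.conto.com:443' compare equal;
#    a real mismatch (rms.conto.com vs adrms.contoso.com) is the symptom
#    discussed in the thread.
function Get-UrlHost([string]$u) { ([uri]$u).Host.ToLowerInvariant() }
$expectedHost = Get-UrlHost $ExpectedClusterUrl
if ((Get-UrlHost $scpUrl) -ne $expectedHost) {
    Write-Warning "SCP host '$(Get-UrlHost $scpUrl)' differs from '$expectedHost'"
}

# 4. Check that the certification and licensing endpoints answer over HTTPS
#    with the user's Windows credentials, which is what Word's 'Windows
#    Account' option relies on.
foreach ($path in '/_wmcs/certification/certification.asmx',
                  '/_wmcs/licensing/license.asmx') {
    try {
        $r = Invoke-WebRequest -Uri ($ExpectedClusterUrl + $path) `
                               -UseDefaultCredentials -UseBasicParsing
        Write-Host "$path -> HTTP $($r.StatusCode)"
    } catch {
        Write-Warning "$path -> $($_.Exception.Message)"
    }
}
```

If step 4 fails with an authentication error while the browser can open the same .asmx URL, that points at the IIS authentication/impersonation settings on the cluster rather than at the SCP.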

Ran the IRMCheck and it got me the following report:

Also ran the sigverif tool to check whether there are any unverified files in the system, but it didn't find any. Office 2013 is successfully installed and running.

July 15th, 2013 4:32am

Disabled "ASP.NET Impersonation" in IIS on the cluster server and am now getting somewhere when trying to restrict access to a Word document.
July 15th, 2013 6:25am

The service is now probably working as it should, but now there is a problem with templates not distributing properly and Office 2013. After spending lots of hours figuring it out and reading the MS ADRMS instructions, I found out that the difference between the RMS clients in Office 2010 and 2013 is that they use different template folders and that the registry keys are found under MSIPC.
July 17th, 2013 4:40am

On top of the fact that the Office versions use different template folders, Office 2010 does not know how to figure out Cryptographic Mode 2. I needed to install this hotfix: http://support.microsoft.com/kb/2627273 to get it working with both Office versions.
August 9th, 2013 3:33am
