Solved

Active Directory Rights Management Services (AD RMS) was not able to retrieve the certificate

Posted on 2008-10-10
14
13,129 Views
1 Endorsement
Last Modified: 2012-05-05
Hi
I am New to RMS, I had install WIndows Server 2008 64Bit that host AD DNS, and VMWARE that is running a Server 2008 that will run RMS Server (its a lab)
after the installation of RMS in the VMWARE Machine finished I got this log
Active Directory Rights Management Services: Installation succeeded with errors
   Error: Attempt to configure Active Directory Rights Management Server failed.  The AD RMS installation could not determine the certificate hierarchy. If the AD RMS service connection point (SCP) you need to use is registered in Active Directory but is not valid, revise it to make it valid, or create a new SCP, and install AD RMS again.    at Microsoft.RightsManagementServices.Configuration.LicensingServerSelfEnrollment.DecideCertificateHierarchy()
   at Microsoft.RightsManagementServices.Configuration.CertificationServerSelfEnrollment.Enroll(EnrolleeServerInformation enrolleeInformation, EnrolleeRevocationInformation revocationInformation, String certificateDisplayName, String cspName, String keyContainerName)
   at Microsoft.RightsManagementServices.Configuration.ProvisioningBase.Enroll()
   at Microsoft.RightsManagementServices.Configuration.ProvisioningBase.Run()
   at Microsoft.RightsManagementServices.Configuration.ProvisionerBase.DoProvision()
   at Microsoft.RightsManagementServices.Configuration.ProvisionerHelper.Run(OperationType operationType, Object data)
   at Microsoft.RightsManagementServices.Configuration.ProvisionEngine.Run(OperationType operationType, Boolean passwordEncrypted)
   at Microsoft.RightsManagementServices.Configuration.CmdLineHandler.Run()
Remove and re-install AD RMS to attempt provisioning again.



After Openning RMS I get the Following Error
AD RMS Administrator Server Fail Because the value of "AdminLocalConnectionPoint" Under registry Key
"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\DRMS\2.0" was invalid




Log Name:      Application
Source:        Active Directory Rights Management Services
Date:          10/9/2008 9:21:00 AM
Event ID:      204
Task Category: General
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      rms.farisnt.local
Description:
Active Directory Rights Management Services (AD RMS) was not able to retrieve the certificate hierarchy.
.
.
.

Microsoft.RightsManagementServices.DecideCertificateHierarchyFailException
        Message: The AD RMS installation could not determine the certificate hierarchy. If the AD RMS service connection point (SCP) you need to use is registered in Active Directory but is not valid, revise it to make it valid, or create a new SCP, and install AD RMS again.
  + System.Net.WebException
  +         Message: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
      + System.Security.Authentication.AuthenticationException
      +         Message: The remote certificate is invalid according to the validation procedure.
</Data>
  </EventData>
</Event>

what can I do to fix this
THanks
1
Comment
Question by:Housammuhanna
  • 6
  • 3
14 Comments
 
LVL 9

Author Comment

by:Housammuhanna
Comment Utility

NOTE That there is no CA installed in the lab
 also I try both HTTPS and HTTP while installing the RMS but all return the same result
0
 
LVL 9

Author Comment

by:Housammuhanna
Comment Utility
ATTENTION, I had ask about 5 Q Non of them has been answer, whats up expert
0
 
LVL 1

Expert Comment

by:KentFire
Comment Utility
I am also experiencing this problem and would appreciate an answer!!    How can you delete a SCP when the server no longer exists?  Can it be manually removed somehow?
Thanks
0
 
LVL 1

Accepted Solution

by:
KentFire earned 500 total points
Comment Utility
Hi Vee_Mod,
Thanks for posting a response.  In the meantime I have managed to find a solution to my question and will explain it below for future reference:
I wanted to manually delete the SCP as everytime I tried to reinstall RMS it complained that a SCP already existed (and also gave the certificate hierarchy message).  I found this blog http://blogs.msdn.com/rms/ which provided the answer.
Basically I had to download the RMS admin toolkit onto my PC and then run the following command to delete the SCP from AD:
ADScpRegister unregisterscp <URL to unregister>
Prior to using the command I also used ldp to connect to AD so I could double-check the url and also to check that it was successfully deleted.  Once the command was run I was able to reinstall RMS with no problems.
Hope this helps,
Thanks
0
 
LVL 9

Author Comment

by:Housammuhanna
Comment Utility
HI all and thanks
I wont be able to answer before 3 days as I am away from the server, I will for sure test this when I come back

THanks

0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 
LVL 9

Author Comment

by:Housammuhanna
Comment Utility
OK
I am back again
THanks for your time
I will try it today and post the reply again
I am very sory for th Delay
0
 
LVL 9

Author Comment

by:Housammuhanna
Comment Utility
HIIIIIIIIIIIIIIIIIIIIIIII
THANKS KentFire for your Reply
I try it and it work fine, I dont know if that was the Fix
I ran the command
C:\>ADScpRegister.exe unregisterscp https://main.farisnt.local:443/_wmcs/certificationasdasdasd
Is this sentence correct
I had remove the RMS and reinstall it and now its working fine,
I use HTTP while installing, I dont know if this problem will appear if I remove the RMS and Reinstall it using HTTPS
I Will offer the point to KentFire and then later will try to remove it and install it using HTTPS
Thanks
0
 
LVL 9

Author Closing Comment

by:Housammuhanna
Comment Utility
Thanks , I will later try it also using HTTPS
0
 
LVL 1

Expert Comment

by:KentFire
Comment Utility
Housammuhanna,
Many thanks for the point and glad you got it sorted in the end.
Cheers.
0
 

Expert Comment

by:Netways
Comment Utility
Hi,

Where should i run that command
ADScpRegister unregisterscp <URL to unregister>
i have same problem, and when everytime i run this command, i'm given a message indicating that ADScpRegister is not recognized as an internal or external command.

Please advise,,,
0

Featured Post

The curse of the end user strikes again      

You’ve updated all your end user’s email signatures. Hooray! But guess what? They’re playing around with the HTML, adding stupid taglines and ruining the imagery. Find out how you can save your signatures from end users today.

Join & Write a Comment

Learn about cloud computing and its benefits for small business owners.
Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now