Solved

Active Directory Rights Management Services (AD RMS) was not able to retrieve the certificate

Posted on 2008-10-10
14
13,424 Views
1 Endorsement
Last Modified: 2012-05-05
Hi
I am New to RMS, I had install WIndows Server 2008 64Bit that host AD DNS, and VMWARE that is running a Server 2008 that will run RMS Server (its a lab)
after the installation of RMS in the VMWARE Machine finished I got this log
Active Directory Rights Management Services: Installation succeeded with errors
   Error: Attempt to configure Active Directory Rights Management Server failed.  The AD RMS installation could not determine the certificate hierarchy. If the AD RMS service connection point (SCP) you need to use is registered in Active Directory but is not valid, revise it to make it valid, or create a new SCP, and install AD RMS again.    at Microsoft.RightsManagementServices.Configuration.LicensingServerSelfEnrollment.DecideCertificateHierarchy()
   at Microsoft.RightsManagementServices.Configuration.CertificationServerSelfEnrollment.Enroll(EnrolleeServerInformation enrolleeInformation, EnrolleeRevocationInformation revocationInformation, String certificateDisplayName, String cspName, String keyContainerName)
   at Microsoft.RightsManagementServices.Configuration.ProvisioningBase.Enroll()
   at Microsoft.RightsManagementServices.Configuration.ProvisioningBase.Run()
   at Microsoft.RightsManagementServices.Configuration.ProvisionerBase.DoProvision()
   at Microsoft.RightsManagementServices.Configuration.ProvisionerHelper.Run(OperationType operationType, Object data)
   at Microsoft.RightsManagementServices.Configuration.ProvisionEngine.Run(OperationType operationType, Boolean passwordEncrypted)
   at Microsoft.RightsManagementServices.Configuration.CmdLineHandler.Run()
Remove and re-install AD RMS to attempt provisioning again.



After Openning RMS I get the Following Error
AD RMS Administrator Server Fail Because the value of "AdminLocalConnectionPoint" Under registry Key
"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\DRMS\2.0" was invalid




Log Name:      Application
Source:        Active Directory Rights Management Services
Date:          10/9/2008 9:21:00 AM
Event ID:      204
Task Category: General
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      rms.farisnt.local
Description:
Active Directory Rights Management Services (AD RMS) was not able to retrieve the certificate hierarchy.
.
.
.

Microsoft.RightsManagementServices.DecideCertificateHierarchyFailException
        Message: The AD RMS installation could not determine the certificate hierarchy. If the AD RMS service connection point (SCP) you need to use is registered in Active Directory but is not valid, revise it to make it valid, or create a new SCP, and install AD RMS again.
  + System.Net.WebException
  +         Message: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
      + System.Security.Authentication.AuthenticationException
      +         Message: The remote certificate is invalid according to the validation procedure.
</Data>
  </EventData>
</Event>

what can I do to fix this
THanks
1
Comment
Question by:Housammuhanna
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 3
14 Comments
 
LVL 9

Author Comment

by:Housammuhanna
ID: 22686311

NOTE That there is no CA installed in the lab
 also I try both HTTPS and HTTP while installing the RMS but all return the same result
0
 
LVL 9

Author Comment

by:Housammuhanna
ID: 22706325
ATTENTION, I had ask about 5 Q Non of them has been answer, whats up expert
0
 
LVL 1

Expert Comment

by:KentFire
ID: 22710192
I am also experiencing this problem and would appreciate an answer!!    How can you delete a SCP when the server no longer exists?  Can it be manually removed somehow?
Thanks
0
Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

 
LVL 1

Accepted Solution

by:
KentFire earned 500 total points
ID: 22740772
Hi Vee_Mod,
Thanks for posting a response.  In the meantime I have managed to find a solution to my question and will explain it below for future reference:
I wanted to manually delete the SCP as everytime I tried to reinstall RMS it complained that a SCP already existed (and also gave the certificate hierarchy message).  I found this blog http://blogs.msdn.com/rms/ which provided the answer.
Basically I had to download the RMS admin toolkit onto my PC and then run the following command to delete the SCP from AD:
ADScpRegister unregisterscp <URL to unregister>
Prior to using the command I also used ldp to connect to AD so I could double-check the url and also to check that it was successfully deleted.  Once the command was run I was able to reinstall RMS with no problems.
Hope this helps,
Thanks
0
 
LVL 9

Author Comment

by:Housammuhanna
ID: 22744173
HI all and thanks
I wont be able to answer before 3 days as I am away from the server, I will for sure test this when I come back

THanks

0
 
LVL 9

Author Comment

by:Housammuhanna
ID: 22780437
OK
I am back again
THanks for your time
I will try it today and post the reply again
I am very sory for th Delay
0
 
LVL 9

Author Comment

by:Housammuhanna
ID: 22788696
HIIIIIIIIIIIIIIIIIIIIIIII
THANKS KentFire for your Reply
I try it and it work fine, I dont know if that was the Fix
I ran the command
C:\>ADScpRegister.exe unregisterscp https://main.farisnt.local:443/_wmcs/certificationasdasdasd
Is this sentence correct
I had remove the RMS and reinstall it and now its working fine,
I use HTTP while installing, I dont know if this problem will appear if I remove the RMS and Reinstall it using HTTPS
I Will offer the point to KentFire and then later will try to remove it and install it using HTTPS
Thanks
0
 
LVL 9

Author Closing Comment

by:Housammuhanna
ID: 31504990
Thanks , I will later try it also using HTTPS
0
 
LVL 1

Expert Comment

by:KentFire
ID: 22874768
Housammuhanna,
Many thanks for the point and glad you got it sorted in the end.
Cheers.
0
 

Expert Comment

by:Netways
ID: 26094180
Hi,

Where should i run that command
ADScpRegister unregisterscp <URL to unregister>
i have same problem, and when everytime i run this command, i'm given a message indicating that ADScpRegister is not recognized as an internal or external command.

Please advise,,,
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article helps those who get the 0xc004d307 error when trying to rearm (reset the license) Office 2013 in a Virtual Desktop Infrastructure (VDI) and/or those trying to prep the master image for Microsoft Key Management (KMS) activation. (i.e.- C…
In this post we will be converting StringData saved within a text file into a hash table. This can be further used in a PowerShell script for replacing settings that are dynamic in nature from environment to environment.
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

626 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question