
Active Directory Rights Management Services (AD RMS) was not able to retrieve the certificate

Posted on 2008-10-10
Last Modified: 2012-05-05
Hi
I am new to RMS. I installed Windows Server 2008 64-bit that hosts AD DNS, and VMware that is running a Server 2008 that will run the RMS server (it's a lab).
After the installation of RMS in the VMware machine finished I got this log:
Active Directory Rights Management Services: Installation succeeded with errors
   Error: Attempt to configure Active Directory Rights Management Server failed.  The AD RMS installation could not determine the certificate hierarchy. If the AD RMS service connection point (SCP) you need to use is registered in Active Directory but is not valid, revise it to make it valid, or create a new SCP, and install AD RMS again.
   at Microsoft.RightsManagementServices.Configuration.LicensingServerSelfEnrollment.DecideCertificateHierarchy()
   at Microsoft.RightsManagementServices.Configuration.CertificationServerSelfEnrollment.Enroll(EnrolleeServerInformation enrolleeInformation, EnrolleeRevocationInformation revocationInformation, String certificateDisplayName, String cspName, String keyContainerName)
   at Microsoft.RightsManagementServices.Configuration.ProvisioningBase.Enroll()
   at Microsoft.RightsManagementServices.Configuration.ProvisioningBase.Run()
   at Microsoft.RightsManagementServices.Configuration.ProvisionerBase.DoProvision()
   at Microsoft.RightsManagementServices.Configuration.ProvisionerHelper.Run(OperationType operationType, Object data)
   at Microsoft.RightsManagementServices.Configuration.ProvisionEngine.Run(OperationType operationType, Boolean passwordEncrypted)
   at Microsoft.RightsManagementServices.Configuration.CmdLineHandler.Run()
Remove and re-install AD RMS to attempt provisioning again.



After opening RMS I get the following error:
AD RMS Administrator Server Fail Because the value of "AdminLocalConnectionPoint" Under registry Key
"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\DRMS\2.0" was invalid




Log Name:      Application
Source:        Active Directory Rights Management Services
Date:          10/9/2008 9:21:00 AM
Event ID:      204
Task Category: General
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      rms.farisnt.local
Description:
Active Directory Rights Management Services (AD RMS) was not able to retrieve the certificate hierarchy.
.
.
.

Microsoft.RightsManagementServices.DecideCertificateHierarchyFailException
        Message: The AD RMS installation could not determine the certificate hierarchy. If the AD RMS service connection point (SCP) you need to use is registered in Active Directory but is not valid, revise it to make it valid, or create a new SCP, and install AD RMS again.
  + System.Net.WebException
  +         Message: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
      + System.Security.Authentication.AuthenticationException
      +         Message: The remote certificate is invalid according to the validation procedure.
</Data>
  </EventData>
</Event>

What can I do to fix this?
Thanks
Question by:Housammuhanna
14 Comments
 
LVL 9

Author Comment

by:Housammuhanna
ID: 22686311

Note that there is no CA installed in the lab.
Also, I tried both HTTPS and HTTP while installing RMS, but all return the same result.
0
 
LVL 9

Author Comment

by:Housammuhanna
ID: 22706325
ATTENTION: I have asked about 5 questions and none of them has been answered. What's up, experts?
0
 
LVL 1

Expert Comment

by:KentFire
ID: 22710192
I am also experiencing this problem and would appreciate an answer!! How can you delete an SCP when the server no longer exists? Can it be manually removed somehow?
Thanks
0

 
LVL 1

Accepted Solution

by:
KentFire earned 2000 total points
ID: 22740772
Hi Vee_Mod,
Thanks for posting a response.  In the meantime I have managed to find a solution to my question and will explain it below for future reference:
I wanted to manually delete the SCP as every time I tried to reinstall RMS it complained that an SCP already existed (and also gave the certificate hierarchy message).  I found this blog http://blogs.msdn.com/rms/ which provided the answer.
Basically I had to download the RMS admin toolkit onto my PC and then run the following command to delete the SCP from AD:
ADScpRegister unregisterscp <URL to unregister>
Prior to using the command I also used ldp to connect to AD so I could double-check the url and also to check that it was successfully deleted.  Once the command was run I was able to reinstall RMS with no problems.
Hope this helps,
Thanks
0
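The check the accepted answer describes doing with ldp, as an added PowerShell example (not part of the original thread or of the RMS admin toolkit): it reads the SCP URL registered in Active Directory and, for an HTTPS URL, reports why this machine does not trust the server certificate, which is the failure recorded in event 204 above. It assumes the SCP sits at the standard CN=SCP,CN=RightsManagementServices,CN=Services location in the Configuration partition and keeps its URL in serviceBindingInformation.

```powershell
# Added example: read-only diagnostic, changes nothing in AD or on the server.
# Assumption: run as a script on a domain-joined machine by a user who can
# read the Configuration partition.

# 1. Read the AD RMS SCP (assumed standard location in the Configuration partition).
$rootDse = [ADSI]'LDAP://RootDSE'
$scpPath = "LDAP://CN=SCP,CN=RightsManagementServices,CN=Services,$($rootDse.configurationNamingContext)"

if (-not [System.DirectoryServices.DirectoryEntry]::Exists($scpPath)) {
    Write-Output 'No AD RMS SCP is registered in this forest.'
    return
}

$scp    = [ADSI]$scpPath
$scpUrl = [string]$scp.Properties['serviceBindingInformation'].Value
Write-Output "Registered SCP URL: $scpUrl"

# 2. For an HTTPS SCP, fetch the server certificate and test the trust chain.
$uri = [Uri]$scpUrl
if ($uri.Scheme -ne 'https') {
    Write-Output 'SCP is not HTTPS; no certificate to validate.'
    return
}

$tcp = New-Object System.Net.Sockets.TcpClient($uri.Host, $uri.Port)
try {
    # Accept any certificate here only so it can be inspected; no data is sent.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($uri.Host)

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($cert)

    Write-Output "Subject : $($cert.Subject)"
    Write-Output "Issuer  : $($cert.Issuer)"
    Write-Output "Expires : $($cert.NotAfter)"
    Write-Output "Trusted by this machine: $trusted"
    # Each status explains one reason validation fails (e.g. UntrustedRoot, NotTimeValid).
    foreach ($status in $chain.ChainStatus) {
        Write-Output "  $($status.Status): $($status.StatusInformation.Trim())"
    }
}
finally {
    $tcp.Close()
}
```

If the TCP connection itself fails, the server named in the SCP is unreachable or gone, which is the stale-SCP case the answer resolves with ADScpRegister.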
 
LVL 9

Author Comment

by:Housammuhanna
ID: 22744173
Hi all and thanks
I won't be able to answer before 3 days as I am away from the server; I will for sure test this when I come back.

Thanks

0
 
LVL 9

Author Comment

by:Housammuhanna
ID: 22780437
OK
I am back again
Thanks for your time
I will try it today and post the reply again
I am very sorry for the delay
0
 
LVL 9

Author Comment

by:Housammuhanna
ID: 22788696
HIIIIIIIIIIIIIIIIIIIIIIII
Thanks KentFire for your reply.
I tried it and it works fine; I don't know if that was the fix.
I ran the command
C:\>ADScpRegister.exe unregisterscp https://main.farisnt.local:443/_wmcs/certificationasdasdasd
Is this sentence correct?
I have removed RMS and reinstalled it and now it's working fine.
I used HTTP while installing; I don't know if this problem will appear if I remove RMS and reinstall it using HTTPS.
I will offer the point to KentFire and then later will try to remove it and install it using HTTPS.
Thanks
0
 
LVL 9

Author Closing Comment

by:Housammuhanna
ID: 31504990
Thanks, I will later try it also using HTTPS.
0
 
LVL 1

Expert Comment

by:KentFire
ID: 22874768
Housammuhanna,
Many thanks for the point and glad you got it sorted in the end.
Cheers.
0
 

Expert Comment

by:Netways
ID: 26094180
Hi,

Where should I run that command?
ADScpRegister unregisterscp <URL to unregister>
I have the same problem, and every time I run this command, I'm given a message indicating that ADScpRegister is not recognized as an internal or external command.

Please advise.
0
