How to fix Test-IRMConfiguration: Failed to acquire a use license.

Question

How to fix Test-IRMConfiguration: Failed to acquire a use license.

HCN 20

Issue

Hello everyone!

When running Test-IRMConfiguration on my Exchange Server, I get the following error:

[PS] C:\Windows\system32>Test-IRMConfiguration -Sender ******@DOMAIN.com
Results : Checking Exchange Server ...
              - PASS: Exchange Server is running in Enterprise.
          Loading IRM configuration ...
              - PASS: IRM configuration loaded successfully.
          Retrieving RMS Certification Uri ...
              - PASS: RMS Certification Uri: https://DOMAIN-dc.DOMAIN.com/_wmcs/certification.
          Verifying RMS version for https://DOMAIN-dc.DOMAIN.com/_wmcs/certification ...
              - PASS: RMS Version verified successfully.
          Retrieving RMS Publishing Uri ...
              - PASS: RMS Publishing Uri: https://DOMAIN-dc.DOMAIN.com/_wmcs/licensing.
          Acquiring Rights Account Certificate (RAC) and Client Licensor Certificate (CLC) ...
              - PASS: RAC and CLC acquired.
          Acquiring RMS Templates ...
              - PASS: RMS Templates acquired.
          Retrieving RMS Licensing Uri ...
              - PASS: RMS Licensing Uri: https://DOMAIN-dc.DOMAIN.com/_wmcs/licensing.
          Verifying RMS version for https://DOMAIN-dc.DOMAIN.com/_wmcs/licensing ...
              - PASS: RMS Version verified successfully.
          Creating Publishing License ...
              - PASS: Publishing License created.
          Acquiring Prelicense for '******@DOMAIN.com' from RMS Licensing Uri
          (https://DOMAIN-dc.DOMAIN.com/_wmcs/licensing) ...
              - PASS: Prelicense acquired.
          Acquiring Use License from RMS Licensing Uri (https://DOMAIN-dc.DOMAIN.com/_wmcs/licensing) ...
              - FAIL: Failed to acquire a use license. This failure may cause features such as Transport Decryption,
          Journal Report Decryption, IRM in Outlook Web App, IRM in Exchange ActiveSync and IRM Search to not work.
          Please make sure that the account "FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042" representing the
          Exchange Servers Group is granted super user permissions on the Active Directory Rights Management Services
          server. For detailed instructions, see "Add the Federated Delivery Mailbox to the AD RMS Super Users Group"
          at http://go.microsoft.com/fwlink/?LinkId=193400.
          OVERALL RESULT: FAIL

What I Have Done

First, I ensured that I have followed the steps indicated in the error message about adding federated delivery mailbox to ADRMS super users group (Link)

In Active Directory Users and Computers, under Users, I have a distribution group called adrmssuperuser with email ******@domain.com

Subsequently, I added this group as the super user group in the Active Directory Rights Management Services console.

In that group, I added the FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042 user. This user is enabled.

Additionally, I have tried the steps listed here, which involves turning off InternalLicensingEnabled, deleting directories C:\ProgramData\Microsoft\DRM\Server, rebooting and then reenabling IRM. This did not work for me.

My Assumptions

Since the other checks for the exchange server has passed, there may not be an issue with the permissions for the files in the ADRMS server, and that ADRMS and Exchange Server are able to communicate.

Could there be an issue with the FederatedEmail permissions? But from what I have read, it just needs to be in the Super Users group for ADRMS.

Has anyone faced a similar issue even after doing the resolution steps? Is there anything I could be missing in my configuration?

Accepted answer

1 additional answer

Your answer

Answer 1

Great to know that the issue has already been resolved and thanks for sharing the solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer : )

--------------

Issue Symptom:

Test-IRMConfiguration: Failed to acquire a use license.

Resolution:

Troubleshooting:

Running Test-IRMConfiguration in EMS fails - Exchange | Microsoft Learn as you have shared
Setting AD RMS super user as security group
Recreating federated email user
Adding the rms service account to the domain admins group [Reference] and adding exchange servers group to ADRMS Super User [Reference]

And finally, as it mentioned in this documentation:

If a super user's group is already configured on an AD RMS cluster, any modifications to the distribution group membership can take up to 24 hours to be refreshed by the AD RMS cluster. This is a result of caching the group membership on the cluster.

The problem disappeared just after waiting one day.

Answer 2

Mike Hu-MSFT 4,145 Microsoft External Staff

Hi,

This problem can occur if the FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042 had been deleted and recreated. After reconfiguring the AD-RMS Super Users Group, the above error will still occur.

To fix this error, you can follow the steps below:

Turn off IRM. Run the command:

  Set-IRMConfiguration -InternalLicensingEnabled $false

Backup and delete the directories in .C:\ProgramData\Microsoft\DRM\Server(Note: The Server folder is a hidden system folder and you will need to unselect the Hide protected operating system files to view the folder.)
Reboot.

Enable IRM. Run the command:

  Set-IRMConfiguration -InternalLicensingEnabled $true

Test IRM.

  Test-IRMConfiguration -sender [******@domain.com]

More details you can refer to: Running Test-IRMConfiguration in EMS fails - Exchange | Microsoft Learn

Hope this helps. Please feel free to contact me for any updates.

HCN 20 Reputation points

2024-06-18T08:13:05.5766667+00:00
Thank you for your response Mike.

I have tried this before, but am still facing the same error.

I have some clarification questions:

Is the ADRMS super user group a security or distribution group? https://www.microsoft.com/en-us/download/details.aspx?id=30139 mentions the super group as a security and distribution group in separate sections (page 27, page 53). Will this affect the configuration at all?

Should I delete and recreate the FederatedEmail user again?

I have also tried:

Adding the rms service account to the domain admins group [Reference]

Adding exchange servers group to ADRMS Super User [Reference]
Mike Hu-MSFT 4,145 Reputation points Microsoft External Staff

2024-06-19T08:04:02.9833333+00:00
For ADRMS, it should definitely be a security group as this grants the necessary permissions for ADRMS to function properly.

And I want to know that have you restarted the Exchange server after finishing above steps?If not ,try to restart Exchange Server.

If the FederatedEmail user account is corrupted or misconfigured, it might be worth deleting and recreating it. Ensure that after recreating, you properly configure it with the necessary permissions and roles.

General Tips:

Verify DNS settings and ensure there are no misconfigurations.

Ensure that your service connection point (SCP) for RMS is correctly configured

Ensure that your ADRMS server certificates are not expired and are correctly configured.

Double-check that service accounts used for ADRMS and Exchange have correct and non-expired credentials.

Check event logs for additional error messages and details that could point to specific issues.
HCN 20 Reputation points

2024-06-20T01:55:41.4366667+00:00
Thank you for Mike for your reply! You were right that super user should be a security group, I believe that helped.

Something funny is that when I set ADRMS security group as the super user on Monday, the Test-IRMConfiguration command failed. I left it as that for the night and today the test passed! I did not make any other changes between that time.

I feel this might have something to do with this documentation:

If a super users group is already configured on an AD RMS cluster, any modifications to the distribution group membership can take up to 24 hours to be refreshed by the AD RMS cluster. This is a result of caching the group membership on the cluster.

I guess the troubleshooting tasks can summarised be as follows:

Running Test-IRMConfiguration in EMS fails - Exchange | Microsoft Learn as you have shared

Setting AD RMS super user as security group

Recreating federated email user

Adding the rms service account to the domain admins group [Reference] and adding exchange servers group to ADRMS Super User [Reference]

Thank you once again

Share via

How to fix Test-IRMConfiguration: Failed to acquire a use license.

1 additional answer

Your answer