AD RMS: Test-IRMConfiguration Command Fails with UnsupportedCryptographicSetException
Situation
Configuring Exchange 2010 IRM integration with AD RMS succeeds. Testing the configuration (with the Test-IRMConfiguration command) does not.
Test-IRMConfiguration -Sender user1@contoso.com fails acquiring rights account certificate (RAC) and client licensor certificate (CLC).
Error messages
Exchange console
Acquiring Rights Account Certificate (RAC) and Client Licensor Certificate (CLC) ...
- FAIL: Failed to acquire a Rights Account Certificate (RAC) and/or a Client Licensor Certificate (CLC).
This failure may cause features such as Transport Decryption, Transport Protection Rules, Journal Report Decryption, IRM in Outlook Web App, IRM in Exchange ActiveSync, and IRM Search to not work. Make sure that the Exchange Servers Group is granted "Read" and "Read & Execute" rights on the ServerCertification.asmx and Publish.asmx pipelines on your AD RMS server. For details, see "Set Permissions on the AD RMS Certification Pipeline" at http://go.microsoft.com/fwlink/?LinkId=186951.
----------------------------------------
Microsoft.Exchange.Security.RightsManagement.RightsManagementException: Failed to acquire server box RAC from
https://adrms.contoso.com/_wmcs/certification/servercertification.asmx. ---> System.Web.Services.
Protocols.SoapException: System.Web.Services.Protocols.SoapException: Exception of type 'System.Web.Services.
Protocols.SoapException' was thrown. ---> Microsoft.DigitalRightsManagement.Cryptography.UnsupportedCryptographicSetException: Exception of type 'Microsoft.DigitalRightsManagement.Cryptography.UnsupportedCryptographicSetException' was thrown.
--- End of inner exception stack trace ---
at Microsoft.DigitalRightsManagement.Certification.BaseCertificationWebService.Certify(CAType caType, CertifyParams requestParameters)
at Microsoft.DigitalRightsManagement.Certification.ServerCertificationWebService.Certify(CertifyParams requestParams)
at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
at System.Web.Services.Protocols.SoapHttpClientProtocol.EndInvoke(IAsyncResult asyncResult)
at Microsoft.Exchange.Net.WsAsyncProxyWrapper.EndInvoke(IAsyncResult result)
at Microsoft.Exchange.Security.RightsManagement.SOAP.ServerCertification.ServerCertificationWS.EndCertify(IAsyncResult asyncResult)
at Microsoft.Exchange.Security.RightsManagement.ServerCertificationWSManager.EndAcquireRac(IAsyncResult asyncResult)
--- End of inner exception stack trace ---
at Microsoft.Exchange.Data.Storage.RightsManagement.RmsClientManager.EndAcquireInternalOrganizationRACAndCLC(IAsyncResult asyncResult)
at Microsoft.Exchange.Management.RightsManagement.IRMConfigurationValidator.TryGetRacAndClc()
**
AD RMS server certification pipeline logging
Microsoft.DigitalRightsManagement.Cryptography.UnsupportedCryptographicSetException
Message: The given certificate does not contain an acceptable combination of asymmetric key and signature hash algorithms.
StackTrace:
at Microsoft.DigitalRightsManagement.Certification.Pipeline._VerifyMachineCertificateChain(String[] machineCertificateChain, CAType caType)
at Microsoft.DigitalRightsManagement.Certification.Pipeline.Certify(CAType caType, CertifyParams[] requestParameters, HttpRequest request, IIdentity userIdentity)
at Microsoft.DigitalRightsManagement.Certification.BaseCertificationWebService.PipelineCertify(CAType caType, String userName, String[] machineCertificateChain, Boolean persistent)
at Microsoft.DigitalRightsManagement.Certification.BaseCertificationWebService.Certify(CAType caType, CertifyParams requestParameters)
CAUSE
AD RMS Cryptographic Mode 2 was enabled but the Exchange server OS was not patched.
RESOLUTION
Install the appropriate patch on the server OS.
MORE INFORMATION: Cryptographic Mode 2 changes the signature support from SHA-1 to SHA-256 and the signature and encryption support from RSA 1024 to RSA 2048. AD RMS server must be 2008 R2 SP1 and clients must be Windows Vista SP2 or higher. Both server and client require an additional software update to support Cryptographic Mode 2. Exchange 2010 requires at least SP3 to support Cryptographic Mode 2.
See also
- KB 2627272: RSA key length is increased to 2048 bits for AD RMS in Windows Server 2008 R2 and in Windows Server 2008
- KB 2627273: RSA key length is increased to 2048 bits for AD RMS in Windows 7 or in Windows Server 2008 R2
- TechNet Blog: AD RMS Cryptographic Mode 2 and Exchange 2010 Information Rights Management
- TechNet: AD RMS Cryptographic Modes
- AD RMS Portal