Troubleshoot Azure RMS Connector – Integrate SharePoint 2013 with Azure RMS
To protect SharePoint content with Information Rights Management features, SharePoint needs to connect to a Rights Management System (RMS). This can be either an on-premises RMS or Azure RMS. If you’re using Azure RMS with your on-premises SharePoint farm, you need to set up some Azure RMS Connector servers.
There are several articles out there which describe the implementation of Azure RMS Connector servers quite well:
Hence, I won’t repeat the general installation steps but will focus directly on how to troubleshoot errors you might encounter during your integration.
When I was setting up my customer’s SharePoint Azure RMS integration, I encountered the following error several times. Each time I fixed the cause, a new problem occurred which led to exactly the same message in the CA:
The very first thing to do after receiving this error is to have a look at the ULS logs to gather more detailed information. You will probably find one of the following entries:
The first message (0x80070032) may have several different causes:
The second one (0x8004f015) occurred when I tried to change my setup to utilize the production O365 tenant instead of the test tenant. The error was caused by old registry settings still pointing to the O365 test tenant. To get rid of it, follow these steps on each WFE/CA server in your farm:
Here, the best source of hints is the installation log of the RMS Connector Administration Tool installation wizard. You can find this log file at C:\users\<installing user>\AppData\Local\Temp. The following error might occur while running the RMS Connector Administration installation wizard:
WsTrust Request failed with error : <S:Code><S:Value>S:Sender</S:Value><S:Subcode><S:Value>wst:InvalidRequest</S:Value></S:Subcode></S:Code><S:Reason><S:Text xml:lang="en-US">Invalid Request</S:Text></S:Reason><S:Detail><psf:error><psf:value>0x80048820</psf:value><psf:internalerror><psf:code>0x80045c01</psf:code><psf:text>Invalid STS request.
I ruled out the second one at first because I could log in to https://login.microsoftonline.com successfully. But when the installation wizard tries to log in, the password is XML-encoded for transport. Some characters would therefore need to be escaped, but they aren’t escaped automatically. Here is a list of characters you should therefore avoid in your password: https://support.microsoft.com/en-us/kb/316063
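The escaping problem described above can be reproduced offline. The following PowerShell is an added example, not code from the original post or from the RMS connector installer; the UsernameToken fragment, the function names and the sample passwords are constructed for illustration, and it assumes the characters to avoid are the five that XML reserves (&, <, >, ", ').

```powershell
# Added example; not the RMS connector installer's code. The UsernameToken
# fragment is a constructed, simplified stand-in for the credential part of a
# WS-Trust request, and all names and sample passwords are hypothetical.

function Get-XmlUnsafeCharacter {
    # Return the distinct characters in $Text that XML reserves: & < > " '
    param([Parameter(Mandatory)][string]$Text)
    $reserved = [char[]]'&<>"'''
    $Text.ToCharArray() | Where-Object { $reserved -contains $_ } | Select-Object -Unique
}

function New-CredentialFragment {
    # Build the fragment by string concatenation, as a client that does not
    # escape would; -Escape applies XML entity encoding to the password first.
    param([string]$User, [string]$Password, [switch]$Escape)
    if ($Escape) { $Password = [System.Security.SecurityElement]::Escape($Password) }
    "<UsernameToken><Username>$User</Username><Password>$Password</Password></UsernameToken>"
}

function Test-XmlWellFormed {
    # $true if the text parses as XML, $false if the parser rejects it.
    param([Parameter(Mandatory)][string]$Xml)
    try { $null = [xml]$Xml; $true } catch { $false }
}

# Constructed sample passwords: one safe, two containing reserved characters.
$samples = 'Summer2016!', 'R&D<2016>', 'p@ss"word'''

foreach ($pw in $samples) {
    $raw = New-CredentialFragment -User 'admin@contoso.example' -Password $pw
    $esc = New-CredentialFragment -User 'admin@contoso.example' -Password $pw -Escape
    [pscustomobject]@{
        Password      = $pw
        Flagged       = -join (Get-XmlUnsafeCharacter -Text $pw)
        RawParses     = Test-XmlWellFormed -Xml $raw
        EscapedParses = Test-XmlWellFormed -Xml $esc
        # The escaped form must decode back to the exact original password.
        RoundTrips    = ([xml]$esc).UsernameToken.Password -ceq $pw
    }
}
```

In element content only & and < make the unescaped fragment unparseable; quotes and > still parse there but would break an attribute value, which is why the check flags all five.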
A user must be authenticated against Azure RMS whenever accessing a protected document in SharePoint. To do this, SharePoint passes the user’s mail address from the SharePoint user profile store on to Azure RMS as the user’s identity. This implies that the Azure RMS user represented by this mail address must exist in Azure AD (with the same mail property).
Please also be aware that clients must be configured to use RMS. If not, you will receive errors like these:
To download and open protected documents successfully, the client must be able to connect to O365/Azure and the following registry entries should be present (type DWORD with value "1"):