Event ID 5073 (Windows SharePoint Services health model)

Applies To: Windows SharePoint Services 3.0

 

Information Rights Management (IRM) allows content creators to assign rights to documents that they send to others. These documents are referred to as “rights-protected” documents. The data in rights-protected documents is encrypted so that it can be viewed only by authorized users. Furthermore, a rights-protected document stores an issuance license that specifies which rights users have to the content. For example, an author can specify the following rights for a document:

  • Document is read-only.

  • Text in the document cannot be copied.

  • Document cannot be printed.

IRM relies on Windows Rights Management Services (RMS) to create the issuance license, and perform the encryption and decryption of rights-protected documents. When IRM is enabled on a list or library, Windows SharePoint Services 3.0 automatically adds the permissions that are assigned to an item to the issuance license of that item when that item is downloaded. This means that permissions that are set on documents in lists and libraries are enforced by IRM even after a document is downloaded from the site.

For more information about IRM and Windows SharePoint Services 3.0, see Deploying Active Directory Rights Management Services with Microsoft Office SharePoint Server 2007 Step-By-Step Guide (https://go.microsoft.com/fwlink/?LinkId=93136).

Event Details

Product:

Windows SharePoint Services

ID:

5073

Source:

Windows SharePoint Services 3

Version:

12.0

Symbolic Name:

ULSEvtTag_5073

Message:

Information Rights Management (IRM): There was a problem while trying to acquire an End User License (EUL) for this server. It could not be fetched from the local store or acquired from the Rights Management Services (RMS) server.

Current file: %1

GUID of current list: %2

Additional Data

Error value: %3

Diagnose

There has been a problem with Information Rights Management (IRM). This error might be caused by one or more of the following conditions. Note: Investigate these issues in the order given:

  • A Windows Rights Management Services (RMS) server refused access to a computer running Windows SharePoint Services 3.0.

  • The RMS server is not available.

  • The locally-stored licenses have become corrupt.

  • One or more IRM manifest is not valid.

You must be a member of the SharePoint Administrators group to perform the following task:

To determine which server is specified in Central Administration

  1. In Central Administration, on the left navigation pane, click Operations.

  2. On the Operations page, in the Security Configuration section, click Information Rights Management.

  3. On the Information Rights Management page, if the Use this RMS server option is selected, the server name appears in the box.

Note

If the Use the default RMS server specified in Active Directory option is selected, contact your domain administrator and ask them for the RMS service connection point. For Active Directory Rights Management Services, this can be obtained in the Active Directory Rights Management Services MMC console. For previous versions of RMS, you can get it by using the GetRMSScp.exe from the RMS Administration Toolkit.

To determine if the RMS server is available

  1. At the command-prompt on a computer that should have access to the RMS server and that is not the same computer that received this event, type the following and press ENTER:

    ping<RMS Server DNS name>

    The ping should reply in a timely manner. If it does not, the RMS server is not available on the network.

  2. At the command-prompt on the Windows SharePoint Services 3.0 computer that received this event, type the following and press ENTER:

    ping<RMS Server DNS name>

    The ping should reply in a timely manner. If it does not, the network between the Windows SharePoint Services 3.0 computer and the RMS sever might be down.

Resolve

To resolve this issue, use the resolution that corresponds to the cause you identified in the Diagnose section. After performing the resolution, see the Verify section to confirm that the feature is operating properly.

Cause Resolution

Windows SharePoint Services 3.0 could not establish a connection with an RMS server

Configure RMS server to accept requests

Windows SharePoint Services 3.0 could not establish a connection with an RMS server

Check RMS server status and settings

The RMS client on a computer running Windows SharePoint Services 3.0 registered an error

Delete stored licenses

One or more IRM manifest is not valid

Reload IRM manifests

Configure RMS server to accept requests

An RMS server refused access to a computer running Windows SharePoint Services 3.0. This alert indicates that a front-end Web server contacted the RMS server but the RMS server denied access to the Web server. Generally, this error occurs when an administrator is first enabling IRM for the Web farm in Central Administration. If this is the case, IRM cannot be enabled in Central Administration, and list administrators will not be able to enable IRM on a document library or list until the error is resolved. If this error occurs after IRM is enabled, downloads from a rights-protected list or library will fail until the error is resolved.

To resolve this issue, the RMS server must be configured to accept requests from the server running Windows SharePoint Services 3.0 that caused this error. The RMS server settings that are required differ depending on whether:

  • You want the RMS server to accept requests from all computers on the domain, and Windows SharePoint Services 3.0 is installed as a single server on the same domain as your RMS server.

  • You do not want the RMS server to accept requests from all servers on the domain, and Windows SharePoint Services 3.0 is installed as a single server (recommended).

  • Windows SharePoint Services 3.0 is installed in a Web farm configuration.

    Note

    It is recommended that you configure the RMS server to inherit permissions from certification folder on ServerCertification.asmx and then add the computer account of the Windows SharePoint Services 3.0 server (for single server install) instead of opening this up to all Domain Computers.

SharePoint administrators can discover the correct FQDN, NetBIOS name or service account name to configure on the RMS server by attempting to authenticate against the RMS server:

To discover the correct service account name

  1. In Central Administration, on the left navigation pane, click Operations.

  2. On the Operations page, in the Security Configuration section, click Information Rights Management.

  3. On the Information Rights Management page, click either Use the default RMS server specified in Active directory or Use this RMS server, and then type the URL for the RMS server you want to use.

  4. Click OK.

Use the procedure that is appropriate for your situation.

You must be an administrator on the RMS server to make these changes.

To configure the RMS server to accept requests from all servers in the domain

  1. On the RMS server, navigate to the folder containing the ServerCertification.asmx file. This file is typically located in the %systemdrive%\Inetpub\wwwroot\_wmcs\Certification folder.

  2. Add the computer account of the Windows SharePoint Services 3.0 Server to the access control list (ACL) of the ServerCertification.asmx file and assign it the Read & Execute permission.

For a single server installation, the RMS server's Server Certification service must be configured by using either the FQDN or the NetBIOS name of the stand-alone server running Windows SharePoint Services 3.0.

Note

You must know the FQDN or NetBIOS name of the server before performing the following steps. If you do not know this name, see the To discover the correct service account name procedure, to determine the name before continuing.

To configure the RMS server to accept requests from Windows SharePoint Services installed as a single server

  1. On the RMS server, navigate to the folder containing the ServerCertification.asmx file. This file is typically located in the %systemdrive%\Inetpub\wwwroot\_wmcs\Certification folder.

  2. Add the FQDN or NetBIOS name of the server that cannot access the RMS server to the ACL of the ServerCertification.asmx file, and assign it the Read & Execute permission.

For a Web farm installation of Windows SharePoint Services 3.0, the Server Certification service running on the RMS server must be configured with the service account used by each Web application that is IRM-enabled.

Note

You must know the exact service account name or names before performing the following steps. If you do not know the exact service account names that you need, see the "To discover the correct service account name" procedure before continuing.

To configure the RMS server to accept requests from Windows SharePoint Services 3.0 installed in a farm

  1. On the RMS server, navigate to the folder containing the ServerCertification.asmx file. This file is typically located in the %systemdrive%\Inetpub\wwwroot\_wmcs\Certification folder.

  2. Add each service account assigned to an application pool for the Web application on the server that cannot access the RMS server to the ACL of the ServerCertification.asmx file, and assign it the Read & Execute permission.

Note

If the server farm uses multiple application pools, each application pool’s service account must be added to the RMS server ServerCertification.asmx file.

If the front-end Web server has not been configured on the RMS server, an error message appears that states that the computer running Windows SharePoint Services 3.0 could not authenticate against the RMS server. In this error message, the FQDN or NetBIOS name of the server or the service account that you must register with the RMS server will appear.

Note

if you are using multiple application pools that use different service accounts, only the service account for the SharePoint Central Administration site will appear.

Check RMS server status and settings

This problem might be caused by a problem with the availability or health of the RMS server. You can check the health of the RMS server by using the procedures below:

You must be a member of the SharePoint Administrators group to perform the following task.

To check IRM settings in Central Administration

  1. In Central Administration, on the top navigation bar, click Operations.

  2. On the Operations page, in the Security Configuration section, click Information Rights Management.

  3. On the Information Rights Management page, perform one of the following steps:

    • If your organization specifies the RMS server in Active Directory, verify that Use the default RMS server specified in Active Directory is selected.

    • If you are manually specifying the location of the RMS server, verify that Use this RMS server is selected and that the URL specified for the RMS server that you want to use is correct.

To check the health and availability of the RMS server

  • Browse to http:// (or https://)<RMS server>/_wmcs/certification/servercertification.asmx where <RMS Server> is either the FQDN or NetBIOS name of the RMS server.

    If the page is not successfully loaded, the RMS server is not operational and the problem is not specific to the site.

    If the RMS server is down for maintenance or otherwise inoperative, normal operations might resume after the server is back online. In this case, it is not necessary to make any changes in Windows SharePoint Services 3.0.

Delete stored licenses

The stored licenses might be corrupt. You must delete the current licenses. They will be automatically re-created. You must be a member of the SharePoint Administrators group to stop and start the Windows SharePoint Services 3.0 Web application. You must have write access to the license directories to delete these directories.

Note

Restarting IIS will render all the Web content on that server unavailable to users while it is starting up. You might want to restart IIS during a regularly-scheduled service time.

To perform steps 1 and 4, you must be a member of the Administrators group on the local computer. To perform step 3, you must have Write permissions to the directory.

To delete stored licenses

  1. Stop the Windows SharePoint Services 3.0 Web application by running the following command at the command prompt.

    iisreset /stop

  2. On the Windows SharePoint Services 3.0 front-end Web server, navigate to the %allusersprofile%\Application Data\Microsoft\DRM\Server\ folder

  3. Delete all folders named after the Windows SharePoint Services 3.0 application pool identity account. The application pool identity is the user account that Windows SharePoint Services 3.0 is running under.

  4. Restart the Windows SharePoint Services 3.0 process by running the following command at the command prompt.

    iisreset /start

Reload IRM manifests

To reload the IRM manifests provided with Windows SharePoint Services 3.0, you must reinstall Windows SharePoint Service 3.0. If the problem persists after reinstallation, check the server for malicious software.

Important

Before reinstalling Windows SharePoint Services 3.0, it is highly recommended that you back up all data on the affected server.

To perform this procedure, you must be a member of the Administrators group on the local computer.

Verify

To verify that this problem is resolved, users should download and then re-upload a file from a rights-managed document library. If successful, then the problem is resolved.

To activate Information Rights Management on a document library, navigate to that library’s Document Library Settings page. Click Information Rights Management and select Restrict permission to documents in this library on download.

You must be a site administrator to perform this task.

Information Rights Management (Health model)

Windows SharePoint Services 3.0 health model