Event ID 5056 (Windows SharePoint Services health model)

Applies To: Windows SharePoint Services 3.0

 

Information Rights Management (IRM) allows content creators to assign rights to documents that they send to others. These documents are referred to as “rights-protected” documents. The data in rights-protected documents is encrypted so that it can be viewed only by authorized users. Furthermore, a rights-protected document stores an issuance license that specifies which rights users have to the content. For example, an author can specify the following rights for a document:

  • Document is read-only.

  • Text in the document cannot be copied.

  • Document cannot be printed.

IRM relies on Windows Rights Management Services (RMS) to create the issuance license, and perform the encryption and decryption of rights-protected documents. When IRM is enabled on a list or library, Windows SharePoint Services 3.0 automatically adds the permissions that are assigned to an item to the issuance license of that item when that item is downloaded. This means that permissions that are set on documents in lists and libraries are enforced by IRM even after a document is downloaded from the site.

For more information about IRM and Windows SharePoint Services 3.0, see Deploying Active Directory Rights Management Services with Microsoft Office SharePoint Server 2007 Step-By-Step Guide (https://go.microsoft.com/fwlink/?LinkId=93136).

Event Details

Product: Windows SharePoint Services

ID: 5056

Source: Windows SharePoint Services 3

Version: 12.0

Symbolic Name: ULSEvtTag_5056

Message:

Information Rights Management (IRM): There was a problem while trying to activate a rights account certificate.

Possibly an HTTP 401 error (an authentication error) was returned by an Internet request.

Additional Data

Error value: %1

Server URL: %2

Resolve

Configure RMS server to accept requests

An RMS server refused access to a computer running Windows SharePoint Services 3.0. This alert indicates that a front-end Web server contacted the RMS server but the RMS server denied access to the Web server. Generally, this error occurs when an administrator is first enabling IRM for the Web farm in Central Administration. If this is the case, IRM cannot be enabled in Central Administration, and list administrators will not be able to enable IRM on a document library or list until the error is resolved. If this error occurs after IRM is enabled, downloads from a rights-protected list or library will fail until the error is resolved.

To resolve this issue, the RMS server must be configured to accept requests from the server running Windows SharePoint Services 3.0 that caused this error. The RMS server settings that are required differ depending on whether:

  • You want the RMS server to accept requests from all computers on the domain, and Windows SharePoint Services 3.0 is installed as a single server on the same domain as your RMS server.

  • You do not want the RMS server to accept requests from all servers on the domain, and Windows SharePoint Services 3.0 is installed as a single server (recommended).

  • Windows SharePoint Services 3.0 is installed in a Web farm configuration.

    Note

    It is recommended that you configure the RMS server to inherit permissions from the Certification folder on ServerCertification.asmx and then add the computer account of the Windows SharePoint Services 3.0 server (for a single server installation) instead of opening this up to all Domain Computers.

SharePoint administrators can discover the correct FQDN, NetBIOS name or service account name to configure on the RMS server by attempting to authenticate against the RMS server:

To discover the correct service account name

  1. In Central Administration, on the left navigation pane, click Operations.

  2. On the Operations page, in the Security Configuration section, click Information Rights Management.

  3. On the Information Rights Management page, click either Use the default RMS server specified in Active directory or Use this RMS server, and then type the URL for the RMS server you want to use.

  4. Click OK.

Use the procedure that is appropriate for your situation.

You must be an administrator on the RMS server to make these changes.

To configure the RMS server to accept requests from all servers in the domain

  1. On the RMS server, navigate to the folder containing the ServerCertification.asmx file. This file is typically located in the %systemdrive%\Inetpub\wwwroot\_wmcs\Certification folder.

  2. Add the computer account of the Windows SharePoint Services 3.0 Server to the access control list (ACL) of the ServerCertification.asmx file and assign it the Read & Execute permission.

For a single server installation, the RMS server's Server Certification service must be configured by using either the FQDN or the NetBIOS name of the stand-alone server running Windows SharePoint Services 3.0.

Note

You must know the FQDN or NetBIOS name of the server before performing the following steps. If you do not know this name, see the "To discover the correct service account name" procedure to determine the name before continuing.

To configure the RMS server to accept requests from Windows SharePoint Services installed as a single server

  1. On the RMS server, navigate to the folder containing the ServerCertification.asmx file. This file is typically located in the %systemdrive%\Inetpub\wwwroot\_wmcs\Certification folder.

  2. Add the FQDN or NetBIOS name of the server that cannot access the RMS server to the ACL of the ServerCertification.asmx file, and assign it the Read & Execute permission.

For a Web farm installation of Windows SharePoint Services 3.0, the Server Certification service running on the RMS server must be configured with the service account used by each Web application that is IRM-enabled.

Note

You must know the exact service account name or names before performing the following steps. If you do not know the exact service account names that you need, see the "To discover the correct service account name" procedure before continuing.

To configure the RMS server to accept requests from Windows SharePoint Services 3.0 installed in a farm

  1. On the RMS server, navigate to the folder containing the ServerCertification.asmx file. This file is typically located in the %systemdrive%\Inetpub\wwwroot\_wmcs\Certification folder.

  2. Add each service account assigned to an application pool for the Web application on the server that cannot access the RMS server to the ACL of the ServerCertification.asmx file, and assign it the Read & Execute permission.

Note

If the server farm uses multiple application pools, each application pool’s service account must be added to the RMS server ServerCertification.asmx file.
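The ACL change in the three procedures above can be audited and applied from PowerShell on the RMS server. The script below is an added example, not part of the original article or of Microsoft's tooling. The account names are hypothetical placeholders, and the list of "broad" groups is an assumption based on the note about not opening the file to all Domain Computers.

```powershell
# Added example: audit and (optionally) tighten the ACL on ServerCertification.asmx.
# Run on the RMS server as an administrator. Without -Apply it only reports.
param(
    # Typical location given in the article; adjust if RMS is installed elsewhere.
    [string]$AsmxPath = "$env:SystemDrive\Inetpub\wwwroot\_wmcs\Certification\ServerCertification.asmx",
    # Hypothetical names: use the computer account (single server) or the
    # application pool service accounts (farm) shown in the SharePoint error message.
    [string[]]$Accounts = @('CONTOSO\WSS01$', 'CONTOSO\svc-wss-apppool'),
    [switch]$Apply
)

# Assumed list of groups that grant access far beyond the named servers or accounts.
$broad = 'Everyone', 'Authenticated Users', 'Domain Computers', 'Domain Users'
$acl   = Get-Acl -Path $AsmxPath

# Flag allow entries that open the certification endpoint to whole groups.
foreach ($ace in $acl.Access) {
    $name = $ace.IdentityReference.Value.Split('\')[-1]
    if ($ace.AccessControlType -eq 'Allow' -and $broad -contains $name) {
        Write-Warning "Broad allow entry: $($ace.IdentityReference) ($($ace.FileSystemRights))"
    }
}

# Check each required account for Read & Execute and add it only when missing.
$rx      = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$changed = $false
foreach ($account in $Accounts) {
    $existing = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $account -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $rx) -eq $rx
    }
    if ($existing) { Write-Output "OK: $account already has Read & Execute"; continue }
    Write-Output "Missing: $account has no Read & Execute entry"
    if ($Apply) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, $rx, 'Allow')
        $acl.AddAccessRule($rule)
        $changed = $true
    }
}

# Write the ACL back only if something was actually added.
if ($changed) { Set-Acl -Path $AsmxPath -AclObject $acl; Write-Output "ACL updated on $AsmxPath" }
```

Run it once without `-Apply` to see which accounts are missing and whether any group-wide entries are present, then rerun with `-Apply` to add only the missing accounts.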

If the front-end Web server has not been configured on the RMS server, an error message appears that states that the computer running Windows SharePoint Services 3.0 could not authenticate against the RMS server. In this error message, the FQDN or NetBIOS name of the server or the service account that you must register with the RMS server will appear.

Note

If you are using multiple application pools that use different service accounts, only the service account for the SharePoint Central Administration site will appear.

Verify

To verify that this problem is resolved, users should download and then re-upload a file from a rights-managed document library. If successful, then the problem is resolved.

To activate Information Rights Management on a document library, navigate to that library’s Document Library Settings page. Click Information Rights Management and select Restrict permission to documents in this library on download.

You must be a site administrator to perform this task.
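Alongside the download and re-upload test, an administrator can confirm that Event ID 5056 has stopped recurring on each front-end Web server. The query below is an added example, not part of the original article. It assumes the event is written to the Application log and that the first two event properties correspond to the %1 (error value) and %2 (server URL) fields of the message.

```powershell
# Added example: summarize Event ID 5056 occurrences from the last 24 hours.
# Run on a front-end Web server running Windows SharePoint Services 3.0.
$since  = (Get-Date).AddHours(-24)
$filter = @{
    LogName      = 'Application'                    # assumption: log that holds WSS 3.0 events
    ProviderName = 'Windows SharePoint Services 3'  # Source value listed under Event Details
    Id           = 5056
    StartTime    = $since
}

# Get-WinEvent reports an error when nothing matches, so suppress it and test the count.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    Write-Output "No Event ID 5056 logged since $since"
    return
}

# Pull out the two insertion values and group, so that a single misconfigured
# RMS URL or a recurring error value stands out.
$events | ForEach-Object {
    New-Object PSObject -Property @{
        Time       = $_.TimeCreated
        ErrorValue = [string]$_.Properties[0].Value   # assumption: %1 in the message
        ServerUrl  = [string]$_.Properties[1].Value   # assumption: %2 in the message
    }
} | Group-Object ServerUrl, ErrorValue |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ Name = 'LastSeen'; Expression = { ($_.Group | Sort-Object Time | Select-Object -Last 1).Time } }
```

A `LastSeen` time later than the ACL change on the RMS server means the Web server is still being refused and the account added to ServerCertification.asmx should be rechecked.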
