Event ID 126 — AD RMS Trust Policy Integrity

Applies To: Windows Server 2008

Trust policies in Active Directory Rights Management Services (AD RMS) allow users to share rights-protected content across Active Directory Domain Services (AD DS) forests that are either internal or external to the organization.

Event Details

Product: Windows Operating System
ID: 126
Source: Active Directory Rights Management Services
Version: 6.0
Symbolic Name: PublicPrivateKeyMismatchEvent
Message: The private key does not match the public key extracted from the corresponding trusted publishing domain server licensor certificate. Make sure that the Active Directory Rights Management Services (AD RMS) service account has access to the private key store. If the cluster key is centrally managed by AD RMS, ensure that the AD RMS configuration database is available on the network. If the cluster key is stored in a hardware-based cryptographic storage provider, verify that the cluster key has been imported into the AD RMS cluster. Re-import the trusted publishing domain.

Parameter Reference
Context: %1
RequestId: %2
%3
%4

Resolve

Import the trusted publishing domain from a file

First, check the network availability of the AD RMS configuration database server by using the procedure in the section named "Check that the AD RMS configuration database is available from the AD RMS server". If the configuration database is available on the network, try to import the trusted publishing domain file again by using the procedure in the section named "Import the trusted publishing domain again". If you still cannot import the trusted publishing domain, use the procedure in the section named "Restore AD RMS configuration database from previous backup" to restore the configuration database to an earlier version.

Check that the AD RMS configuration database is available from the AD RMS server

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To check that the AD RMS configuration database is available on the network:

  1. Type ipconfig /all at a command prompt on the AD RMS configuration database server. Make sure that the AD RMS server has an IP address in the correct IP address range, and does not have an Automatic Private IP Addressing (APIPA) address (an IP address in the 169.254.x.x range).
  2. Type ping localhost to verify that TCP/IP is installed and correctly configured on the local computer. If the ping is unsuccessful, this may indicate a corrupt TCP/IP stack or a problem with the network adapter.
  3. Type ping ip_address, where ip_address is the IP address assigned to the computer. If you can ping the localhost address but not the local IP address, there may be an issue with the routing table or with the network adapter driver.
  4. Type ping dns_server, where dns_server is the IP address for the DNS server. If there is more than one DNS server on your network, you should ping each one. If you cannot ping the DNS servers, this indicates a potential problem with the DNS servers, or with the network between the AD RMS configuration database server and the DNS servers.
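The four checks above can be run as one script instead of typing each command by hand. The following PowerShell script is an added example and is not part of the original article; it assumes it is run in an elevated PowerShell session on the AD RMS configuration database server, reads the local IPv4 addresses and DNS servers from the adapter configuration (the Win32_NetworkAdapterConfiguration WMI class) rather than from a hard-coded list, and uses Test-Connection in place of the ping command.

```powershell
# Added example (not from the original article): automates the four
# network-availability checks for the AD RMS configuration database server.
# Assumes an elevated session on that server and PowerShell 2.0 or later.

$ok = $true

# Step 1: list IP-enabled adapters and flag APIPA (169.254.x.x) addresses.
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
$ipv4 = @()
foreach ($a in $adapters) {
    foreach ($ip in $a.IPAddress) {
        # Keep IPv4 only; the original check concerns the IPv4 address range.
        if ($ip -match '^\d{1,3}(\.\d{1,3}){3}$') {
            $ipv4 += $ip
            if ($ip -like '169.254.*') {
                Write-Warning "$($a.Description) has APIPA address $ip (no DHCP lease or static address)"
                $ok = $false
            } else {
                Write-Host "$($a.Description): $ip"
            }
        }
    }
}
if ($ipv4.Count -eq 0) { Write-Warning "No IPv4 address assigned"; $ok = $false }

# Step 2: loopback check for the local TCP/IP stack.
if (-not (Test-Connection -ComputerName localhost -Count 2 -Quiet)) {
    Write-Warning "ping localhost failed: possible TCP/IP stack or network adapter problem"
    $ok = $false
}

# Step 3: ping each local IPv4 address.
foreach ($ip in $ipv4) {
    if (-not (Test-Connection -ComputerName $ip -Count 2 -Quiet)) {
        Write-Warning "ping $ip failed: possible routing table or adapter driver problem"
        $ok = $false
    }
}

# Step 4: ping every DNS server configured on any adapter.
$dns = $adapters | ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ } | Sort-Object -Unique
if (-not $dns) { Write-Warning "No DNS servers configured"; $ok = $false }
foreach ($d in $dns) {
    if (Test-Connection -ComputerName $d -Count 2 -Quiet) {
        Write-Host "DNS server $d reachable"
    } else {
        Write-Warning "DNS server $d unreachable: DNS server or network path problem"
        $ok = $false
    }
}

if ($ok) { "All checks passed; retry the trusted publishing domain import." }
else { "One or more checks failed; resolve the network issue before re-importing." }
```

A failed Test-Connection means ICMP echo did not come back, which is what the manual ping steps test; a firewall that drops ICMP between the database server and a DNS server produces the same failure, so confirm the firewall rules before concluding that the DNS server or the network path is at fault.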

Import the trusted publishing domain again

To perform this procedure, you must be a member of the local AD RMS Enterprise Administrators group, or you must have been delegated the appropriate authority.

To import the trusted publishing domain again:

  1. Log on to an AD RMS server in the cluster.
  2. Click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.
  3. Expand the AD RMS cluster, expand Trust Policies, and then click Trusted Publishing Domains.
  4. Click Import Trusted Publishing Domain.
  5. Click Browse, browse to the exported trusted publishing domain file, and then double-click the file.
  6. In the Password box, type the password that was used to export this trusted publishing domain.
  7. In the Display name box, type the display name to be used to identify this trusted publishing domain in the AD RMS cluster.
  8. Click Finish.

Restore AD RMS configuration database from previous backup

To perform this procedure, you must be a member of the local System Administrators database server role, or you must have been delegated the appropriate authority.

To restore AD RMS configuration database from previous backup:

  1. Log on to the AD RMS configuration database server.
  2. Click Start, point to All Programs, click Microsoft SQL Server 2005, and then click SQL Server Management Studio.
  3. In the Server name box, type the name of the AD RMS configuration database server, and then click Connect.
  4. Right-click Databases, and then click Restore Database.
  5. In the To database box, select the AD RMS configuration database from the list.
  6. Click the From device option, and then click Browse.
  7. Click Add.
  8. In the Locate Backup File window, select the database backup file, and then click OK two times.
  9. Select the Restore check box, and then click OK.

Verify

To perform this procedure, you must be a member of the local Users group, or you must have been delegated the appropriate authority.

Note: Microsoft Office Word 2007 is used as an example in this section. Any AD RMS-enabled application can be used in place of Word 2007.

To verify that the AD RMS trust policies are working correctly:

  1. Log on to an AD RMS-enabled client computer.
  2. Click Start, point to All Programs, point to Microsoft Office, and then click Microsoft Office Word 2007.
  3. In the new document type This is a test document.
  4. Click the Microsoft Office Start Button, point to Prepare, point to Restrict Permissions, and then click Restricted Access.
  5. Select the Restrict permissions to this document check box.
  6. Type another AD RMS user's e-mail address in the Read box, and then click OK.
  7. Send this file to the person who was granted access in step 6.
  8. Have this person open the document and verify that he or she cannot print it.
