Event ID 182 — AD RMS Cluster Configuration

Updated: December 3, 2008

Applies To: Windows Server 2008 R2


Servers in an Active Directory Rights Management Services (AD RMS) cluster are configured to both send and receive requests from AD RMS clients, other servers in the AD RMS cluster, and the AD RMS databases.

Event Details

Product: Windows Operating System
ID: 182
Source: Active Directory Rights Management Services
Version: 6.1
Symbolic Name: CryptographyErrorEvent
Message: The Data Protection API layer on this computer is not working correctly.

Parameter Reference
Context: %1
RequestId: %2


Fix data protection API problems

The data protection API (DPAPI) is used to protect the private key of an AD RMS machine certificate. If the DPAPI layer on the computer is not working correctly, AD RMS users cannot consume or publish rights-protected content.

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To resolve this error:

  • Mandatory profiles are not supported with DPAPI. As a result, the private key of the AD RMS machine certificate cannot be retrieved. Reconfigure your client computers to use standard profiles.
  • When using roaming profiles on your client computers, the domain user must be logged on to only one computer in the domain at a time. If a user is logged on to multiple computers at the same time, DPAPI will probably not be able to retrieve the private key of the AD RMS machine certificate. You should log off all computer in the domain but one.
  • If neither of the above scenarios are valid, you should reinstall the operating system on the computer that is experiencing issues with DPAPI.

For more infomation about troubleshooting DPAPI, see http://go.microsoft.com/fwlink/?LinkId=83540.

For more information about managing user profiles on computers running Microsoft Windows Vista, see http://go.microsoft.com/fwlink/?LinkId=73435.


To perform this procedure, you must be a member of the local Users group, or you must have been delegated the appropriate authority.

Note: Microsoft Office Word 2007 is used as an example in this section. Any AD RMS-enabled application can be used in place of Word 2007.

To verify that AD RMS is configured correctly, do the following:

  1. Log on to an AD RMS-enabled client computer.
  2. Click Start, point to All Programs, point to Microsoft Office, and then click Microsoft Office Word 2007.
  3. In the new document type This is a test document.
  4. Click the Microsoft Office Start Button, point to Prepare, point to Restrict Permissions, and then click Restricted Access.
  5. Select the Restrict permissions to this document check box.
  6. Type another AD RMS user's e-mail address in the Read box, and then click OK.
  7. Send this file to the person who was granted access in step 6.
  8. Have this person open the document and verify that he or she cannot do anything else with the document such as print it.

Related Management Information

AD RMS Cluster Configuration

Active Directory Rights Management Services

Community Additions