I recently had this problem on a customer site: documents could be protected using RMS with manual permissions with no problems, the bootstrapping process completed and all was fine. However, after creating Administrative Templates and attempting to apply protection using those templates, it failed with the useful “An unexpected error has occurred..” message. Hmmm, head scratcher…
So, troubleshooting: I made sure I had applied permissions correctly on the template; not that I should receive an error message like the one I was getting, but a good place to start. Checked access to the template file share, fine. Checked the AD RMS server was exporting the templates correctly, fine, but I did notice something else in checking this...
I opened one of the templates in an XML editor and noticed that the licensing cluster URL contained a :443; checking in the AD RMS console, this was the case in the licensing URL there too. The trouble with this is that the CLC certificates are matched with the RACs using the RMS URL; if they are different (certification has no :443 and licensing has :443) you hit an error.
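The check described above can be scripted. This is an added example, not code from the original post: it finds URLs that spell out their scheme's default port, and shows why the test has to run on the raw string, since `[uri]` normalizes `:443` away. The function name, host name and XML snippet are constructed for illustration.

```powershell
# Added example. Find-ExplicitDefaultPort is a hypothetical helper name; the
# host and the XML below are constructed, and only the URL strings matter,
# not the element names (this is not the real template schema).
function Find-ExplicitDefaultPort {
    param(
        [Parameter(Mandatory)][string]$Text,
        [string]$Source = '(inline)'
    )
    # Pick up every http/https URL in the text, whatever element holds it.
    $pattern = 'https?://[^\s"''<>]+'
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $raw = $m.Value
        $uri = [uri]$raw
        # [uri] drops a default port from AbsoluteUri, so a URI-level compare
        # hides the difference. Test the raw authority for an explicit port.
        $hasExplicitPort = $raw -match '^https?://[^/]+:\d+(/|$)'
        if ($hasExplicitPort -and $uri.IsDefaultPort) {
            [pscustomobject]@{
                Source     = $Source
                Url        = $raw
                Normalized = $uri.AbsoluteUri
            }
        }
    }
}

# Constructed sample standing in for an exported template file.
$sample = @'
<template>
  <licensing>https://rms.example.test:443/_wmcs/licensing</licensing>
  <certification>https://rms.example.test/_wmcs/certification</certification>
</template>
'@

# Reports only the licensing URL, alongside its normalized form without :443.
Find-ExplicitDefaultPort -Text $sample -Source 'sample.xml' | Format-List

# To scan real exported templates (the share path is a placeholder):
# Get-ChildItem '\\server\share\templates' -Filter *.xml | ForEach-Object {
#     Find-ExplicitDefaultPort -Text (Get-Content $_.FullName -Raw) -Source $_.Name
# }
```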
To resolve this issue, follow these steps (Note: while following these steps you will remove the SCP temporarily; users will not be able to protect or consume new content during this period, so be careful!):
1.) Open the ADRMS console and Right Click on the Server name, and go to Properties.
2.) Go to the ‘SCP’ tab and remove the SCP.
3.) Go to the Cluster URLs tab, and check the box for ‘Extranet URLs’ (If you have Extranet URLs configured then ensure the :443 is not present and move on)
4.) Enter anything into both boxes and click Apply.
5.) Uncheck the ‘Extranet URLs’ box, and hit Apply, then OK.
6.) Close the ADRMS Console and re-open it.
7.) Right Click on the server name>Properties>SCP Tab, and register the SCP.
8.) Check your RMS settings now and make sure that no :443 exists in any of the cluster URLs.
9.) Go to Regedit and create this key on each cluster in the server
11.) Go to an Administrative command prompt and run IISRESET on each server in the cluster
12.) Go to the client PC and delete the %localappdata%\Microsoft\DRM folder.
13.) In the ADRMS console right click the Administrative Template and select “Archive this Rights Policy Template”
14.) Select Manage Archived Rights Policy Templates and Right click the template and select Copy, give it a different name
15.) Right click the copy and select “Distribute this Rights Policy Template”
Once these steps are completed you should be able to go back into your application and apply protection using the Administrative Template! Yay!