[Solved] Warning: Failed to acquire a Rights Account Certificate (RAC) and/or a Client Licensor Certificate (CLC)
While configuring RMS (Rights Management Services), I have found that a lot of people commonly hit this issue, and we struggle a lot to get it solved. So in this blog post I am sharing how I resolved it. When integrating Exchange Server with RMS, we need to run a few test commands before setting it up permanently. While doing so, we might face this issue.
Issue:
The warning tells you that you have not given the ‘Exchange Servers Group’ the ‘Read’ and ‘Read & Execute’ rights on the ‘ServerCertification.asmx’ and ‘Publish.asmx’ files on your AD RMS server, which is why the Exchange server is not able to validate the configuration. But even after doing this you might face the same issue. You might then go through several reboots to make sure all the configuration has been refreshed. But a reboot alone will not solve your problem; there is a missing piece of the puzzle.
Acquiring Rights Account Certificate (RAC) and Client Licensor Certificate (CLC) …
– WARNING: Failed to acquire a Rights Account Certificate (RAC) and/or a Client Licensor Certificate
(CLC). This failure may cause features such as Transport Decryption, Transport Protection Rules, Journal
Report Decryption, IRM in Outlook Web App, IRM in Exchange ActiveSync, and IRM Search to not work. Make sure
that the Exchange Servers Group is granted “Read” and “Read & Execute” rights on the
ServerCertification.asmx and Publish.asmx pipelines on your AD RMS server. For details, see “Set Permissions
on the AD RMS Certification Pipeline” at http://go.microsoft.com/fwlink/?LinkId=186951.
—————————————-
Microsoft.Exchange.Security.RightsManagement.RightsManagementException: Failed to acquire server box RAC
from https://rms.pdhewaju.com.np/_wmcs/certification/servercertification.asmx. —> System.Net.WebException:
The request failed with HTTP status 401: Unauthorized.
at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
at System.Web.Services.Protocols.SoapHttpClientProtocol.EndInvoke(IAsyncResult asyncResult)
at Microsoft.Exchange.Security.RightsManagement.SOAP.ServerCertification.ServerCertificationWS.EndCertify(IAsyncResult asyncResult)
at Microsoft.Exchange.Security.RightsManagement.ServerCertificationWSManager.EndAcquireRac(IAsyncResult asyncResult)
— End of inner exception stack trace —
at Microsoft.Exchange.Data.Storage.RightsManagement.RmsClientManager.EndAcquireInternalOrganizationRACAndCLC(IAsyncResult asyncResult)
at Microsoft.Exchange.Management.RightsManagement.IRMConfigurationValidator.TryGetRacAndClc()
Resolution:
Once the SCP has been confirmed as registered, we need to configure permissions so that the Exchange 2010 server can integrate with the RMS server, because by default it will not be able to do so. Specifically, we need to give two groups, Exchange Servers and AD RMS Service Group, the Read & Execute and Read permissions on the RMS certification pipeline. This is achieved by modifying the security permissions on the ServerCertification.asmx file that is stored on the RMS server.
By default, this file is found in the \inetpub\wwwroot\_wmcs\certification folder. When you have located this file, bring up its properties and click the Security tab. By default, AD RMS Service Group is given ‘Read’ and ‘Read & Execute’ permission on the parent folder, but sometimes you might need to grant it on the specific files as well.
You also need to grant the same permissions on the Publish.asmx file in the \inetpub\wwwroot\_wmcs\licensing location.
Once you have done this, run the cmdlet again. This time you will get a success result… 🙂
Have a good time solving the issue… 😀
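The permission steps above can also be checked and applied from PowerShell on the AD RMS server. This is an added example, not part of the original post; the C: drive, the CONTOSO domain name and the assumption that AD RMS Service Group is a local group on that server are placeholders to adjust.

```powershell
# Added example (not from the original post). Run elevated on the AD RMS server.
# Assumptions: default site on C:, placeholder domain CONTOSO, and
# "AD RMS Service Group" being a local group on this server.
param(
    [string]$WebRoot = 'C:\inetpub\wwwroot\_wmcs',
    [string]$Domain  = 'CONTOSO',   # placeholder: your domain's NetBIOS name
    [switch]$Apply                  # without -Apply the script only reports
)

$files = @(
    (Join-Path $WebRoot 'certification\ServerCertification.asmx'),
    (Join-Path $WebRoot 'licensing\Publish.asmx')
)
$principals = @("$Domain\Exchange Servers", "$env:COMPUTERNAME\AD RMS Service Group")
# Read & Execute is a superset of Read, so one right covers both check boxes.
$needed  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$sidType = [System.Security.Principal.SecurityIdentifier]

foreach ($file in $files) {
    if (-not (Test-Path -LiteralPath $file)) { Write-Warning "Not found: $file"; continue }
    $acl = Get-Acl -LiteralPath $file
    $changed = $false
    foreach ($name in $principals) {
        try { $sid = ([System.Security.Principal.NTAccount]$name).Translate($sidType) }
        catch { Write-Warning "Cannot resolve '$name'"; continue }

        # Explicit and inherited Allow entries both count (the parent folder may grant it).
        $ok = $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
            $_.IdentityReference.Value -eq $sid.Value -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $needed) -eq $needed
        }
        if ($ok) { Write-Output "OK      $name -> $file"; continue }

        Write-Output "MISSING $name -> $file"
        if ($Apply) {
            # Grant only Read & Execute; no write or modify rights are needed.
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, $needed, 'Allow')
            $acl.AddAccessRule($rule)
            $changed = $true
        }
    }
    if ($changed) {
        Set-Acl -LiteralPath $file -AclObject $acl
        Write-Output "UPDATED $file"
    }
}
```

Run it first without `-Apply` to see which entries are missing; after applying, re-run the IRM test (`Test-IRMConfiguration`) from the Exchange server. The check looks only at Allow entries, so a Deny entry on either file still has to be reviewed by hand.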
Great article! You saved me a lot of time, thank you!