
AD RMS cannot generate RACs for users after AD RMS is upgraded to Cryptographic Mode 2



Symptoms

After you upgrade Active Directory Rights Management Services (AD RMS) from Cryptographic Mode 1 to Cryptographic Mode 2, AD RMS stops issuing Rights Account Certificates (RACs) to users. Additionally, when a user requests an RAC, a log entry that resembles the following is generated if you enable the debug log on the AD RMS server:
+[Tier1Diagnostic] http://your.adrms.cluster/_wmcs/certification/Certification.asmx
CallStack:Microsoft.DigitalRightsManagement.Certification.BaseCertificationWebService.Certify  
System.InvalidCastException  
        Message: Unable to cast object of type 'System.DBNull' to type 'System.String'.  
        StackTrace:    at  Microsoft.DigitalRightsManagement.Certification.CertificationGen._InitializeUserKeys(SqlCommand userDataCmd)  
   at  Microsoft.DigitalRightsManagement.Certification.CertificationGen._UpdateUser(Int32 userDatabaseId, String userName, Identification identification, Boolean persistent, SqlCommand userDataCmd, RsaKeyBlob& userKeys, PersonaCertificate& certificate)  
   at  Microsoft.DigitalRightsManagement.Certification.CertificationGen._GetUserKeysAndCertificate(String userName, Identification identification, Byte[] machinePublicKeyHash, Boolean persistent, RsaKeyBlob& userKeys, PersonaCertificate& certificate)  
   at  Microsoft.DigitalRightsManagement.Certification.CertificationGen.Certify(String userName, Identification identification, String machineCertificate, Boolean persistent)  
   at  Microsoft.DigitalRightsManagement.Certification.Pipeline.Certify(CAType caType, CertifyParams[] requestParameters, HttpRequest request, IIdentity userIdentity)  
   at  Microsoft.DigitalRightsManagement.Certification.BaseCertificationWebService.PipelineCertify(CAType caType, String userName, String[] machineCertificateChain, Boolean persistent)  
   at  Microsoft.DigitalRightsManagement.Certification.BaseCertificationWebService.Certify(CAType caType, CertifyParams requestParameters)

This issue occurs in Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 Service Pack 1 (SP1) with update 2627272.



Cause

This issue occurs because the data in the UD_Users table and its related tables is not deleted during the Cryptographic Mode 2 upgrade. The UD_Users table therefore still holds Cryptographic Mode 1 user keys, and AD RMS cannot generate Cryptographic Mode 2 RACs for those users.



Workaround

To work around this issue, remove all the data in the UD_Users table and related tables before you upgrade to Cryptographic Mode 2.

Note If you encounter the problem that is described in the "Symptoms" section, you must restore the AD RMS cluster to Cryptographic Mode 1 by using your backup file.

To remove the data, run the following SQL statements against the DRMS_Config_your_adrms_cluster_address_port database to empty the UD_Users table and related tables:
    DELETE FROM UD_UserMachine;
    DELETE FROM UD_Machines;
    DELETE FROM UD_WindowsAuthIdentities;
    DELETE FROM UD_FederationAuthIdentities;
    DELETE FROM UD_Users;
Then, perform the Cryptographic Mode 2 upgrade.
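The same five deletes, wrapped in one transaction that refuses to commit unless every table is actually empty afterwards. This is an added example and not part of the KB article; DRMS_Config_<cluster>_<port> is a placeholder for your cluster's configuration database name, and the script assumes a full backup of that database has already been taken.

```sql
-- Added example, not from the KB article. Run against the AD RMS
-- configuration database (placeholder name: DRMS_Config_<cluster>_<port>)
-- only after a full backup of that database exists.
SET NOCOUNT ON;
SET XACT_ABORT ON;   -- any runtime error rolls the whole batch back

BEGIN TRANSACTION;

-- Record how many rows are about to be removed, for the change record.
SELECT 'UD_UserMachine'               AS TableName, COUNT(*) AS RowsToDelete FROM UD_UserMachine
UNION ALL SELECT 'UD_Machines',                  COUNT(*) FROM UD_Machines
UNION ALL SELECT 'UD_WindowsAuthIdentities',     COUNT(*) FROM UD_WindowsAuthIdentities
UNION ALL SELECT 'UD_FederationAuthIdentities',  COUNT(*) FROM UD_FederationAuthIdentities
UNION ALL SELECT 'UD_Users',                     COUNT(*) FROM UD_Users;

-- Same order as the article: dependent tables first, UD_Users last.
DELETE FROM UD_UserMachine;
DELETE FROM UD_Machines;
DELETE FROM UD_WindowsAuthIdentities;
DELETE FROM UD_FederationAuthIdentities;
DELETE FROM UD_Users;

-- The article requires these tables to be empty before the Mode 2 upgrade,
-- so count what is left and refuse to commit if anything remains.
DECLARE @remaining int =
      (SELECT COUNT(*) FROM UD_UserMachine)
    + (SELECT COUNT(*) FROM UD_Machines)
    + (SELECT COUNT(*) FROM UD_WindowsAuthIdentities)
    + (SELECT COUNT(*) FROM UD_FederationAuthIdentities)
    + (SELECT COUNT(*) FROM UD_Users);

IF @remaining <> 0
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('Cleanup incomplete: %d rows remain; nothing was committed.', 16, 1, @remaining);
END
ELSE
BEGIN
    COMMIT TRANSACTION;
    PRINT 'UD_Users and related tables are empty; proceed with the Cryptographic Mode 2 upgrade.';
END
```

Run the script from a query window connected to the configuration database; the first result set is the row-count record and the final message tells you whether the deletes were committed.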

Note Enabling Cryptographic Mode 2 on clients and servers is a one-way upgrade. There is no supported method for reverting to the previous cryptographic mode once the higher level is enabled.



Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.



More Information

For more information about AD RMS cryptographic modes, go to the following Microsoft website:



Keywords: kb, kbsurveynew, kbexpertiseadvanced, kbprb, kbtshoot


Article Info
Article ID : 3000955
Revision : 1
Created on : 1/7/2017
Published on : 9/29/2014
Exists online : False
Views : 490