Event ID 5128 (Windows SharePoint Services health model)
Applies To: Windows SharePoint Services 3.0
Information Rights Management (IRM) allows content creators to assign rights to documents that they send to others. These documents are referred to as “rights-protected” documents. The data in rights-protected documents is encrypted so that it can be viewed only by authorized users. Furthermore, a rights-protected document stores an issuance license that specifies which rights users have to the content. For example, an author can specify the following rights for a document:
Document is read-only.
Text in the document cannot be copied.
Document cannot be printed.
IRM relies on Windows Rights Management Services (RMS) to create the issuance license, and perform the encryption and decryption of rights-protected documents. When IRM is enabled on a list or library, Windows SharePoint Services 3.0 automatically adds the permissions that are assigned to an item to the issuance license of that item when that item is downloaded. This means that permissions that are set on documents in lists and libraries are enforced by IRM even after a document is downloaded from the site.
For more information about IRM and Windows SharePoint Services 3.0, see Deploying Active Directory Rights Management Services with Microsoft Office SharePoint Server 2007 Step-By-Step Guide (https://go.microsoft.com/fwlink/?LinkId=93136).
Event Details
Field | Value |
---|---|
Product | Windows SharePoint Services |
ID | 5128 |
Source | Windows SharePoint Services 3 |
Version | 12.0 |
Symbolic Name | ULSEvtTag_5128 |
Message | Information Rights Management (IRM): There was a problem while initializing a client session for the user %1. User: %2 The default assumption of a publishing user was used for this initialization. The actual publishing user will be fetched and this initialization will be tried again. Additional Data Error value: %3 |
Diagnose
There has been a problem with Information Rights Management (IRM). This error might be caused by one or more of the following conditions. Note: Investigate these issues in the order given:
A Windows Rights Management Services (RMS) server refused access to a computer running Windows SharePoint Services 3.0.
The RMS server is not available.
The locally-stored licenses have become corrupt.
One or more IRM manifests are not valid.
You must be a member of the SharePoint Administrators group to perform the following task:
To determine which server is specified in Central Administration
In Central Administration, on the left navigation pane, click Operations.
On the Operations page, in the Security Configuration section, click Information Rights Management.
On the Information Rights Management page, if the Use this RMS server option is selected, the server name appears in the box.
Note
If the Use the default RMS server specified in Active Directory option is selected, contact your domain administrator and ask them for the RMS service connection point. For Active Directory Rights Management Services, this can be obtained in the Active Directory Rights Management Services MMC console. For previous versions of RMS, you can get it by using the GetRMSScp.exe from the RMS Administration Toolkit.
To determine if the RMS server is available
At the command prompt on a computer that should have access to the RMS server and that is not the same computer that received this event, type the following and press ENTER:
ping <RMS Server DNS name>
The ping should reply in a timely manner. If it does not, the RMS server is not available on the network.
At the command prompt on the Windows SharePoint Services 3.0 computer that received this event, type the following and press ENTER:
ping <RMS Server DNS name>
The ping should reply in a timely manner. If it does not, the network between the Windows SharePoint Services 3.0 computer and the RMS server might be down.
Resolve
To resolve this issue, use the resolution that corresponds to the cause you identified in the Diagnose section. After performing the resolution, see the Verify section to confirm that the feature is operating properly.
Cause | Resolution |
---|---|
Windows SharePoint Services 3.0 could not establish a connection with an RMS server | Configure RMS server to accept requests |
Windows SharePoint Services 3.0 could not establish a connection with an RMS server | Check RMS server status and settings |
The RMS client on a computer running Windows SharePoint Services 3.0 registered an error | Delete stored licenses |
One or more IRM manifests are not valid | Reload IRM manifests |
Configure RMS server to accept requests
An RMS server refused access to a computer running Windows SharePoint Services 3.0. This alert indicates that a front-end Web server contacted the RMS server but the RMS server denied access to the Web server. Generally, this error occurs when an administrator is first enabling IRM for the Web farm in Central Administration. If this is the case, IRM cannot be enabled in Central Administration, and list administrators will not be able to enable IRM on a document library or list until the error is resolved. If this error occurs after IRM is enabled, downloads from a rights-protected list or library will fail until the error is resolved.
To resolve this issue, the RMS server must be configured to accept requests from the server running Windows SharePoint Services 3.0 that caused this error. The RMS server settings that are required differ depending on whether:
You want the RMS server to accept requests from all computers on the domain, and Windows SharePoint Services 3.0 is installed as a single server on the same domain as your RMS server.
You do not want the RMS server to accept requests from all servers on the domain, and Windows SharePoint Services 3.0 is installed as a single server (recommended).
Windows SharePoint Services 3.0 is installed in a Web farm configuration.
Note
It is recommended that you configure the RMS server to inherit permissions from the Certification folder on ServerCertification.asmx and then add the computer account of the Windows SharePoint Services 3.0 server (for a single server installation) instead of opening this up to all Domain Computers.
SharePoint administrators can discover the correct FQDN, NetBIOS name or service account name to configure on the RMS server by attempting to authenticate against the RMS server:
To discover the correct service account name
In Central Administration, on the left navigation pane, click Operations.
On the Operations page, in the Security Configuration section, click Information Rights Management.
On the Information Rights Management page, click either Use the default RMS server specified in Active Directory or Use this RMS server, and then type the URL for the RMS server you want to use.
Click OK.
Use the procedure that is appropriate for your situation.
You must be an administrator on the RMS server to make these changes.
To configure the RMS server to accept requests from all servers in the domain
On the RMS server, navigate to the folder containing the ServerCertification.asmx file. This file is typically located in the %systemdrive%\Inetpub\wwwroot\_wmcs\Certification folder.
Add the computer account of the Windows SharePoint Services 3.0 Server to the access control list (ACL) of the ServerCertification.asmx file and assign it the Read & Execute permission.
For a single server installation, the RMS server's Server Certification service must be configured by using either the FQDN or the NetBIOS name of the stand-alone server running Windows SharePoint Services 3.0.
Note
You must know the FQDN or NetBIOS name of the server before performing the following steps. If you do not know this name, see the "To discover the correct service account name" procedure to determine the name before continuing.
To configure the RMS server to accept requests from Windows SharePoint Services installed as a single server
On the RMS server, navigate to the folder containing the ServerCertification.asmx file. This file is typically located in the %systemdrive%\Inetpub\wwwroot\_wmcs\Certification folder.
Add the FQDN or NetBIOS name of the server that cannot access the RMS server to the ACL of the ServerCertification.asmx file, and assign it the Read & Execute permission.
For a Web farm installation of Windows SharePoint Services 3.0, the Server Certification service running on the RMS server must be configured with the service account used by each Web application that is IRM-enabled.
Note
You must know the exact service account name or names before performing the following steps. If you do not know the exact service account names that you need, see the "To discover the correct service account name" procedure before continuing.
To configure the RMS server to accept requests from Windows SharePoint Services 3.0 installed in a farm
On the RMS server, navigate to the folder containing the ServerCertification.asmx file. This file is typically located in the %systemdrive%\Inetpub\wwwroot\_wmcs\Certification folder.
Add each service account assigned to an application pool for the Web application on the server that cannot access the RMS server to the ACL of the ServerCertification.asmx file, and assign it the Read & Execute permission.
Note
If the server farm uses multiple application pools, each application pool’s service account must be added to the RMS server ServerCertification.asmx file.
If the front-end Web server has not been configured on the RMS server, an error message appears that states that the computer running Windows SharePoint Services 3.0 could not authenticate against the RMS server. In this error message, the FQDN or NetBIOS name of the server or the service account that you must register with the RMS server will appear.
Note
If you are using multiple application pools that use different service accounts, only the service account for the SharePoint Central Administration site will appear.
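The ACL changes described in this section can be reviewed afterwards with a script like the following, run on the RMS server. It is an added example, not part of the original article; the account names are placeholders, and the set of groups reported as broad is an assumption based on the recommendation above not to open the file to all Domain Computers.

```powershell
# Added example: report which identities hold Read & Execute on ServerCertification.asmx.
# The default path is the typical location named in the article; adjust if RMS is installed elsewhere.
param(
    [string]$Path = "$env:SystemDrive\Inetpub\wwwroot\_wmcs\Certification\ServerCertification.asmx",
    # Placeholder names: the SharePoint computer account and application pool service accounts.
    [string[]]$Expected = @('CONTOSO\WSS01$', 'CONTOSO\svc-wss-apppool')
)

function Get-CertificationAclReport {
    param([string]$Path, [string[]]$Expected)

    $needed = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    # Assumption: these groups are treated as broader than the article recommends.
    $broad  = '\\(Domain Computers|Domain Users|Authenticated Users|Users)$|^Everyone$'

    # Keep only Allow entries that include every Read & Execute bit.
    $allow = @((Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $needed) -eq $needed
    })
    $granted = @($allow | ForEach-Object { $_.IdentityReference.Value })

    foreach ($ace in $allow) {
        $id = $ace.IdentityReference.Value
        $status = if ($Expected -contains $id) { 'expected' }
                  elseif ($id -match $broad)   { 'broad group: review' }
                  else                         { 'other' }
        [pscustomobject]@{ Identity = $id; Inherited = $ace.IsInherited; Status = $status }
    }

    # Accounts that should be able to reach the service but have no matching entry.
    foreach ($name in $Expected) {
        if ($granted -notcontains $name) {
            [pscustomobject]@{ Identity = $name; Inherited = $null; Status = 'missing Read & Execute' }
        }
    }
}

Get-CertificationAclReport -Path $Path -Expected $Expected | Format-Table -AutoSize
```

In a farm, pass every IRM-enabled application pool's service account in `-Expected`; a row marked missing corresponds to an account that the RMS server will refuse.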
Check RMS server status and settings
This problem might be caused by a problem with the availability or health of the RMS server. You can check the health of the RMS server by using the procedures below:
You must be a member of the SharePoint Administrators group to perform the following task.
To check IRM settings in Central Administration
In Central Administration, on the top navigation bar, click Operations.
On the Operations page, in the Security Configuration section, click Information Rights Management.
On the Information Rights Management page, perform one of the following steps:
If your organization specifies the RMS server in Active Directory, verify that Use the default RMS server specified in Active Directory is selected.
If you are manually specifying the location of the RMS server, verify that Use this RMS server is selected and that the URL specified for the RMS server that you want to use is correct.
To check the health and availability of the RMS server
Browse to http:// (or https://)<RMS server>/_wmcs/certification/servercertification.asmx where <RMS Server> is either the FQDN or NetBIOS name of the RMS server.
If the page is not successfully loaded, the RMS server is not operational and the problem is not specific to the site.
If the RMS server is down for maintenance or otherwise inoperative, normal operations might resume after the server is back online. In this case, it is not necessary to make any changes in Windows SharePoint Services 3.0.
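The ping test from the Diagnose section and the browser check above can be combined into one script. This is an added example, not part of the original article; the server name is a placeholder, and reading HTTP 401 or 403 as "access refused" is an assumption about how a denial by the ServerCertification.asmx ACL appears to the client.

```powershell
# Added example: triage RMS reachability from the server that logged event 5128.
# 'rms.contoso.example' is a placeholder; use the RMS server name from Central Administration.
param(
    [string]$RmsServer = 'rms.contoso.example',
    [ValidateSet('http', 'https')][string]$Scheme = 'https'
)

function Test-RmsCertificationEndpoint {
    param([string]$Server, [string]$Scheme)

    $url = "${Scheme}://$Server/_wmcs/certification/servercertification.asmx"
    $status = $null

    # Same test as "ping <RMS Server DNS name>"; ICMP may be filtered, so it is only a hint.
    $ping = Test-Connection -ComputerName $Server -Count 2 -Quiet

    # Request the Server Certification page as the current Windows identity.
    try {
        $resp = Invoke-WebRequest -Uri $url -UseDefaultCredentials -UseBasicParsing -TimeoutSec 15
        $status = [int]$resp.StatusCode
    }
    catch {
        # An HTTP error still carries a response; a connection failure does not.
        $errResp = $_.Exception.Response
        if ($errResp) { $status = [int]$errResp.StatusCode }
    }

    # Map the observations to the causes listed in the Diagnose section.
    # Treating 401/403 as "access refused" is an assumption (see the lead-in).
    $finding = if ($null -eq $status -and -not $ping) { 'RMS server is not reachable on the network' }
               elseif ($null -eq $status)    { 'Host answers ping but the web service does not respond' }
               elseif ($status -in 401, 403) { 'RMS server refused access: review the ServerCertification.asmx ACL' }
               elseif ($status -ge 400)      { 'RMS server returned an error: check RMS server health' }
               else                          { 'Page loaded: RMS server is operational for this identity' }

    [pscustomobject]@{ Url = $url; Ping = $ping; HttpStatus = $status; Finding = $finding }
}

Test-RmsCertificationEndpoint -Server $RmsServer -Scheme $Scheme
```

The request is made with the caller's credentials, so to see what the Windows SharePoint Services 3.0 application pool account sees, run the script in a session started as that account.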
Delete stored licenses
The stored licenses might be corrupt. You must delete the current licenses. They will be automatically re-created. You must be a member of the SharePoint Administrators group to stop and start the Windows SharePoint Services 3.0 Web application. You must have write access to the license directories to delete these directories.
Note
Restarting IIS will render all the Web content on that server unavailable to users while it is starting up. You might want to restart IIS during a regularly-scheduled service time.
To perform steps 1 and 4, you must be a member of the Administrators group on the local computer. To perform step 3, you must have Write permissions to the directory.
To delete stored licenses
1. Stop the Windows SharePoint Services 3.0 Web application by running the following command at the command prompt.
   iisreset /stop
2. On the Windows SharePoint Services 3.0 front-end Web server, navigate to the %allusersprofile%\Application Data\Microsoft\DRM\Server\ folder.
3. Delete all folders named after the Windows SharePoint Services 3.0 application pool identity account. The application pool identity is the user account that Windows SharePoint Services 3.0 is running under.
4. Restart the Windows SharePoint Services 3.0 process by running the following command at the command prompt.
   iisreset /start
Reload IRM manifests
To reload the IRM manifests provided with Windows SharePoint Services 3.0, you must reinstall Windows SharePoint Services 3.0. If the problem persists after reinstallation, check the server for malicious software.
Important
Before reinstalling Windows SharePoint Services 3.0, it is highly recommended that you back up all data on the affected server.
To perform this procedure, you must be a member of the Administrators group on the local computer.
Verify
To verify that this problem is resolved, users should download and then re-upload a file from a rights-managed document library. If successful, then the problem is resolved.
To activate Information Rights Management on a document library, navigate to that library’s Document Library Settings page. Click Information Rights Management and select Restrict permission to documents in this library on download.
You must be a site administrator to perform this task.
Related Management Information
Information Rights Management (Health model)