No permission to sub-enroll

KB Reference: SOX040105700075

Title: Provisioning RMS throws "You do not have permission to sub-enroll to the root server"

Publication Date: 01/05/2004

When trying to provision RMS, you get the following error:

• "You do not have permission to sub-enroll to the root server"

During Provisioning RMS may throw the following Exceptions:

Windows Rights Management Services could not be provisioned on this server.

An error occurred during the provisioning process. Any changes made during the provisioning process have been rolled back. See Windows Rights Management Services Help for more information about the provisioning process.

You do not have permission to sub-enroll to the root server 'http://<rmsserver>/_wmcs/Certification/SubEnrollService.asmx'. Contact your system administrator.

at Microsoft.DigitalRightsManagement.Configuration.SubEnrollment.Enroll() at Microsoft.DigitalRightsManagement.Configuration.ProvisioningBase.Enroll() at Microsoft.DigitalRightsManagement.Configuration.ProvisioningBase.Run() at Microsoft.DigitalRightsManagement.Configuration.UI.ProvisionCommon.Page_Load(Object sender, EventArgs e)

InnerException

The request failed with HTTP status 404: Not Found.

at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall) at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters) at Microsoft.DigitalRightsManagement.
Public.Soapinterfaces.SubEnrollment.SubEnrollService.SubEnroll(SubEnrollParameters oInput) at Microsoft.DigitalRightsManagement.
Configuration.SubEnrollment.Enroll()

Watch a demonstration of this problem being resolved.

When you go to the provisioning page, the title is probably:

• "Provision the RMS Licensing Server" and not
• "Provision the RMS Root Certification Server"

An RMS licensing server is a subordinate server under the Root RMS Certification Server and is used only in advanced RMS installations. Chances are good that you desire to provision a Root RMS Certification Server instead.

This problem occurs because a RMS Root Certification Server was previously installed on the network and the Service Connection Point (SCP) is still registered in Active Directory (AD) from that installation. The RMS Administration will not allow you to provision a RMS Root Certification server if the SCP is detected. It will prompt you to create a sub-licensing server instead.

Note: If you are reinstalling RMS or installing an RMS hotfix and you still want to keep the previous RMS configuration, you should use the "Add this server to a cluster" option instead of "Provision RMS on this web site." See SOX041014700084.

• There are a couple of ways to fix the "Provision the RMS Licensing Server" problem.
  1. On the DC, run "Active Directory Sites and Services" snapin
  2. Click on the View menu option and select "Show Services Node"
  3. A services Node appears in the left pane. Expand it and delete the RightsManagementServices node.
  4. Restart the RMS Administration provisioning and verify that "Provision the RMS Root Certification Server" is displayed and not "Provision the RMS licensing server."
  5. Provision RMS as normal

• However, due to AD replication issues, the result might not be immediate. Or you might not have sufficient permission to modify Active Directory. If the RMS Administration still prompts to create a licensing server, you can override this behavior and immediately provision a root server by doing the following:
  1. Click "Provision RMS on this web site."
  2. If the RMS Administration detects the Service Connection Point (SCP), it will display the page http://localhost:5720/ProvisionLicensing.aspx?sid=1.
  3. Change ProvisionLicensing.aspx to ProvisionCertification.aspx like this: http://localhost:5720/ProvisionCertification.aspx?sid=1.
  4. This will take you to the "Provision the RMS Root Certification Server" page.
  5. Provision the server as normal.