RMS Connector vs. Exchange 2010 IRM

2020/03/09

Scenario

Microsoft's description of the Microsoft Rights Management (RMS) connector:

“The Microsoft Rights Management (RMS) connector lets you quickly enable existing on-premises servers to use their Information Rights Management (IRM) functionality with the cloud-based Microsoft Rights Management service (Azure RMS). With this functionality, IT and users can easily protect documents and pictures both inside your organization and outside, without having to install additional infrastructure or establish trust relationships with other organizations.”

To authorize Exchange 2010 servers to use the RMS connector, on the RMS connector administration tool, you specify the “Exchange Servers” Security Group as a group of objects that are authorized, taking advantage of the fact that Exchange automatically manages the membership of this group to maintain a list of all Exchange servers in the forest.

Then you use a script, named “server configuration tool for Microsoft RMS connector (GenConnectorConfig.ps1)”, to set the required registry entries on all servers that will interact with the RMS connector.

For Exchange 2010:

.\GenConnectorConfig.ps1 -ConnectorUri 'https://rmsconnector.contoso.com' -SetExchange2010

Problem

Afterwards, when trying to enable IRM on Exchange 2010, by using the below command, I got the error: “String cannot be of zero length. Parameter name: oldValue”

Set-IRMConfiguration -ClientAccessServerEnabled $True -InternalLicensingEnabled $True

Solution

Using Process Monitor I couldn’t spot the red flag, given that there wasn’t an obvious failure to access a specific registry entry or another type of system resource.

It ended up being a problem with the ‘(Default)’ value under ‘HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v14\IRM\CertificationServerRedirection’ and under ‘HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v14\IRM\LicenseServerRedirection’, which held data set by GenConnectorConfig.ps1 for a previously used RMS connector endpoint - ‘http://rmsconnector’. After clearing the data value for both keys, the above PowerShell command ran successfully.
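To check other servers for the same leftover data, the following added example (not part of the original post or of Microsoft's GenConnectorConfig.ps1) lists every value under the two redirection keys and flags a ‘(Default)’ value that still holds data. The parameter names, the `-ClearDefault` switch and the comparison of named values against the expected connector URI are assumptions made for illustration.

```powershell
# Added example, not from the original post. Run elevated on the Exchange 2010 server.
param(
    # Sample connector URI from the post; replace with your own (assumption).
    [string]$ExpectedConnectorUri = 'https://rmsconnector.contoso.com',
    # Hypothetical switch: without it the script only reports.
    [switch]$ClearDefault
)

$irmRoot = 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v14\IRM'
$subKeys = 'CertificationServerRedirection', 'LicenseServerRedirection'

foreach ($subKey in $subKeys) {
    $path = Join-Path $irmRoot $subKey
    if (-not (Test-Path $path)) {
        Write-Warning "$path does not exist on this server."
        continue
    }

    $key = Get-Item -Path $path
    foreach ($name in $key.GetValueNames()) {
        # An empty value name is the key's '(Default)' value.
        $isDefault = ($name -eq '')
        $data = [string]$key.GetValue($name)

        $finding = 'OK'
        if ($isDefault -and $data -ne '') {
            $finding = 'Default value holds data (the condition described in the post)'
        } elseif (-not $isDefault -and -not $data.StartsWith($ExpectedConnectorUri, [StringComparison]::OrdinalIgnoreCase)) {
            # Assumption: named entries should redirect to the current connector.
            $finding = 'Does not point at the expected connector'
        }

        New-Object PSObject -Property @{
            Key = $subKey; Name = $(if ($isDefault) { '(Default)' } else { $name })
            Data = $data; Finding = $finding
        } | Select-Object Key, Name, Data, Finding

        if ($isDefault -and $data -ne '' -and $ClearDefault) {
            # On registry drives, Set-Item writes the (Default) value of the key.
            Set-Item -Path $path -Value ''
            Write-Warning "Cleared (Default) under $path (was '$data')."
        }
    }
}
```

Run it once without `-ClearDefault` to review the findings before changing anything, then retry `Set-IRMConfiguration`.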
