Users cannot open or create content that is protected by Active Directory Rights Management Services, and an error code 12057 is logged

Applies to: Windows Server Standard 2016Windows Server 2012 StandardWindows Server 2012 R2 Standard More

Symptoms

Consider the following scenario:
  • You use Active Directory Rights Management Services (AD RMS) to protect content.
  • In your deployment, Secure Sockets Layer (SSL) authentication is required by the Rights Management Server.
  • A user tries to open or create some content that is protected by AD RMS.
In this scenario, the operation that the user is trying to complete fails.

If you search the Debug View logs on the Rights Management Services (RMS) client, you find an error 0x8004cf3b that has an error code 12057. If you map the error code to the corresponding WinInet error code, this error is an ERROR_INTERNET_SEC_CERT_REV_FAILED error.

Cause

This problem occurs because the SSL certificate has an invalid Certificate Revocation List (CRL) Distribution Point (CDP) specified. Therefore, the Cryptographic API revocation that checks for this certificate fails.

Resolution

To resolve this problem, make sure that the SSL certificate uses the correct CRL.