I was asked to look at an IRM issue for one of our clients. When users were trying to open IRM protected document they received an error that the document could not be protected.
After analyzing the current setup and the standard TechNet documentation, I did not perform the installation of this farm, I started troubleshooting. The eventlog stated that the User did not have a valid email adres.
After checking the hidden user list (http://site/_catalogs/users/simple.aspx) I discovered that the user that I used for testing did not have an email address filled in. Second step that I checked is if the email was available in the user properties in the User Profile Service which lead to the same result.
The third step was looking for the AD sync setup which appeared to be installed, but it was not configured. After configuration and setting up an import connection (not a sync) users were able again to download IRM protected documents.