Microsoft provides an account certification service that uses Windows Live ID to establish the rights account certificate (RAC) for the user. If you want users with RACs from that service to be able to obtain use licenses from your Active Directory Rights Management Services (AD RMS) cluster, you need to set up a trusted user domain that accepts user credentials from Microsoft’s online RMS service.

To use this feature you must configure Internet Information Services (IIS) to allow access to the AD RMS licensing service, for example, by allowing anonymous access. This step is essential because the licensing service is configured to use Windows Integrated authentication by default. If IIS is not configured to allow access to the AD RMS licensing service, users with Windows Live ID-based RACs will not be able to acquire licenses.

If necessary, after the trust has been configured, you can filter (allow or block) users of this service based on their e-mail addresses.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To enable anonymous access to the AD RMS licensing service
  1. Log on to a server in the AD RMS cluster.

  2. Open the Internet Information Services (IIS) Manager console and expand the server that is hosting AD RMS.

  3. In the console tree, expand Web sites and then expand the Web site on which you have configured AD RMS. By default this is the Default Web site.

  4. In the console tree, expand the _wmcs Web site and then select the licensing virtual directory.

  5. In the results pane, double-click Authentication to open the Authentication page.

  6. Select Anonymous Authentication, and then, under Tasks, select the Enabled check box and click Save.

  7. Repeat steps 1-6 for each server in the AD RMS cluster.
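The following is an added example, not part of the original article, that checks the result of steps 1-6 on every node of the cluster from one console: it reports whether anonymous and Windows authentication are enabled on the _wmcs licensing and certification virtual directories and flags nodes that drift from the rest of the cluster. It assumes the WebAdministration module, the default Web site name, and PowerShell remoting to the hypothetical node names ADRMS01 and ADRMS02.

```powershell
# Added example (not from the original article): audit authentication settings on the
# AD RMS licensing and certification virtual directories across all cluster nodes.
# Assumptions: WebAdministration module on each node, PowerShell remoting enabled,
# and the hypothetical node and site names below.
$ClusterNodes = @('ADRMS01', 'ADRMS02')     # assumption: your cluster's server names
$SiteName     = 'Default Web Site'          # assumption: the site that hosts AD RMS

$AuditBlock = {
    param($SiteName)
    Import-Module WebAdministration
    $base = "IIS:\Sites\$SiteName\_wmcs"
    foreach ($vdir in 'licensing', 'certification') {
        $path = "$base\$vdir"
        if (-not (Test-Path $path)) { continue }
        $anon = (Get-WebConfigurationProperty -PSPath $path `
                   -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
                   -Name enabled).Value
        $win  = (Get-WebConfigurationProperty -PSPath $path `
                   -Filter 'system.webServer/security/authentication/windowsAuthentication' `
                   -Name enabled).Value
        # Only the licensing directory needs anonymous access for Windows Live ID RACs;
        # anonymous access on any other _wmcs directory is reported for review.
        if ($vdir -eq 'licensing' -and -not $anon) { $finding = 'Live ID users cannot obtain licenses' }
        elseif ($vdir -ne 'licensing' -and $anon)  { $finding = 'Unexpected anonymous access' }
        else                                        { $finding = 'OK' }
        [pscustomobject]@{
            Node          = $env:COMPUTERNAME
            VirtualDir    = $vdir
            AnonymousAuth = $anon
            WindowsAuth   = $win
            Finding       = $finding
        }
    }
}

$results = Invoke-Command -ComputerName $ClusterNodes -ScriptBlock $AuditBlock -ArgumentList $SiteName
$results | Sort-Object VirtualDir, Node |
    Format-Table Node, VirtualDir, AnonymousAuth, WindowsAuth, Finding -AutoSize

# Step 7 drift check: licensing directories whose setting differs from the rest of the cluster
$results | Where-Object VirtualDir -eq 'licensing' |
    Group-Object AnonymousAuth | Where-Object Count -lt $ClusterNodes.Count |
    ForEach-Object { "Drift: anonymous auth = $($_.Name) on $($_.Group.Node -join ', ')" }
```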

Membership in the local AD RMS Enterprise Administrators, or equivalent, is the minimum required to complete this procedure.

To trust Windows Live ID-based rights account certificates
  1. Log on to a server in the AD RMS cluster.

  2. Open the Active Directory Rights Management Services console and expand the AD RMS cluster.

  3. In the console tree, expand Trust Policies, and then click Trusted User Domains.

  4. In the Actions pane, click Trust Windows Live ID. The Windows Live ID certificate appears in the Trusted user domain list in the results pane.

Membership in the local AD RMS Enterprise Administrators, or equivalent, is the minimum required to complete this procedure.

To specify Windows Live ID e-mail users and domains to allow or block
  1. Log on to a server in the AD RMS cluster.

  2. Open the AD RMS snap-in and expand the AD RMS cluster.

  3. In the console tree, expand Trust Policies, and then click Trusted User Domains.

  4. Select the Windows Live ID certificate in the results pane, and then in the Actions pane, click Properties.

  5. Click the Filtered Windows Live IDs tab.

  6. Do one of the following:

    • To create a list of users and domains that will be allowed to receive licenses, click Allow.

    • To create a list of users and domains that will be blocked from receiving licenses, click Block.

  7. Type the user e-mail address (in the form user@domain.com) or domain name (in the form domain.com) to be added to the filter list, and then click Add. You can also use an asterisk (*) to specify all users and domains.

  8. Repeat the previous step for all e-mail users and domains that should be allowed or blocked.

  9. Click OK to apply the filter list to the cluster.
