Microsoft provides an account certification service that uses Windows Live ID to issue the rights account certificate (RAC) for a user. If you want users whose RACs were issued by that service to be able to obtain use licenses from your Active Directory Rights Management Services (AD RMS) cluster, you must add a trusted user domain that accepts RACs issued by Microsoft's online RMS service.

To use this feature you must configure Internet Information Services (IIS) to allow access to the AD RMS licensing service, for example, by allowing anonymous access. This step is essential because the licensing service is configured to use Windows Integrated authentication by default, and users whose RACs come from Windows Live ID have no domain credentials to present. If IIS is not configured to allow access to the AD RMS licensing service, users with Windows Live ID-based RACs will not be able to acquire licenses. Enable anonymous access only on the licensing virtual directory; the certification and administration virtual directories should keep Windows Integrated authentication. Opening the licensing service at the IIS layer does not bypass AD RMS authorization: the licensing service still validates each RAC against the trusted user domains configured on the cluster before it issues a use license.

If necessary, after the trust is configured, you can exclude users of this service based on the e-mail domain of their Windows Live ID.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To enable anonymous access to the AD RMS licensing service
  1. Log on to a server in the AD RMS cluster.

  2. Open the Internet Information Services (IIS) Manager console and expand the server that is hosting AD RMS.

  3. In the console tree, expand Web sites and then expand the Web site on which you have configured AD RMS. By default this is the Default Web site.

  4. In the console tree, expand the _wmcs application and then select the licensing virtual directory.

  5. In the results pane, double-click Authentication to open the Authentication page.

  6. Select Anonymous Authentication and then, in the Actions pane, click Enable.

  7. Repeat steps 1-6 for each server in the AD RMS cluster.
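The following Windows PowerShell script is added here as an example of the same procedure applied to every cluster node from one console; it is not part of the original page. It assumes the WebAdministration module (IIS 7 or later), PowerShell remoting to the nodes, the node names rms01 and rms02 in corp.contoso.com, "Default Web Site" as the site hosting AD RMS, and https://rms.corp.contoso.com as the cluster URL; all of these are placeholders. It scopes the change to the licensing virtual directory only, confirms that the sibling certification directory is still not anonymous, and finishes with an unauthenticated request to the licensing web service, which should no longer be answered with HTTP 401.

```powershell
# Added example (not from the original page): enable anonymous authentication on the
# AD RMS licensing virtual directory on every node of the cluster, then verify.
# All names below are assumptions; replace them with your own.
$nodes      = @('rms01.corp.contoso.com', 'rms02.corp.contoso.com')   # assumed cluster nodes
$siteName   = 'Default Web Site'                                       # site hosting AD RMS
$licensing  = "$siteName/_wmcs/licensing"                              # the only path to open up
$clusterUrl = 'https://rms.corp.contoso.com'                           # assumed cluster URL

Invoke-Command -ComputerName $nodes -ArgumentList $licensing -ScriptBlock {
    param($path)
    Import-Module WebAdministration
    $anon = 'system.webServer/security/authentication/anonymousAuthentication'
    $win  = 'system.webServer/security/authentication/windowsAuthentication'

    # -Location scopes the setting to the licensing virtual directory, not to the
    # whole site or the _wmcs application; certification must stay Windows-authenticated.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $path -Filter $anon -Name enabled -Value $true

    $certPath = $path -replace 'licensing$', 'certification'
    [pscustomobject]@{
        Node             = $env:COMPUTERNAME
        LicensingAnon    = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $path -Filter $anon -Name enabled).Value
        LicensingWindows = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $path -Filter $win  -Name enabled).Value
        # Sanity check: the certification directory must still refuse anonymous callers.
        CertAnon         = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $certPath -Filter $anon -Name enabled).Value
    }
} | Format-Table -AutoSize

# End-to-end check, run from a machine that holds no domain credentials. Invoke-WebRequest
# does not send Windows credentials unless told to, so a 401 here means anonymous access
# is still off on at least the node that answered.
try {
    $r = Invoke-WebRequest -Uri "$clusterUrl/_wmcs/licensing/license.asmx" -UseBasicParsing
    "Licensing service reachable anonymously: HTTP $($r.StatusCode)"
} catch {
    "Anonymous request failed: $($_.Exception.Message) (401 means anonymous access is still off)"
}
```

Run the verification request against the cluster URL several times, or against each node directly, because a load balancer may route each request to a different node and a single success does not prove that step 7 was completed everywhere.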

Membership in the local AD RMS Enterprise Administrators group, or equivalent, is the minimum required to complete this procedure.

To trust Windows Live ID-based rights account certificates
  1. Log on to a server in the AD RMS cluster.

  2. Open the Active Directory Rights Management Services console and expand the AD RMS cluster.

  3. In the console tree, expand Trust Policies, and then click Trusted User Domains.

  4. In the Actions pane, click Trust Windows Live ID. The Windows Live ID certificate appears in the Trusted User Domains list in the results pane.

Membership in the local AD RMS Enterprise Administrators group, or equivalent, is the minimum required to complete this procedure.

To specify Windows Live ID e-mail domains to exclude
  1. Log on to a server in the AD RMS cluster.

  2. Open the Active Directory Rights Management Services console and expand the AD RMS cluster.

  3. In the console tree, expand Trust Policies, and then click Trusted User Domains.

  4. Select the Windows Live ID certificate in the results pane, and then in the Actions pane, click Properties.

  5. Click the Excluded Windows Live IDs tab.

  6. Type the e-mail domain to be excluded (for example, contoso.com).

  7. Click Add to add the specified object to the exclusion list.

  8. Repeat steps 6 and 7 for each additional e-mail domain that should be excluded.

  9. Click OK to apply the exclusion list to the cluster.
