AD RMS can provide rights account certificates (RACs) and use licenses to AD RMS-enabled applications that are running Windows Mobile 6. There are a few things that you should be aware of when configuring mobile services:

  • Discretionary access control lists (DACLs) on the AD RMS pipelines use the most secure settings by default. You must modify the DACL when using AD RMS mobile services.

  • Many mobile services use advanced Active Directory Domain Services (AD DS) functionality that is available only if all AD DS domain controllers are running Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2. If you are using any mobile services, we recommend that all domain controllers are running Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2, and that both the domain and forest Active Directory functional levels are at least at Windows Server 2003.

In a default AD RMS installation, the DACL of the AD RMS mobile certification pipeline is restricted, which means an application cannot obtain certificates and licenses for their users. However, if you have an AD RMS-enabled application for these computers, you can enable them to participate in your AD RMS system by configuring the DACLs on the AD RMS mobile certification pipeline.

AD RMS-enabled mobile applications can connect to the AD RMS mobile certification server by using the MobileDeviceCertification.asmx file.


If there is more than one AD RMS server in the AD RMS cluster, the DACL on the mobile certification service must be changed on each server in the cluster.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To enable certification of mobile devices
  1. Open Windows Explorer and navigate to the folder where Internet Information Services was installed. By default, the folder path is %systemdrive%\Inetpub\wwwroot\_wmcs\Certification folder.

  2. To enable mobile devices to receive RACs, right-click the MobileDeviceCertification.asmx file, and then click Properties.

  3. On the Security tab, click Add, and then add the user account object of the AD RMS-enabled mobile application and the AD RMS Service Group.

  4. In the Permissions list for the groups, select the Allow check box for both Read and Read & Execute permissions, and then click OK.


    If several servers are hosting AD RMS-enabled mobile applications, consider creating a group, adding all of the user objects to this group, and then adding the group to the ACL of the certification pipeline instead.

  5. Restart Internet Information Services by running IISRESET at a command prompt to implement the changes on the DACLs on the Web services. Do this on each server in the AD RMS cluster.

Additional reference