To Enable Certification of Server Services

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To perform this procedure, you must be logged on locally to the Administration Web site with a domain user account that is a member of the Administrators group. As a security best practice, consider using Run as to perform this procedure.

This procedure is applicable only on the root cluster.

This procedure assumes that you have created a user group that contains the user accounts that the server services will be impersonating when they consume rights-protected content.

Enabling Certification of Server Services

To Enable Certification of Server Services

  1. Log on to the computer as a member of the local Administrators group.

  2. Open a file system browser and navigate to the <system drive>:\Inetpub\wwwroot\_wmcs\Certification folder.

  3. To enable server services to receive rights account certificates (RACs), right-click the ServerCertification.asmx file and then click Properties.

  4. On the Security tab, click Add and add the group you created for this category of users and the RMS Service Group.

  5. In the Permissions lists for the groups, select the Allow check box for Read & Execute permissions and then click OK.

  6. Repeat steps 1 - 4 on each server in the cluster.
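
The same permission change can be scripted and then verified on each server. The following is an added example, not part of the original procedure or Microsoft's own tooling. It assumes Windows PowerShell is installed on the server; CONTOSO\RMS Server Services is a hypothetical name for the group you created, and the RMS Service Group is assumed to be a local group on the server.

```powershell
# Added example: group names are assumptions, adjust them before use.
$Path = Join-Path "$env:SystemDrive\" 'Inetpub\wwwroot\_wmcs\Certification\ServerCertification.asmx'
$Groups = @(
    'CONTOSO\RMS Server Services',          # hypothetical: the group created for server services
    "$env:COMPUTERNAME\RMS Service Group"   # assumption: RMS Service Group is local to this server
)
$Needed = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

function Get-MissingGroups($Acl) {
    # Emit each group that has no Allow entry covering Read & Execute.
    foreach ($g in $Groups) {
        $ok = $false
        foreach ($r in $Acl.Access) {
            $covers = ([int]$r.FileSystemRights -band [int]$Needed) -eq [int]$Needed
            if ($r.IdentityReference.Value -eq $g -and
                $r.AccessControlType -eq 'Allow' -and $covers) { $ok = $true }
        }
        if (-not $ok) { $g }
    }
}

# Add only the entries that are missing, so reruns do not duplicate rules.
$acl = Get-Acl -Path $Path
$missing = @(Get-MissingGroups $acl)
foreach ($g in $missing) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($g, $Needed, 'Allow')
    $acl.AddAccessRule($rule)
}
if ($missing.Count -gt 0) { Set-Acl -Path $Path -AclObject $acl }

# Re-read the DACL from disk and confirm the result instead of trusting the write.
$after = Get-Acl -Path $Path
$still = @(Get-MissingGroups $after)
if ($still.Count -gt 0) {
    Write-Warning ("Read & Execute still missing for: " + ($still -join ', '))
} else {
    Write-Host "Both groups have Read & Execute on $Path"
}

# List every entry so unexpected principals on the file stand out during review.
$after.Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

Run it on each server in the cluster and review the final table: any principal that you did not expect to have access to ServerCertification.asmx should be investigated.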


For Microsoft Exchange Server 2007, you must add every bridgehead server's Active Directory computer object to the discretionary access control list (DACL) of ServerCertification.asmx. Similarly, for Microsoft Office SharePoint Server 2007, you must add the Office SharePoint Server 2007 server's Active Directory computer object to this DACL. It is recommended that you add a security group to this DACL and then add the appropriate computer objects to that group.