Discovery of the Account Certification Service

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The RMS Account Certification service grants rights account certificates to users. Each rights account certificate (RAC) is valid only for a specific computer or device and requires that the user requesting the certificate have a valid machine certificate.

Only the root cluster runs the account certification service. To make an account certification request, a client first retrieves the URL to Certification virtual directory of the root cluster, where the account certification service is located, from Active Directory. It then appends the path to the account certification service.

For example, the Certification URL of the root cluster is stored in Active Directory in the following form:


When a client requests a rights account certificate, it appends the account certification service file name to the URL, as follows:



If you have enabled SSL on the servers in the RMS root cluster, these URLs will use the https:// connection protocol.