Using Smart Cards to Authenticate Clients
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
If you are using smart cards in your organization to provide additional security and control over user credentials, you can now use those smart cards when obtaining rights account certificates and use licenses from RMS. To configure the RMS root cluster to require client authentication, you need to enable Secure Sockets Layer (SSL) for the Web site on which you provisioned RMS and configure the authentication method in Internet Information Services (IIS). You can use the following steps to perform this task:
To enable smart card authentication on RMS server
Log on to RMS server as local administrator.
Click Start, point to Administrative Tools, and then click Internet Information Services Manager.
Expand the item with the name of a cluster server, right-click the Web site folder, click Properties, and then click the Directory Security tab.
In the Authentication and access control area, click Edit, clear all check boxes, and then click OK.
In the Secure Communications area, click Edit, select the Enable the Windows directory service mapper check box, and then click OK.
Expand the Web site folder, expand the _wmcs virtual directory, and then expand the virtual directory (either Licensing or Certification) for which you want to configure authentication.
To configure smart card authentication for licensing, right-click license.asmx, click Properties, and then click the File Security tab.
To configure authentication for certification, right-click certification.asmx, click Properties, and then click the File Security tab.
In the Secure Communications area, click Edit to open the Secure Communications dialog box.
Select the Require secure channel (SSL) check box, and then click one of the following:
Require client certificates, if you want only clients with client-side certificates such as smart cards to be able to connect to the service.
Accept client certificates,if you want clients to have the option to supply authentication credentials using either a smart card certificate or a user name and password.
Select Enable client certificate mapping, and then click OK.
If you want to use client authentication for both certification and licensing, repeat steps 5–8, but select the alternate virtual directory the second time.
If there is more than one RMS server in the cluster in which you are enabling smart card authentication, repeat this procedure for each server in the cluster.
After these settings have been configured, a user who attempts to open RMS-protected content that is published by this server is prompted to provide authentication credentials before the RMS cluster will provide the user with a rights account certificate or use license.