To Trust Passport-Based Rights Account Certificates

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Microsoft provides an account certification service that uses Microsoft .NET Passport credentials to establish the rights account certificate for the user. If you want users with rights account certificates from that service to be able to obtain use licenses from your RMS cluster, you need to set up a trusted user domain that accepts user credentials from Microsoft's account certification service.

To use this feature, you must configure Internet Information Services to allow anonymous access to the RMS licensing service. This step is essential for external users because the licensing service is configured to use Integrated Windows authentication by default. If anonymous access is not set, external users with Passport-based rights account certificates (RACs) will not be able to get licenses.

Trusting Passport-Based Rights Account Certificates

To enable anonymous access to the RMS licensing service

  1. Open the Internet Information Services (IIS) Manager snap-in and expand the server that is hosting RMS.

  2. In the console tree, expand Web Sites and then expand the Web site on which you have configured RMS. By default, this is the Default Web Site.

  3. In the console tree, expand the _wmcs Web site and then select the licensing virtual directory.

  4. Right-click the licensing virtual directory and select Properties.

  5. In the Licensing Properties dialog box, click the Directory Security tab.

  6. Click Edit in the Authentication and access control area.

  7. Select the Enable Anonymous Access check box.
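
The following read-only check is an added example, not part of the original Microsoft procedure. It reads the IIS 6.0 metabase through ADSI and reports which authentication schemes are in effect on the licensing virtual directory and on its parent, so you can confirm that anonymous access was enabled where the steps above ask for it. It assumes that RMS is on the Default Web Site (site ID 1) and that `_wmcs/licensing` exists as a metabase key.

```vbscript
' Added example: report IIS 6.0 authentication settings for the RMS licensing directory.
' Assumption: RMS runs on the Default Web Site, which has site ID 1 in the metabase.
Option Explicit

Const MD_AUTH_ANONYMOUS = 1    ' Anonymous access
Const MD_AUTH_BASIC     = 2    ' Basic authentication
Const MD_AUTH_NT        = 4    ' Integrated Windows authentication
Const MD_AUTH_MD5       = 16   ' Digest authentication
Const MD_AUTH_PASSPORT  = 64   ' .NET Passport authentication
Const SITE_ROOT = "IIS://localhost/W3SVC/1/ROOT"

' Turn the AuthFlags bit mask into a readable list of schemes.
Function DescribeAuth(flags)
    Dim s
    s = ""
    If (flags And MD_AUTH_ANONYMOUS) <> 0 Then s = s & "Anonymous "
    If (flags And MD_AUTH_BASIC) <> 0 Then s = s & "Basic "
    If (flags And MD_AUTH_NT) <> 0 Then s = s & "IntegratedWindows "
    If (flags And MD_AUTH_MD5) <> 0 Then s = s & "Digest "
    If (flags And MD_AUTH_PASSPORT) <> 0 Then s = s & "Passport "
    If s = "" Then s = "(none)"
    DescribeAuth = Trim(s)
End Function

' Return the effective AuthFlags for a path under the site root, or -1 if unreadable.
Function ReadAuthFlags(relPath)
    Dim node
    ReadAuthFlags = -1
    On Error Resume Next
    Set node = GetObject(SITE_ROOT & "/" & relPath)
    If Err.Number = 0 Then ReadAuthFlags = node.AuthFlags
    If Err.Number <> 0 Then ReadAuthFlags = -1
    Err.Clear
End Function

Dim licFlags, parentFlags
licFlags = ReadAuthFlags("_wmcs/licensing")
parentFlags = ReadAuthFlags("_wmcs")
If licFlags < 0 Then
    WScript.Echo "Cannot read _wmcs/licensing; check the site ID and path."
    WScript.Quit 2
End If
WScript.Echo "_wmcs/licensing: " & DescribeAuth(licFlags)
If parentFlags >= 0 Then WScript.Echo "_wmcs: " & DescribeAuth(parentFlags)
If (licFlags And MD_AUTH_ANONYMOUS) = 0 Then
    WScript.Echo "FAIL: anonymous access is not enabled on the licensing directory."
    WScript.Quit 1
End If
WScript.Echo "OK: anonymous access is enabled on the licensing directory."
```

Run it on the RMS server with `cscript //nologo` from an administrative command prompt. If the `_wmcs` line also lists Anonymous, the setting is inherited by every directory under `_wmcs` that does not override it, which is broader than the licensing-only change described in the steps.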

To trust Passport-based rights account certificates

  1. Open the Global Administration page, and then, next to the Web site on which you want to trust Passport-based rights account certificates, click Administer RMS on this Web site.

  2. In the Administration links area, click Trust policies.

  3. In the Trusted user domains area, click Trust Passport RACs. The Microsoft RM Certification Service appears in the Trusted user domain list.

  4. Optionally, you can exclude users based on their e-mail addresses. To do this, click Excluded identities, and then type the e-mail address of the user whom you do not trust.