Event ID 174 — AD RMS Trust Policy Integrity
Applies To: Windows Server 2008 R2
Trust policies in Active Directory Rights Management Services (AD RMS) allow users to share rights-protected content across Active Directory Domain Services (AD DS) forests that are either internal or external to the organization.
| Product: | Windows Operating System |
| Source: | Active Directory Rights Management Services |
| Message: | Universal Principal Name (UPN) claim is not present in the request. Enable UPN claim on the Active Directory Federation Services (AD FS) server. |
Enable AD FS UPN claim
To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.
To enable an AD FS UPN Claim:
1. Log on to the AD FS server.
2. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.
3. Expand Trust Policy, and then expand Partner Organizations.
4. Click the account partner, right-click User Principal Name, and then click Properties.
5. Select the Enabled check box.
6. Select the Accept some domain suffixes option.
7. In the Specify accepted domains box, type the domain suffix of each user domain that should be able to consume rights-protected content on a new line, and then click OK.
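A pre-check for the accepted-domains list in the procedure above, added here as an example and not part of the original procedure: it compares a proposed suffix list against user UPNs so the list covers the intended users and nothing more. The function name, sample suffixes and sample UPNs are constructed, and exact, case-insensitive matching on the text after the last `@` is an assumption about how the list is applied.

```powershell
# Added example (requires PowerShell 3.0 or later).
# Assumption: a UPN is accepted when the text after its last '@' equals one
# of the listed suffixes, compared case-insensitively.
function Test-UpnSuffixCoverage {
    param(
        [Parameter(Mandatory = $true)] [string[]] $AcceptedSuffix,
        [Parameter(Mandatory = $true)] [string[]] $UserPrincipalName
    )
    # Normalize the list as it would be typed, one suffix per line:
    # tolerate stray whitespace, a leading '@', blank entries and duplicates.
    $accepted = $AcceptedSuffix |
        ForEach-Object { $_.Trim().TrimStart('@').ToLowerInvariant() } |
        Where-Object { $_ } |
        Sort-Object -Unique

    foreach ($upn in $UserPrincipalName) {
        $at = $upn.LastIndexOf('@')
        if ($at -lt 1 -or $at -eq $upn.Length - 1) {
            # No user part or no suffix: not a usable UPN.
            [pscustomobject]@{ Upn = $upn; Suffix = $null; Status = 'Malformed' }
            continue
        }
        $suffix = $upn.Substring($at + 1).ToLowerInvariant()
        $status = if ($accepted -contains $suffix) { 'Accepted' } else { 'NotListed' }
        [pscustomobject]@{ Upn = $upn; Suffix = $suffix; Status = $status }
    }
}

# Constructed sample data (not from the page).
$suffixes = @('contoso.example', ' @Fabrikam.example ')
$upns = @(
    'alice@contoso.example',
    'bob@FABRIKAM.example',
    'carol@eu.contoso.example',   # child-domain suffix, not in the list
    'dave'                        # missing '@'
)

$result = Test-UpnSuffixCoverage -AcceptedSuffix $suffixes -UserPrincipalName $upns
$result | Format-Table -AutoSize

# Suffixes that would still need their own line in "Specify accepted domains".
$result | Where-Object Status -eq 'NotListed' |
    Select-Object -ExpandProperty Suffix -Unique
```

With the sample data, the first two UPNs report `Accepted`, `carol@eu.contoso.example` reports `NotListed`, and `dave` reports `Malformed`.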
To perform this procedure, you must be a member of the local Users group, or you must have been delegated the appropriate authority.
Note: Microsoft Office Word 2007 is used as an example in this section. Any AD RMS-enabled application can be used in place of Word 2007.
To verify that the AD RMS trust policies are working correctly:
1. Log on to an AD RMS-enabled client computer.
2. Click Start, point to All Programs, point to Microsoft Office, and then click Microsoft Office Word 2007.
3. In the new document, type "This is a test document."
4. Click the Microsoft Office Start Button, point to Prepare, point to Restrict Permissions, and then click Restricted Access.
5. Select the Restrict permissions to this document check box.
6. Type another AD RMS user's e-mail address in the Read box, and then click OK.
7. Send this file to the person who was granted access in step 6.
8. Have this person open the document and verify that he or she cannot print it.