Set Permissions on the AD RMS Server Certification Pipeline
Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2008 R2 with SP1
By default, only the local system account has permission to access the Active Directory Rights Management Services (AD RMS) server certification pipeline (ServerCertification.asmx). IRM features in Exchange 2010 require that Exchange servers and the AD RMS Service Group be granted permissions to read and execute this file on all servers in the AD RMS cluster.
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.
To give Exchange servers permissions to access the server certification pipeline
Log on to a server in the AD RMS cluster.
Click Start, and then click Computer.
Navigate to %systemdrive%\Inetpub\wwwroot\_wmcs\Certification.
Right-click ServerCertification.asmx, and then click Properties.
In the ServerCertification.asmx Properties dialog box, click the Security tab.
Click the Continue button or the Edit button.
In the Permissions for ServerCertification.asmx dialog box, click Add.
In the Select User, Computer, Service Account, or Group dialog box, click Object Types, select the Computers check box, and then click OK.
Type Exchange Servers to add the Exchange Servers group, or type the names of the Exchange servers that you want to add, separated by semicolons.
Click Check Names, and then click OK.
Under Allow, make sure that the Read & execute and the Read check boxes are selected.
If the AD RMS Service Group does not appear in the Group or user names list, repeat steps 6–11 to add it.
Click OK to close all dialog boxes.
Repeat steps 1–14 on all other servers in the AD RMS cluster.