Managing Microsoft Federation Gateway Support

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2008 R2 with SP1

After you enroll your Active Directory Rights Management Services (AD RMS) cluster with Microsoft Federation Gateway Support, little additional management is required beyond maintaining the list of external organizations that can receive licenses from the AD RMS cluster. Occasionally, you may also need to manage the certificates that Microsoft Federation Gateway Support uses.

To establish or terminate a trust relationship with an external organization, you manage two lists of domains: the Microsoft Federation Gateway Support licensing domains and publishing domains. The list of licensing domains consists of the user names and domain names owned by external organizations that you want to allow AD RMS to issue licenses to, or that you want to prevent from receiving licenses from your AD RMS cluster. The list of publishing domains contains the domain names to which you want your AD RMS cluster to issue publishing licenses. For more information about AD RMS licenses, see Understanding AD RMS Certificates.

AD RMS Microsoft Federation Gateway Support relies on two certificates to ensure the authenticity of the parties to the federated relationship between AD RMS and the external organizations whose identities are brokered by the Microsoft Federation Gateway: the cluster SSL certificate, which AD RMS uses as the token decryption certificate, and the Microsoft Federation Gateway certificate, which verifies the identity of the Microsoft Federation Gateway to the AD RMS cluster. In addition, AD RMS issues a rights account certificate (RAC) to identify a user who attempts to open rights-protected content. You can update the token decryption certificate (when the cluster SSL certificate is about to expire, for example) and the Microsoft Federation Gateway certificate, and you can change the length of time for which AD RMS recognizes RACs issued to federated users.

Finally, you can control how Microsoft Federation Gateway Support functions by temporarily disabling it, or you can terminate the federation relationship between the AD RMS cluster and the Microsoft Federation Gateway altogether.

This section provides information and instructions to help you with the following management tasks: