Enrolling with the Microsoft Federation Gateway

Applies To: Windows Server 2008 R2, Windows Server 2008 R2 with SP1

In order to use the Microsoft Federation Gateway, after you add Microsoft Federation Gateway Support, you must enroll your Active Directory Rights Management Services (AD RMS) cluster with the Microsoft Federation Gateway. After this, you must configure and enable Microsoft Federation Gateway Support. The following procedure explains this process.

Membership in the AD RMS Enterprise Administrators and the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To enroll the AD RMS cluster and enable Microsoft Federation Gateway Support

  1. Do one of the following:

    • To enroll by using the default AD RMS cluster certificate, at the Windows PowerShell command prompt, type:

      Install-RmsMfgEnrollment

    • To enroll by using a different certificate, at the Windows PowerShell command prompt, type:

      Install-RmsMfgEnrollment -CertificateThumbprint <thumbprint>

      where <thumbprint> is a string containing the thumbprint hash of the certificate being used to enroll with the Microsoft Federation Gateway.

Important

If you use a certificate that contains a subject alternate name (SAN), the last entry in the SAN list must be the fully qualified domain name of the domain you want to enroll with the Microsoft Federation Gateway.

  2. On all servers in the AD RMS cluster, perform the task described in Granting the AD RMS Service Group Permission to the SSL Certificate.

  3. Perform the following tasks, as needed:

  4. At the Windows PowerShell command prompt, type:

    Set-ItemProperty -Path <drive>:\TrustPolicy\MicrosoftFederationGateway -Name IsEnabled -Value $true

    where <drive> is the name of the Windows PowerShell drive.

To avoid conflicts, you should not enroll your AD RMS cluster with the Microsoft Federation Gateway by using the same URL that has been used to federate another resource with the Microsoft Federation Gateway. Other federated relationships to the Microsoft Federation Gateway can include (but are not limited to) federations to Microsoft Online and Microsoft Exchange Server. If you have already used the URL that your AD RMS cluster uses as its external URL to federate with the Microsoft Federation Gateway for another purpose, you must enroll the AD RMS cluster with the Microsoft Federation Gateway by creating and using a certificate that contains the AD RMS URL as the last entry in the SAN and with a common name (CN) that is not the same as the registered resource. For example, if the DNS name of your AD RMS server is resource.contoso.com, and if that name has already been used by another resource that has been federated to the Microsoft Federation Gateway, you can create a certificate in the following format to avoid federation conflicts:

Subject: CN=adrmsservice.contoso.com
      SAN:
             DNS Name=adrmsservice.contoso.com
             DNS Name=resource.contoso.com
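The following script is an added example, not part of the original page or of the AD RMS product documentation. It ties the procedure above together: it checks the enrollment certificate's SAN ordering (the last DNS entry must be the AD RMS FQDN, as the Important note requires), warns when the CN matches the FQDN so that the federation-conflict guidance above can be considered, and then runs the Install-RmsMfgEnrollment and Set-ItemProperty steps. It assumes the certificate is in the local machine personal store (Cert:\LocalMachine\My), that the AD RMS administration drive is mapped as AdRmsAdmin: against https://localhost as described in Using Windows PowerShell to Administer AD RMS, and that the script runs on a node of the cluster; the parameter names and the helper function Get-SanDnsNames are this example's own.

```powershell
# Added example (not from the original page): validate the enrollment certificate,
# enroll the AD RMS cluster with the Microsoft Federation Gateway, and enable
# Microsoft Federation Gateway Support.
param(
    [Parameter(Mandatory)][string]$Thumbprint,   # thumbprint of the enrollment certificate
    [Parameter(Mandatory)][string]$AdRmsFqdn     # AD RMS external FQDN; must be the LAST SAN entry
)

# Helper (this example's own): return the certificate's SAN DNS names in the order
# they appear in the extension (OID 2.5.29.17). Order matters for MFG enrollment.
function Get-SanDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    # Format($true) yields one "DNS Name=host" line per entry on Windows.
    $ext.Format($true) -split "`r?`n" | ForEach-Object {
        if ($_ -match '^\s*DNS Name=(.+)$') { $Matches[1].Trim() }
    }
}

# Normalize the thumbprint (strip spaces, upper-case) and locate the certificate.
$Thumbprint = ($Thumbprint -replace '\s', '').ToUpper()
$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
if (-not $cert) { throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My" }

# Check 1: the last SAN entry must be the FQDN being enrolled with the gateway.
$san = @(Get-SanDnsNames -Cert $cert)
if ($san.Count -gt 0 -and $san[-1] -ne $AdRmsFqdn) {
    throw "Last SAN entry is '$($san[-1])' but enrollment requires '$AdRmsFqdn' in that position"
}

# Check 2: if the CN equals the AD RMS name and that name is already federated for
# another resource (for example Microsoft Online or Exchange), a distinct CN is needed.
$cn = $cert.GetNameInfo('SimpleName', $false)
if ($cn -eq $AdRmsFqdn) {
    Write-Warning "CN is '$cn'; if this name is already federated with the gateway, use a certificate with a different CN and '$AdRmsFqdn' as the last SAN entry"
}

# Map the AD RMS administration drive if it is not already present (assumed name/root).
Import-Module AdRmsAdmin
if (-not (Get-PSDrive -Name AdRmsAdmin -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name AdRmsAdmin -PSProvider AdRmsAdmin -Root https://localhost | Out-Null
}
Set-Location AdRmsAdmin:\

# Step 1: enroll with the gateway using the validated certificate.
Install-RmsMfgEnrollment -CertificateThumbprint $cert.Thumbprint

# Step 4: enable Microsoft Federation Gateway Support, then read the value back.
$mfgPath = 'AdRmsAdmin:\TrustPolicy\MicrosoftFederationGateway'
Set-ItemProperty -Path $mfgPath -Name IsEnabled -Value $true
Get-ItemProperty -Path $mfgPath -Name IsEnabled
```

Run it from an elevated Windows PowerShell session on a cluster node, for example `.\Enroll-Mfg.ps1 -Thumbprint '<thumbprint>' -AdRmsFqdn adrmsservice.contoso.com`. The script does not perform step 2 (granting the AD RMS service group permission to the SSL certificate), which must still be done on every server in the cluster before enabling the setting.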

See Also

Concepts

Installing Microsoft Federation Gateway Support
Using Windows PowerShell to Administer AD RMS
Understanding the AD RMS Administration Provider Namespace
Configuring Microsoft Federation Gateway Support