AD RMS Client Service Discovery
Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012
Active Directory Rights Management Services (AD RMS) client service discovery is the method by which the AD RMS client discovers an AD RMS cluster. There are three ways in which this can occur:
- Active Directory Domain Services (AD DS) service connection point (SCP) automatic service discovery. This is the recommended way to deploy an AD RMS environment. In this scenario, an SCP is created in the Active Directory forest where the AD RMS cluster is installed. When the AD RMS client attempts user activation on the computer, it queries the SCP to find the AD RMS cluster and download the rights account certificate (RAC). With automatic service discovery, no additional configuration is required on the AD RMS client.
- AD RMS client registry overrides. In complex AD RMS deployment topologies, more specific control of the AD RMS client is required. For versions of the Rights Management Services (RMS) client running on Windows XP, Windows 2000, or Windows Server 2003, these overrides are required for topologies where multiple Active Directory forests are deployed. Another example of where client registry overrides can be used is to support extranet users. In these cases, client registry overrides are created on the AD RMS client to force either certification or licensing of rights-protected content from an AD RMS cluster that is different from the one published in the SCP. The AD RMS client registry overrides used to override the SCP are created in:
The client registry override keys are the following:
Activation. This key is used to override the default AD RMS certification service that is configured in the SCP. This key should contain a single value, the "(Default)" (Type: REG_SZ) value, which should contain the URL of your cluster in the format "http(s)://<your cluster>/_wmcs/certification" where <your cluster> is the URL of the certification cluster that should be used for certification.
EnterprisePublishing. This key is used to override the default AD RMS licensing service to which the AD RMS client connects to acquire a Client Licensor Certificate (CLC) to protect content. This key should contain a single value, the "(Default)" (Type: REG_SZ) value, which should contain the URL of your cluster in the format "http(s)://<your cluster>/_wmcs/licensing" where <your cluster> is the URL of the cluster your client should connect to in order to obtain the CLC. This is also the URL that will be stamped in all the content protected by this client so others can acquire licenses for it.
The client registry overrides are configured as registry keys. For each key, add the URL as the value of the key's default entry, of type REG_SZ.
If the AD RMS client computer is connecting by using a federated trust, you must configure the federation home realm. The registry key is **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\MSDRM\\Federation**. Within this registry key, create a registry entry named FederationHomeRealm of type REG\_SZ. The value of this registry entry is the federation service URI.
- Examine issuance license for extranet URLs. The last method for AD RMS client service discovery is by means of the issuance license. When rights-protected content is published, the intranet as well as the extranet licensing service URLs are added to the issuance license. When an AD RMS client opens the rights-protected content for the first time and the other methods of service discovery are not available, the client can retrieve the licensing URLs from the issuance license.
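Because a registry override redirects certification or licensing away from the cluster published in the SCP, it is worth auditing on client computers. The following script is an added example, not Microsoft's tooling: it reads the Activation and EnterprisePublishing default values and the FederationHomeRealm entry, then flags URLs that do not match the formats described above or that point at an unapproved host. `$OverrideParentKey` and `$ApprovedHosts` are assumed parameters; the parent key path is not given on this page, so it must be supplied by the caller.

```powershell
param(
    # Assumption: provider path of the key that holds the Activation and
    # EnterprisePublishing subkeys (placeholder; not given on this page).
    [Parameter(Mandatory)] [string]   $OverrideParentKey,
    # Assumption: host names of the AD RMS clusters this client may use.
    [Parameter(Mandatory)] [string[]] $ApprovedHosts
)

# URL path each override must end with, per the formats described above.
$expectedPath = @{
    Activation           = '/_wmcs/certification'
    EnterprisePublishing = '/_wmcs/licensing'
}

function Test-OverrideUrl {
    param([string]$Name, [string]$Url, [string]$Path, [string[]]$Approved)
    $issues = @()
    $uri = $null
    if (-not [Uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$uri)) {
        $issues += 'not an absolute URL'
    } elseif ($uri.Scheme -notin 'http', 'https') {
        $issues += "unexpected scheme '$($uri.Scheme)'"
    } else {
        if ($uri.Scheme -eq 'http') { $issues += 'plain HTTP, no TLS' }
        if ($uri.AbsolutePath.TrimEnd('/') -ne $Path) { $issues += "path is not $Path" }
        if ($uri.Host -notin $Approved) { $issues += "host '$($uri.Host)' not approved" }
    }
    [pscustomobject]@{ Setting = $Name; Value = $Url; Issues = $issues -join '; ' }
}

$report = @(foreach ($name in $expectedPath.Keys) {
    # The override URL is stored in the (Default) value of each subkey.
    $key = Get-Item -LiteralPath (Join-Path $OverrideParentKey $name) -ErrorAction SilentlyContinue
    $url = if ($key) { $key.GetValue('') }
    if ($url) { Test-OverrideUrl $name $url $expectedPath[$name] $ApprovedHosts }
    else { [pscustomobject]@{ Setting = $name; Value = '(no override)'; Issues = '' } }
})

# Federation home realm, read from the key named on this page.
$fed = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\MSDRM\Federation' `
    -Name FederationHomeRealm -ErrorAction SilentlyContinue
$realm = if ($fed) { $fed.FederationHomeRealm } else { '(not set)' }
$report += [pscustomobject]@{ Setting = 'FederationHomeRealm'; Value = $realm; Issues = '' }

$report | Format-Table -AutoSize -Wrap
```

An empty Issues column for an override means the URL has the expected path and an approved host; "(no override)" means that key is absent or has no default value.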