Share via


About Microsoft Federation Gateway Support Certificates

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2008 R2 with SP1

This topic describes the certificates used by Microsoft Federation Gateway Support and briefly explains why you might need to manage them and how to do so.

When you add Microsoft Federation Gateway Support to the servers in your Active Directory Rights Management Services (AD RMS) cluster and enroll the cluster with the Microsoft Federation Gateway, two certificates are exchanged between your AD RMS cluster and the Microsoft Federation Gateway: a token decryption certificate and the Microsoft Federation Gateway certificate.

The token decryption certificate is an X.509 certificate that the AD RMS cluster uses to establish its identity to the Microsoft Federation Gateway. The Microsoft Federation Gateway uses this certificate when encrypting the security tokens that it sends to your AD RMS cluster. The token decryption certificate is the SSL certificate that you specify when you enroll your AD RMS cluster with the Microsoft Federation Gateway. Typically, the certificate that you specify as the token signing certificate is the SSL certificate that you use to configure the SSL (https://) URL for the AD RMS cluster. If you use different SSL connections for your intranet and extranet URLs, you must use the SSL certificate used to configure the extranet URL. Whenever you change the certificate that you use to configure the external URL of the AD RMS, you must immediately update the Microsoft Federation Gateway Support token decryption certificate.

The Microsoft Federation Gateway certificate is the certificate that the AD RMS cluster receives from the Microsoft Federation Gateway when the cluster is enrolled with the Microsoft Federation Gateway. The Microsoft Federation Gateway uses this certificate to sign the tokens that it sends to the AD RMS cluster. Normally, it is not necessary to update this certificate manually unless your Microsoft Federation Gateway cluster is unable to do so automatically.

A third type of certificate that affects how Microsoft Federation Gateway Support operates is the rights account certificate (RAC). A standard RAC identifies a user by account credentials in the context of a specific computer or device and has a validity time measured in number of days. The default validity time for a standard RAC is 365 days. Because your organization might have different requirements for RACs issued to internal users and RACs issued to external (federated) users, you can change the default validity time for RACs issued by your AD RMS cluster to users federated through the Microsoft Federation Gateway.

Additional references