Grant the AD RMS Service Group Permission to the SSL Certificate

Applies To: Windows Server 2012

After enrolling the cluster with the Microsoft Federation Gateway or updating the token decryption certificate, you must grant the AD RMS Services group permission to access the token decryption certificate on all servers in the cluster.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To grant permission to the AD RMS Services group for the SSL certificate

1. Log on to a server in the AD RMS cluster.

2. Open the Active Directory Rights Management Services console and expand the AD RMS cluster.

3. In the console tree, expand Trust Policies , and then click Microsoft Federation Gateway Support .

4. In the Actions pane, click Grant permissions to token decryption certificate on this server .

Note

If this link is not present in the Actions pane, the necessary permission has already been granted on this server.

5. Repeat steps 1-4 on all other servers in the cluster.

Additional considerations

• You can also perform the task described in this procedure by using Windows PowerShell. For more information about Windows PowerShell for AD RMS, see https://go.microsoft.com/fwlink/?LinkId=136806.

Additional references

• Installing Microsoft Federation Gateway Support

• Update a Microsoft Federation Gateway Support Certificate

• Checklist: Deploying AD RMS with Microsoft Federation Gateway Support