Event ID 208 — AD RMS Cluster Configuration
Applies To: Windows Server 2008
Servers in an Active Directory Rights Management Services (AD RMS) cluster are configured to both send requests to and receive requests from AD RMS clients, other servers in the AD RMS cluster, and the AD RMS databases.
Event Details
| Field | Value |
| --- | --- |
| Product | Windows Operating System |
| ID | 208 |
| Source | Active Directory Rights Management Services |
| Version | 6.0 |
| Symbolic Name | AuthenticationNotEnabledEvent |
| Message | Authentication is not enabled on one of the required Active Directory Rights Management Services (AD RMS) entry points. |
Resolve
Disable anonymous authentication on servicelocator.asmx or enable AD FS UPN and E-mail claims
Use the following sections to disable anonymous authentication on an AD RMS entry point, enable an AD FS UPN claim, and enable an AD FS E-mail claim.
To perform these procedures, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.
Disable anonymous authentication on servicelocator.asmx
To disable anonymous authentication on servicelocator.asmx:
1. Log on to the AD RMS server.
2. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
3. Expand the local computer node, and then expand Sites.
4. Expand Default Web Site, expand _wmcs.
5. Right-click Certification, and then click Switch to Content View.
6. Right-click ServiceLocator.asmx, and then click Switch to Features View.
7. Double-click Authentication.
8. Right-click Anonymous Authentication, and then click Disable.
9. Repeat steps 4 - 8 for each instance of servicelocator.asmx located in the AD RMS virtual directory.
10. Repeat steps 1 - 9 for each server in the AD RMS cluster.
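The same setting can be audited from PowerShell on each cluster server. This is an added example, not part of the original article; it assumes the WebAdministration module is installed and that folders under _wmcs on disk map directly to URL paths. The `-Fix` switch and the script layout are hypothetical choices made for this example.

```powershell
# Added example: report (and with -Fix, disable) anonymous authentication on
# every ServiceLocator.asmx under the AD RMS _wmcs virtual directory.
# Run in an elevated session, once on each server in the AD RMS cluster.
param(
    [string]$Site = 'Default Web Site',  # site name used in the procedure
    [switch]$Fix                         # hypothetical switch: report only unless set
)

Import-Module WebAdministration -ErrorAction Stop

$filter  = 'system.webServer/security/authentication/anonymousAuthentication'
$apphost = 'MACHINE/WEBROOT/APPHOST'    # authentication sections live in applicationHost.config

# Resolve the physical folder behind _wmcs so that every instance is found.
$root = (Get-WebFilePath -PSPath "IIS:\Sites\$Site\_wmcs").FullName

$results = Get-ChildItem -Path $root -Recurse -Filter 'ServiceLocator.asmx' | ForEach-Object {
    # Assumption: the on-disk layout under _wmcs mirrors the URL layout.
    $relative = $_.FullName.Substring($root.Length).TrimStart('\') -replace '\\', '/'
    $location = "$Site/_wmcs/$relative"

    $enabled = (Get-WebConfigurationProperty -PSPath $apphost -Location $location `
        -Filter $filter -Name 'enabled').Value

    if ($enabled -and $Fix) {
        Set-WebConfigurationProperty -PSPath $apphost -Location $location `
            -Filter $filter -Name 'enabled' -Value $false
        # Read the value back so the report shows the effective state.
        $enabled = (Get-WebConfigurationProperty -PSPath $apphost -Location $location `
            -Filter $filter -Name 'enabled').Value
    }

    New-Object PSObject -Property @{
        Server           = $env:COMPUTERNAME
        Location         = $location
        AnonymousEnabled = [bool]$enabled
    }
}

$results | Format-Table Server, Location, AnonymousEnabled -AutoSize

# A non-zero exit code lets a scheduled check flag servers that still need the change.
if ($results | Where-Object { $_.AnonymousEnabled }) { exit 1 }
```

Run it without `-Fix` first to see which entry points still allow anonymous access, then rerun with `-Fix` and confirm that every row reports `False`.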
Enable an AD FS UPN Claim
To enable an AD FS UPN Claim:
1. Log on to the AD FS server.
2. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.
3. Expand Trust Policy, and then expand Partner Organizations.
4. Click the account partner, right-click User Principal Name, and then click Properties.
5. Select the Enabled check box.
6. Select the Accept some domain suffixes option.
7. In the Specify accepted domains box, type the domain suffix of each user domain that should be able to consume rights-protected content on a new line, and then click OK.
Enable an AD FS E-mail Claim
To enable an AD FS E-mail Claim:
1. Log on to the AD FS server.
2. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.
3. Expand Trust Policy, and then expand Partner Organizations.
4. Click the account partner, right-click E-mail, and then click Properties.
5. Select the Enabled check box.
6. Select the Accept some domain suffixes option.
7. In the Accepted domains box, type the accepted domain of each user domain that should be able to consume rights-protected content on a new line, and then click OK.
Verify
To perform this procedure, you must be a member of the local Users group, or you must have been delegated the appropriate authority.
Note: Microsoft Office Word 2007 is used as an example in this section. Any AD RMS-enabled application can be used in place of Word 2007.
To verify that AD RMS is configured correctly, do the following:
1. Log on to an AD RMS-enabled client computer.
2. Click Start, point to All Programs, point to Microsoft Office, and then click Microsoft Office Word 2007.
3. In the new document, type This is a test document.
4. Click the Microsoft Office Start Button, point to Prepare, point to Restrict Permissions, and then click Restricted Access.
5. Select the Restrict permissions to this document check box.
6. Type another AD RMS user's e-mail address in the Read box, and then click OK.
7. Send this file to the person who was granted access in step 6.
8. Have this person open the document and verify that he or she cannot do anything else with the document, such as print it.