If you plan to use Active Directory Rights Management Services (AD RMS) with Kerberos authentication, you must take additional steps to configure the server running AD RMS after installing the AD RMS server role and provisioning the server. Specifically, you must perform these procedures:

  • Set the Internet Information Services (IIS) useAppPoolCredentials variable to True

  • Set the Service Principal Names (SPN) value for the AD RMS service account

Membership in the AD RMS Enterprise Administrators and the Enterprise Admins group in AD DS, or equivalent, is the minimum required to complete this procedure.

Set the IIS useAppPoolCredentials value to True
  1. Open an elevated command prompt window. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  2. Navigate to %windir%\system32\inetsrv.

  3. Type appcmd.exe set config -section:system.webServer/security/authentication/windowsAuthentication -useAppPoolCredentials:true.
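The appcmd command above writes the setting into applicationHost.config. The following PowerShell script is an added example (not part of the original procedure) that reads the current value back through the IIS WebAdministration module, sets it to True only when it is still False, and confirms the result. The module and its cmdlets are standard on IIS 7 and later; the -Confirm prompt and the output wording are this example's own choices.

```powershell
# Added example: verify (and if necessary set) useAppPoolCredentials for
# Windows Authentication at the server (applicationHost.config) level.
# Run from an elevated PowerShell prompt on the AD RMS server.
Import-Module WebAdministration

$filter = 'system.webServer/security/authentication/windowsAuthentication'
$psPath = 'MACHINE/WEBROOT/APPHOST'   # server-wide section, same scope as appcmd set config

$current = (Get-WebConfigurationProperty -PSPath $psPath -Filter $filter `
            -Name 'useAppPoolCredentials').Value

if ($current -eq $true) {
    Write-Output 'useAppPoolCredentials is already True; no change needed.'
}
else {
    Write-Output "useAppPoolCredentials is currently '$current'; setting it to True."
    Set-WebConfigurationProperty -PSPath $psPath -Filter $filter `
        -Name 'useAppPoolCredentials' -Value $true

    # Read it back so the script fails loudly if the write did not take effect
    $after = (Get-WebConfigurationProperty -PSPath $psPath -Filter $filter `
              -Name 'useAppPoolCredentials').Value
    if ($after -ne $true) {
        throw 'useAppPoolCredentials could not be set to True; check that the prompt is elevated.'
    }
    Write-Output 'useAppPoolCredentials is now True.'
}
```

With this attribute set to True, IIS decrypts Kerberos tickets with the application pool identity (the AD RMS service account) instead of the computer account, which is why the SPNs in the next procedure must be registered on that service account rather than on the server's computer object.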

Important

To perform the following procedure successfully, the AD RMS service account must be in the same forest as the AD RMS cluster. Also, if you change the AD RMS service account, you must delete the SPN registrations for the previous service account and then perform this procedure for the new service account.

Set the Service Principal Names (SPN) value for the AD RMS service account
  1. Open an elevated command prompt window. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  2. Type setspn -a HTTP/<ServerName> <ServiceAccountDomain>\<ServiceAccount>, where <ServerName> is the name of the server, <ServiceAccountDomain> is the name of the domain containing the AD RMS service account, and <ServiceAccount> is the name of the AD RMS service account.

  3. Type setspn -a HTTP/<ServerFQDN> <ServiceAccountDomain>\<ServiceAccount>, where <ServerFQDN> is the fully qualified domain name (FQDN) of the server.

  4. Type setspn -a HTTP/<ClusterName> <ServiceAccountDomain>\<ServiceAccount>, where <ClusterName> is the name of the AD RMS cluster.

  5. Type setspn -a HTTP/<ClusterFQDN> <ServiceAccountDomain>\<ServiceAccount>, where <ClusterFQDN> is the fully qualified domain name (FQDN) of the cluster.

Note

If the cluster is using Secure Sockets Layer (SSL), repeat steps 2 through 5, substituting HTTPS for HTTP.
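The four setspn commands above, plus the HTTPS repeats for an SSL cluster, are the same command with different host names. The script below is an added example, not part of the original procedure, that builds that list from placeholder names, queries each SPN first, registers the ones that are missing, and then runs the duplicate check. It uses setspn -S instead of the -a shown in the steps: -S refuses to register an SPN that is already held by another account, which is the failure the Important note above warns about. The -D step for a previous service account is included as an optional, commented-out block; all host and account names are placeholders to be replaced with your own.

```powershell
# Added example: register HTTP (and HTTPS) SPNs for the AD RMS service account
# and verify there are no duplicate registrations in the forest.
# All names below are placeholders, not values from the original page.
$ServerName     = 'RMSSRV01'                   # placeholder <ServerName>
$ServerFqdn     = 'rmssrv01.corp.example.com'  # placeholder <ServerFQDN>
$ClusterName    = 'rms'                        # placeholder <ClusterName>
$ClusterFqdn    = 'rms.corp.example.com'       # placeholder <ClusterFQDN>
$ServiceAccount = 'CORP\svc-adrms'             # placeholder <ServiceAccountDomain>\<ServiceAccount>
$ClusterUsesSsl = $true                        # $true -> also register HTTPS/... SPNs

# Optional: if the service account was changed, the old SPNs must go first
# (see the Important note). Uncomment and fill in the previous account.
# $PreviousServiceAccount = 'CORP\svc-adrms-old'   # placeholder

$hostNames = @($ServerName, $ServerFqdn, $ClusterName, $ClusterFqdn)
$services  = @('HTTP')
if ($ClusterUsesSsl) { $services += 'HTTPS' }

foreach ($svc in $services) {
    foreach ($h in $hostNames) {
        $spn = "$svc/$h"

        if ($PreviousServiceAccount) {
            # Remove the registration from the previous service account, if present
            & setspn.exe -D $spn $PreviousServiceAccount | Out-Null
        }

        # setspn -Q searches the forest for an existing registration of this SPN
        $query = & setspn.exe -Q $spn 2>&1
        if ($query -match 'Existing SPN found') {
            Write-Warning "$spn is already registered:`n$($query -join "`n")"
            continue
        }

        # -S adds the SPN only after confirming no other account holds it
        Write-Output "Registering $spn on $ServiceAccount"
        & setspn.exe -S $spn $ServiceAccount
        if ($LASTEXITCODE -ne 0) {
            throw "setspn -S failed for $spn (exit code $LASTEXITCODE)"
        }
    }
}

Write-Output 'Checking the forest for duplicate SPNs:'
& setspn.exe -X

Write-Output "SPNs now registered on $ServiceAccount :"
& setspn.exe -L $ServiceAccount
```

If setspn -Q reports that an SPN is already registered on a different account, Kerberos authentication to the cluster will fail with a duplicate-SPN condition even though the commands in the steps above appear to succeed, so resolve that conflict (remove the stale registration with setspn -D) before rerunning the script.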
