Contents

AD RMS Microsoft Federation Gateway Support Installation and Configuration Guide
  About this guide
Microsoft Federation Gateway Support Overview
Deploying and Configuring Microsoft Federation Gateway Support
  Checklist: Deploying Microsoft Federation Gateway Support
  Important considerations for installing AD RMS Microsoft Federation Gateway Support
  Adding Microsoft Federation Gateway Support
  Enrolling and Enabling Microsoft Federation Gateway Support
Managing Microsoft Federation Gateway Support
  Managing Licensing Domains
  Managing Publishing Domains
  Managing Microsoft Federation Gateway Support Certificates
    About Microsoft Federation Gateway Support Certificates
    Updating the Token Decryption Certificate
    Updating the Microsoft Federation Gateway Certificate
    Setting the Microsoft Federation Gateway Support RAC Validity Period
  Disabling Microsoft Federation Gateway Support
  Terminating the Federation Relationship
Removing Microsoft Federation Gateway Support
AD RMS Microsoft Federation Gateway Support Installation and Configuration Guide

Microsoft Federation Gateway Support is a new feature of Active Directory Rights Management Services (AD RMS) introduced in Service Pack 1 (SP1) for Windows Server 2008 R2. Microsoft Federation Gateway Support enables an AD RMS cluster to federate to the Microsoft Federation Gateway, which acts as a trusted broker between organizations. By establishing these federation relationships, organizations can configure applications such as Microsoft Exchange Server 2010 with SP1 to create messages that are secured by AD RMS and yet can still be accessed by users who belong to an external organization.

Important
Because of changes to the Microsoft Federation Gateway service, if you installed a prerelease version of Windows Server 2008 R2 SP1 and federated with the Microsoft Federation Gateway, you must terminate the federation with the Microsoft Federation Gateway and then enroll with the Microsoft Federation Gateway again. For more information, see Terminating the Federation Relationship and Enrolling and Enabling Microsoft Federation Gateway Support. This change must also be made on any federation partner, such as servers running Microsoft Exchange Server 2010 SP1, that was federated with the Microsoft Federation Gateway during the Windows Server 2008 R2 SP1 beta release period. For information about creating a federated trust between a Microsoft Exchange 2010 organization and the Microsoft Federation Gateway, see Create a Federation Trust (http://go.microsoft.com/fwlink/?linkid=203461).

About this guide

This guide is intended for AD RMS administrators who want to federate their AD RMS clusters with an external organization by using the Microsoft Federation Gateway. By following the checklist provided in this guide, you should be able to deploy Microsoft Federation Gateway Support on your AD RMS cluster and configure it to establish a federated relationship with one or more external organizations. This guide also provides information on managing Microsoft Federation Gateway Support and on removing it when it is no longer required.

This guide contains the following subjects:
- Microsoft Federation Gateway Support Overview
- Deploying and Configuring Microsoft Federation Gateway Support
- Managing Microsoft Federation Gateway Support
- Removing Microsoft Federation Gateway Support
Microsoft Federation Gateway Support Overview

The Microsoft Federation Gateway is an identity service that runs over the Internet and mediates between an organization or business and the external services that the organization wants to use. The gateway connects users and other identities to the services that it works with, so that an organization only has to manage a single identity-federation relationship to enable its identities to access all Microsoft and Microsoft-based services they want to use.

The Microsoft Federation Gateway provides applications with a simple, standards-based method of establishing trust between separate organizations that uses SSL certificates to prove domain ownership. Because the organizations federate with the gateway instead of with each other, it is much easier for an organization to establish trust relationships with multiple partners than is possible with conventional one-to-one federation or other trust relationships.

The scope of Active Directory Rights Management Services (AD RMS) federation can be controlled by creating allow or deny lists of users and domains for licensing and by specifying the domains that can receive publishing licenses. This ensures that only appropriate organizations are given access to protected information.

Microsoft Federation Gateway Support in Windows Server 2008 R2 Service Pack 1 (SP1) enables AD RMS to federate with the Microsoft Federation Gateway to authenticate users for certification and licensing. For example, Microsoft Exchange Server 2010 SP1 is designed to take advantage of this capability by enabling messages protected by AD RMS to be sent between organizations that do not share an Active Directory Domain Services (AD DS) infrastructure. When the Exchange Server 2010 SP1 infrastructure is configured to take advantage of these features, users can send AD RMS-protected e-mail messages to recipients outside the sender's organization, and those recipients can then view the messages by using Exchange Server 2010 Outlook Web App. Also, senders can grant recipient organizations that use Exchange Server 2010 SP1 permission to decrypt content for such purposes as journaling and malware scanning.

For more information about the Microsoft Federation Gateway, see Microsoft Federation Gateway (http://go.microsoft.com/fwlink/?linkid=196467) on MSDN. For more information about how to deploy Microsoft Federation Gateway Support on AD RMS, see Deploying and Configuring Microsoft Federation Gateway Support.

Deploying and Configuring Microsoft Federation Gateway Support

The topics in this section are designed to help you add Microsoft Federation Gateway Support to your Active Directory Rights Management Services (AD RMS) cluster. Some tasks, such as adding the Microsoft Federation Gateway Support service to an AD RMS server, are performed on each server in an AD RMS cluster. Other tasks configure the entire cluster and need only be performed on a single server in the cluster. Follow the steps in Checklist: Deploying Microsoft Federation Gateway Support to ensure that you perform each task correctly and in the proper order.

This section contains the following topics:
- Checklist: Deploying Microsoft Federation Gateway Support
- Adding Microsoft Federation Gateway Support
- Enrolling and Enabling Microsoft Federation Gateway Support

Checklist: Deploying Microsoft Federation Gateway Support

The steps in this checklist describe the tasks required to install and configure Microsoft Federation Gateway Support on an Active Directory Rights Management Services (AD RMS) cluster. For more information about the Microsoft Federation Gateway, see Microsoft Federation Gateway Support Overview.

1. If you have not already done so, on each server in the cluster assign a Secure Sockets Layer (SSL) certificate to the Web site that is hosting the AD RMS cluster and configure the cluster to use SSL-encrypted connections. The certificate must be from a certification authority that is trusted by the Microsoft Federation Gateway. For more information, see Important considerations for installing AD RMS Microsoft Federation Gateway Support.
2. If you have rights policy templates that grant user rights to Anyone, you should consider modifying them to prevent granting rights to external users who are authenticated through the Microsoft Federation Gateway. For information on changing a rights policy template, see Edit a Rights Policy Template.
3. To ensure that you can recover your AD RMS cluster in case of a problem, back up your AD RMS databases. The AD RMS databases have names that begin with the DRMS_ prefix. The method and procedure you use to back up the databases will depend on the server on which they are stored and the procedure that you typically follow to back up that server's databases.
4. On each server of the AD RMS cluster, install Service Pack 1 for Windows Server 2008 R2 and then add Microsoft Federation Gateway Support to each server in the cluster by following the instructions in Adding Microsoft Federation Gateway Support.
5. On one server in the AD RMS cluster, enroll the cluster with the Microsoft Federation Gateway and then enable Microsoft Federation Gateway Support by following the instructions in Enrolling and Enabling Microsoft Federation Gateway Support.

Caution
Before uninstalling Service Pack 1 for Windows Server 2008 R2, you must remove Microsoft Federation Gateway Support from the AD RMS cluster. Failure to do this may cause an inconsistent configuration of your AD RMS cluster. For more information, see Removing Microsoft Federation Gateway Support.
Important considerations for installing AD RMS Microsoft Federation Gateway Support

The following is a list of things that should be considered before you install AD RMS with Microsoft Federation Gateway Support:

- The AD RMS cluster must be configured to use an SSL-encrypted connection that uses a certificate that the Microsoft Federation Gateway trusts. To prove your ownership of the domain that you want to federate with the Microsoft Federation Gateway, you must own the X.509 SSL certificate for that domain. It must be from one of the trusted root certification authorities (CAs) that are configured in the Microsoft Federation Gateway. The following table lists those CAs.

| CA certificate friendly name | Issued to | Intended purposes |
|---|---|---|
| Entrust (http://go.microsoft.com/fwlink/?linkid=162663) | Entrust.net Secure Server Certification Authority | Server authentication, client authentication, code signing, secure messaging, IP security tunnel termination, Internet Protocol security (IPsec) user, Internet Protocol security (IPsec) Internet Key Exchange (IKE) intermediate, time stamping, file-system encryption |
| Go Daddy Class 2 Certification Authority (http://go.microsoft.com/fwlink/?linkid=162664) | Go Daddy Class 2 Certification Authority | Server authentication, client authentication, secure messaging, code signing |
| Network Solutions (http://go.microsoft.com/fwlink/?linkid=162665) | Network Solutions Certificate Authority | Server authentication, client authentication, secure messaging, code signing, time stamping |
| VeriSign Class 3 Public Primary CA (http://go.microsoft.com/fwlink/?linkid=162667) | Class 3 Public Primary Certification Authority | Secure messaging, client authentication, code signing, server authentication |
| VeriSign | VeriSign Class 3 Public Primary Certification Authority | Secure messaging, client authentication, code signing, server authentication |
| VeriSign Trust Network | | Secure messaging, client authentication, code signing, server authentication |
| VeriSign | VeriSign Class 3 Public Primary Certification Authority - G5 | Server authentication, client authentication, secure messaging, code signing |

- The SSL certificate that you use to enroll with the Microsoft Federation Gateway must be a certificate that shows ownership of the AD RMS cluster's extranet URL. If the AD RMS cluster is configured with an intranet URL that is different from the extranet URL, and if the intranet URL is not a domain name that can be accessed from the Internet, you must install the SSL certificate associated with the extranet URL on this AD RMS server and then select that certificate when enrolling with the Microsoft Federation Gateway.

- If the SSL certificate contains a subject alternative name (SAN), the last entry in the SAN list must be the fully qualified domain name of the domain you want to enroll with the Microsoft Federation Gateway.

- To avoid conflicts, you should not enroll your AD RMS cluster with the Microsoft Federation Gateway by using the same URL that has been used to federate another resource with the Microsoft Federation Gateway. Other federated relationships to the Microsoft Federation Gateway can include (but are not limited to) federations to Microsoft Online and Microsoft Exchange Server. If you have already used the URL that your AD RMS cluster uses as its external URL to federate with the Microsoft Federation Gateway for another purpose, you must enroll the AD RMS cluster with the Microsoft Federation Gateway by creating and using a certificate that contains the AD RMS URL as the last entry in the SAN and has a common name (CN) that is not the same as the registered resource.

  For example, if the DNS name of your AD RMS server is resource.contoso.com, and if that name has already been used by another resource that has been federated to the Microsoft Federation Gateway, you can create a certificate in the following format to avoid federation conflicts:

    Subject: CN=adrmsservice.contoso.com
    SAN: DNS Name=adrmsservice.contoso.com
         DNS Name=resource.contoso.com

- The virtual directories that are created for use by Microsoft Federation Gateway Support use http://. Because of this, your firewall must be configured to allow http:// traffic to pass through. Note, however, that the http:// transactions for Microsoft Federation Gateway Support use message-level security.
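The certificate rules above (last SAN entry, non-conflicting CN, gateway-trusted root) can be verified before you run the enrollment wizard. The following PowerShell script is an added example, not part of this guide or of AD RMS; it assumes the guide's sample host name resource.contoso.com, a placeholder thumbprint for the extranet SSL certificate in the local machine store, and a hypothetical list of names you have already federated for other resources.

```powershell
# Added example (not from the guide): pre-enrollment check of the SSL
# certificate that AD RMS will present to the Microsoft Federation Gateway.
param(
    # Host name of the AD RMS cluster's extranet URL (sample from the guide).
    [string]$EnrollFqdn = 'resource.contoso.com',

    # Names already federated with the gateway for other resources (assumed;
    # supply your own). The certificate CN must not be one of these.
    [string[]]$AlreadyFederatedNames = @('resource.contoso.com'),

    # Thumbprint of the SSL certificate bound to the extranet URL (placeholder).
    [string]$Thumbprint = '<THUMBPRINT-OF-EXTRANET-SSL-CERT>'
)

# "Issued to" names of the gateway-trusted root CAs from the guide's table.
$TrustedRootSubjects = @(
    'Entrust.net Secure Server Certification Authority',
    'Go Daddy Class 2 Certification Authority',
    'Network Solutions Certificate Authority',
    'Class 3 Public Primary Certification Authority',
    'VeriSign Class 3 Public Primary Certification Authority',
    'VeriSign Class 3 Public Primary Certification Authority - G5'
)

function Get-SanDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OID 2.5.29.17 is Subject Alternative Name. Format($true) renders one
    # entry per line, e.g. "DNS Name=adrmsservice.contoso.com" (the label is
    # localized on non-English systems; adjust the pattern if needed).
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    foreach ($line in ($ext.Format($true) -split "`r?`n")) {
        if ($line -match '^\s*DNS Name=(.+?)\s*$') { $Matches[1] }
    }
}

function Test-FederationCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Fqdn,
        [string[]]$ConflictingNames
    )
    $problems = @()
    $simple = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    # SimpleName is the CN, falling back to OU/O when the subject has no CN
    # (the old VeriSign Class 3 root uses an OU instead of a CN).
    $cn  = $Cert.GetNameInfo($simple, $false)
    $san = @(Get-SanDnsNames -Cert $Cert)

    # Rule 1: when a SAN is present, its LAST entry must be the enrolled FQDN.
    if ($san.Count -gt 0) {
        if ($san[-1] -ne $Fqdn) {
            $problems += "Last SAN entry is '$($san[-1])', expected '$Fqdn'."
        }
    } elseif ($cn -ne $Fqdn) {
        $problems += "No SAN present and CN '$cn' does not match '$Fqdn'."
    }

    # Rule 2: the CN must not be a name already federated for another resource.
    if ($ConflictingNames -contains $cn) {
        $problems += "CN '$cn' is already federated for another resource; " +
                     "use a different CN with '$Fqdn' as the last SAN entry."
    }

    # Rule 3: the chain must end in one of the gateway-trusted roots.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null  = $chain.Build($Cert)
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $rootCn = $root.GetNameInfo($simple, $false)
    if ($TrustedRootSubjects -notcontains $rootCn) {
        $problems += "Chain ends in '$rootCn', not a gateway-trusted CA."
    }

    # Rule 4 (assumed 30-day window): warn before expiry, because the token
    # decryption certificate must be updated whenever the SSL cert changes.
    if ($Cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $problems += "Certificate expires $($Cert.NotAfter); plan the update."
    }

    [pscustomobject]@{
        Subject  = $Cert.Subject
        SanNames = $san
        Root     = $rootCn
        Problems = $problems
        Ready    = ($problems.Count -eq 0)
    }
}

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
Test-FederationCertificate -Cert $cert -Fqdn $EnrollFqdn `
    -ConflictingNames $AlreadyFederatedNames | Format-List
```

Run it on the server where the extranet SSL certificate is installed; a non-empty Problems list means the wizard's Browse step should point at a different certificate.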
Adding Microsoft Federation Gateway Support

Windows Server 2008 R2 with Service Pack 1 (SP1) must be installed on every server in your Active Directory Rights Management Services (AD RMS) cluster before you can add Microsoft Federation Gateway Support to the servers in your cluster.

Membership in the AD RMS Enterprise Administrators and the local Administrators group, or equivalent, is the minimum required to complete this procedure.

Important
Before adding Microsoft Federation Gateway Support, back up the AD RMS configuration database.

To add Microsoft Federation Gateway Support

1. Log on to a server in the AD RMS cluster.
2. Open the Active Directory Rights Management Services console and expand the AD RMS cluster.
3. In the console tree, click Trust Policies, and then in the Actions pane, click Add Microsoft Federation Gateway Support.
4. When the Microsoft Federation Gateway wizard appears, click Next.
5. Click Finish.
6. Repeat steps 1-5 on all other servers in the AD RMS cluster.

Caution
Before uninstalling Service Pack 1 for Windows Server 2008 R2, you must remove Microsoft Federation Gateway Support from the AD RMS cluster. Failure to do this may cause an inconsistent configuration of your AD RMS cluster. For more information, see Removing Microsoft Federation Gateway Support.

See also: Checklist: Deploying Microsoft Federation Gateway Support

Enrolling and Enabling Microsoft Federation Gateway Support

To use the Microsoft Federation Gateway, after you add Microsoft Federation Gateway Support you must enroll your Active Directory Rights Management Services (AD RMS) cluster with the Microsoft Federation Gateway. After this, you must configure and enable Microsoft Federation Gateway Support. The following procedure explains this process.

Membership in the AD RMS Enterprise Administrators and the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To enroll the AD RMS cluster and enable Microsoft Federation Gateway Support

1. Log on to a server in the AD RMS cluster.
2. Open the Active Directory Rights Management Services console and expand the AD RMS cluster.
3. In the console tree, expand Trust Policies, and then click Microsoft Federation Gateway Support.
4. In the Actions pane, click Configure Microsoft Federation Gateway Support.
5. When the Enroll Cluster with the Microsoft Federation Gateway wizard appears, verify that the SSL certificate is the correct certificate that proves domain ownership for enrolling with the Microsoft Federation Gateway. If it is not, click Browse to select the correct certificate. For information about which certificate to select, see Important considerations for installing AD RMS Microsoft Federation Gateway Support.
6. Click Next, and then click Finish.
7. On all servers in the AD RMS cluster, do the following:
   a. Open the Active Directory Rights Management Services console and expand the AD RMS cluster.
   b. In the console tree, expand Trust Policies, and then click Microsoft Federation Gateway Support.
   c. In the Actions pane, click Grant permissions to token decryption certificate on this server.
      Note: If this link is not present in the Actions pane, the necessary permission has already been granted on this server.
8. Perform the following tasks, as needed:
   - Setting the Microsoft Federation Gateway Support RAC Validity Period
   - Managing Licensing Domains
   - Managing Publishing Domains
9. In the Actions pane, click Enable Microsoft Federation Gateway Support.

See also: Deploying and Configuring Microsoft Federation Gateway Support
Managing Microsoft Federation Gateway Support

After you enroll your Active Directory Rights Management Services (AD RMS) cluster with Microsoft Federation Gateway Support, little additional management is required beyond maintaining the list of external organizations that can receive licenses from the AD RMS cluster. Also, it may occasionally be necessary to manage the certificates that Microsoft Federation Gateway Support uses.

To establish or terminate a trust relationship with an external organization, you manage two lists of domains: the Microsoft Federation Gateway Support licensing domains and publishing domains. The list of licensing domains consists of the user and domain names owned by external organizations that you want to allow AD RMS to issue licenses to, or that you want to prevent from receiving licenses from your AD RMS cluster. The list of publishing domains contains the domain names that you want your AD RMS cluster to issue publishing licenses to. For more information about AD RMS licenses, see Understanding AD RMS certificates.

AD RMS Microsoft Federation Gateway Support relies on two certificates to ensure the authenticity of the parties in the federated relationship between AD RMS and the external organizations whose identities are brokered by the Microsoft Federation Gateway: the cluster SSL certificate, which AD RMS uses as the token decryption certificate, and the Microsoft Federation Gateway certificate, which verifies the identity of the Microsoft Federation Gateway to the AD RMS cluster. A third certificate, the rights account certificate (RAC) that AD RMS issues to identify a user who attempts to open rights-protected content, also affects federated access. You can update the token decryption certificate (when the cluster SSL certificate is about to expire, for example) and the Microsoft Federation Gateway certificate, and you can change the length of time for which AD RMS will recognize RACs that are issued to federated users.

Finally, you can control how Microsoft Federation Gateway Support functions by temporarily disabling Microsoft Federation Gateway Support, or you can terminate the federation relationship between the AD RMS cluster and the Microsoft Federation Gateway altogether.

This section provides information and instructions to help you with the following management tasks:
- Managing Licensing Domains
- Managing Publishing Domains
- Managing Microsoft Federation Gateway Support Certificates
- Disabling Microsoft Federation Gateway Support
- Terminating the Federation Relationship
Managing Licensing Domains

You can control the federated domains that the Active Directory Rights Management Services (AD RMS) cluster will provide licenses to. You can do this either by specifying the users and domains that can receive licenses, or by specifying the users and domains that will be blocked from receiving licenses.

Membership in the local AD RMS Enterprise Administrators, or equivalent, is the minimum required to complete this procedure.

To allow or block domains for licensing

1. Log on to a server in the AD RMS cluster.
2. Open the Active Directory Rights Management Services snap-in and expand the AD RMS cluster.
3. Expand Trust Policies, and then click Microsoft Federation Gateway Support.
4. In the results pane, click Manage Microsoft Federation Gateway Support.
5. In the Microsoft Federation Gateway Support dialog box, click the Licensing Domains tab.
6. Do one of the following:
   - Click Allow to specify which users and domains will be permitted to receive licenses from the AD RMS cluster.
   - Click Block to specify which users and domains will not be permitted to receive licenses from the AD RMS cluster.
7. To add a user or domain to the list, in the box type the user's e-mail address in the form user@domain.com or the domain name in the form domain.com, and then click Add. You can also use an asterisk (*) to specify all users and domains.
8. To remove a user or domain from the list, select the user's e-mail address or the domain, and then click Remove.
9. Click OK.

See also: Managing Microsoft Federation Gateway Support

Managing Publishing Domains

You can control the federated domains that the Active Directory Rights Management Services (AD RMS) cluster will provide publishing licenses to.

Membership in the AD RMS Enterprise Administrators and the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To allow domains for publishing

1. Log on to a server in the AD RMS cluster.
2. Open the Active Directory Rights Management Services snap-in and expand the AD RMS cluster.
3. Expand Trust Policies, and then click Microsoft Federation Gateway Support.
4. In the results pane, click Manage Microsoft Federation Gateway Support.
5. In the Microsoft Federation Gateway Support dialog box, click the Publishing Domains tab.
6. To add a domain to the list, in the box type the domain name, and then click Add. You can also use an asterisk (*) to specify all domains.
7. To remove a domain from the list, select the domain, and then click Remove.
8. Click OK.

See also: Managing Microsoft Federation Gateway Support

Managing Microsoft Federation Gateway Support Certificates

The certificates used by Microsoft Federation Gateway Support rarely require management, but occasionally circumstances might arise that require you to update a certificate or change how long rights account certificates (RACs) will be recognized. The topics in this section will help you perform these occasional tasks.

This section contains the following topics:
- About Microsoft Federation Gateway Support Certificates
- Updating the Token Decryption Certificate
- Updating the Microsoft Federation Gateway Certificate
- Setting the Microsoft Federation Gateway Support RAC Validity Period

About Microsoft Federation Gateway Support Certificates

This topic describes the certificates used by Microsoft Federation Gateway Support and briefly explains why you might need to manage them and how to do so.

When you add Microsoft Federation Gateway Support to the servers in your Active Directory Rights Management Services (AD RMS) cluster and enroll the cluster with the Microsoft Federation Gateway, two certificates are exchanged between your AD RMS cluster and the Microsoft Federation Gateway: a token decryption certificate and the Microsoft Federation Gateway certificate.

The token decryption certificate is an X.509 certificate that the AD RMS cluster uses to establish its identity to the Microsoft Federation Gateway. The Microsoft Federation Gateway uses this certificate when encrypting the security tokens that it sends to your AD RMS cluster. The token decryption certificate is the SSL certificate that you specify when you enroll your AD RMS cluster with the Microsoft Federation Gateway. Typically, the certificate that you specify as the token decryption certificate is the SSL certificate that you use to configure the SSL (https://) URL for the AD RMS cluster. If you use different SSL connections for your intranet and extranet URLs, you must use the SSL certificate used to configure the extranet URL. Whenever you change the certificate that you use to configure the external URL of the AD RMS cluster, you must immediately update the Microsoft Federation Gateway Support token decryption certificate.

The Microsoft Federation Gateway certificate is the certificate that the AD RMS cluster receives from the Microsoft Federation Gateway when the cluster is enrolled with the Microsoft Federation Gateway. The Microsoft Federation Gateway uses this certificate to sign the tokens that it sends to the AD RMS cluster. Normally, it is not necessary to update this certificate manually unless your AD RMS cluster is unable to do so automatically.

A third type of certificate that affects how Microsoft Federation Gateway Support operates is the rights account certificate (RAC). A standard RAC identifies a user by account credentials in the context of a specific computer or device and has a validity time measured in days. The default validity time for a standard RAC is 365 days. Because your organization might have different requirements for RACs issued to internal users and RACs issued to external (federated) users, you can change the default validity time for RACs issued by your AD RMS cluster to users federated through the Microsoft Federation Gateway.

See also: Enrolling and Enabling Microsoft Federation Gateway Support; Updating the Token Decryption Certificate; Updating the Microsoft Federation Gateway Certificate; Setting the Microsoft Federation Gateway Support RAC Validity Period

Updating the Token Decryption Certificate

You can update the token decryption certificate as needed. Because the token decryption certificate is the SSL certificate for the Active Directory Rights Management Services (AD RMS) cluster, you must update the token decryption certificate if you change the cluster SSL certificate, for example shortly before it expires. After you update the token decryption certificate, you must grant the AD RMS Services group permission to access the certificate on all servers in the AD RMS cluster.

Membership in the AD RMS Enterprise Administrators and the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To update the token decryption certificate

1. Log on to a server in the AD RMS cluster.
2. Open the Active Directory Rights Management Services snap-in and expand the AD RMS cluster.
3. Expand Trust Policies, and then click Microsoft Federation Gateway Support.
4. In the Actions pane, click Configure Microsoft Federation Gateway settings.
5. In the Enroll Cluster with Microsoft Federation Gateway wizard, click Update Microsoft Federation Gateway Settings, select Update Token Decryption Certificate, and then click Browse.
6. In the Select Certificate dialog box, select the SSL certificate of the AD RMS cluster, and then click Select. For information about which certificate to select, see Important considerations for installing AD RMS Microsoft Federation Gateway Support.
7. Click Next, and then click Finish.
8. On all servers in the AD RMS cluster, do the following:
   a. Open the Active Directory Rights Management Services console and expand the AD RMS cluster.
   b. In the console tree, expand Trust Policies, and then click Microsoft Federation Gateway Support.
   c. In the Actions pane, click Grant permissions to token decryption certificate on this server.
      Note: If this link is not present in the Actions pane, the necessary permission has already been granted on this server.

See also: About Microsoft Federation Gateway Support Certificates; Managing Microsoft Federation Gateway Support Certificates; Enrolling and Enabling Microsoft Federation Gateway Support
Updating the Microsoft Federation Gateway Certificate

You can update the Microsoft Federation Gateway certificate as needed. Normally, you do not need to update this certificate unless your Active Directory Rights Management Services (AD RMS) cluster is unable to do so automatically.

Membership in the AD RMS Enterprise Administrators and the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To update the Microsoft Federation Gateway certificate

1. Log on to a server in the AD RMS cluster.
2. Open the Active Directory Rights Management Services snap-in and expand the AD RMS cluster.
3. Expand Trust Policies, and then click Microsoft Federation Gateway Support.
4. In the Actions pane, click Configure Microsoft Federation Gateway settings.
5. In the Enroll Cluster with Microsoft Federation Gateway wizard, click Update Microsoft Federation Gateway Settings, select Update Microsoft Federation Gateway Certificate, and then click Next.
6. Click Finish.

See also: About Microsoft Federation Gateway Support Certificates; Managing Microsoft Federation Gateway Support Certificates; Enrolling and Enabling Microsoft Federation Gateway Support

Setting the Microsoft Federation Gateway Support RAC Validity Period

If your organization has different needs for how long rights account certificates (RACs) issued to internal and external (federated) users remain valid, you can configure how long the Microsoft Federation Gateway Support RAC remains valid.

Membership in the local AD RMS Enterprise Administrators, or equivalent, is the minimum required to complete this procedure.

To set the Microsoft Federation Gateway Support RAC validity period

1. Log on to a server in the AD RMS cluster.
2. Open the Active Directory Rights Management Services snap-in and expand the AD RMS cluster.
3. Expand Trust Policies, and then click Microsoft Federation Gateway Support.
4. In the results pane, click Manage Microsoft Federation Gateway Support.
5. In the Microsoft Federation Gateway Support dialog box, in Microsoft Federation Gateway RAC validity period (days), select or type the number of days you want the RAC to remain valid, and then click OK.

See also: About Microsoft Federation Gateway Support Certificates; Managing Microsoft Federation Gateway Support Certificates

Disabling Microsoft Federation Gateway Support

You can disable the Microsoft Federation Gateway Support service on a server, for example if you are preparing to remove Active Directory Rights Management Services (AD RMS) from the server.

Membership in the AD RMS Enterprise Administrators and the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To disable Microsoft Federation Gateway Support

1. Log on to a server in the AD RMS cluster.
2. Open the Active Directory Rights Management Services snap-in console and expand the AD RMS cluster.
3. In the Actions pane, click Disable Microsoft Federation Gateway Support.

See also: Managing Microsoft Federation Gateway Support

Terminating the Federation Relationship

When the Active Directory Rights Management Services (AD RMS) cluster is enrolled with the Microsoft Federation Gateway, you can discontinue the enrollment without disabling Microsoft Federation Gateway Support. You can enroll again with the Microsoft Federation Gateway later.
Membership in the AD RMS Enterprise Administrators and the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To terminate the federation relationship

1. Log on to a server in the AD RMS cluster.
2. Open the Active Directory Rights Management Services snap-in and expand the AD RMS cluster.
3. Expand Trust Policies, and then click Microsoft Federation Gateway Support.
4. In the Actions pane, click Configure Microsoft Federation Gateway settings.
5. In the Enroll Cluster with Microsoft Federation Gateway wizard, click Terminate Federation Relationship, and then verify that the SSL certificate is the correct certificate for enrolling with the Microsoft Federation Gateway. If it is not, click Browse to select the correct certificate.
6. Click Next, and then click Finish.

See also: Managing Microsoft Federation Gateway Support; Enrolling and Enabling Microsoft Federation Gateway Support

Removing Microsoft Federation Gateway Support

If you no longer want to use Microsoft Federation Gateway Support in Active Directory Rights Management Services (AD RMS), you can remove Microsoft Federation Gateway Support from your AD RMS cluster.

Caution
Before uninstalling Service Pack 1 for Windows Server 2008 R2, you must remove Microsoft Federation Gateway Support from the AD RMS cluster. Failure to do this may cause an inconsistent configuration of your AD RMS cluster.

Membership in the AD RMS Enterprise Administrators and the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To remove Microsoft Federation Gateway Support

1. Log on to a server in the AD RMS cluster.
2. Open the Active Directory Rights Management Services snap-in console and expand the AD RMS cluster.
3. In the Actions pane, click Configure Microsoft Federation Gateway settings.
4. In the Enroll Cluster with Microsoft Federation Gateway wizard, click Terminate Federation Relationship, and then verify that the SSL certificate is the certificate that was used to enroll with the Microsoft Federation Gateway. If it is not, click Browse to select the correct certificate.
5. Click Next, and then click Finish.
6. In the console tree, click Trust Policies, and then in the Actions pane, click Remove Microsoft Federation Gateway Support.
7. In the Microsoft Federation Gateway Support wizard, click Next, and then click Finish.
8. Repeat steps 6 and 7 on all other servers in the AD RMS cluster before uninstalling Service Pack 1 for Windows Server 2008 R2 from those servers.

See also: Managing Microsoft Federation Gateway Support