Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

AD RMS issues federated rights account certificates for internal AD FS 2.0 users


Symptoms

Because of changes that were made between Active Directory Federation Services (AD FS) version 1.0 and AD FS 2.0, internal users within organizations that deploy AD FS and Active Directory Rights Management Services (AD RMS) will experience changes in how rights account certificates (RACs) are issued. For users of AD FS 1.0 and AD RMS, when an internal user provides a HomeRealm URI, they will always get a standard-type RAC derived from their enterprise Active Directory deployment. For users of AD FS 2.0 and AD RMS, a temporary RAC will instead be issued that is generated by way of federated trust.

This change can be an issue in limited circumstances where a user receives a RAC by way of AD FS 2.0 because their computer was previously configured for AD FS. If this condition exists, then prelicensing for AD RMS will be broken for that user.



Cause

This change occurs because AD FS 2.0 removes support for SAML advice elements (<saml:Advice>), which were previously used for identifying users as authenticated via Active Directory. The reason this change was made was to simplify and secure code and test paths for AD FS 2.0, and because AD FS was not intended to focus on supporting licensing needs for internal users. In researching current customer usage, Microsoft did not locate any usage cases where the aforementioned symptoms should cause a problem unless the following conditions both happen to be true:

* The end user is unable to connect to the intended certification pipeline.
* The end user has an AD FS registry key that was previously configured explicitly on the local computer.



Resolution

To correct and restore pre-licensing for AD RMS in this situation, the end user will need to do the following:
* Manually delete the existing RAC on their computer that is tied to using SAML advice hints, which are no longer supported in AD FS 2.0.
* Resubmit a new RAC request and reinstall the RAC on their computer.



Keywords: kb


Article Info
Article ID : 2658870
Revision : 1
Created on : 1/7/2017
Published on : 8/16/2012
Exists online : False
Views : 79