Using Windows Live ID to Establish RACs for Users

Updated: October 22, 2009

Applies To: Windows Server 2008 R2, Windows Server 2008 R2 with SP1

Microsoft provides an account certification service that uses Windows Live ID to establish the rights account certificate (RAC) for the user. If you want users with RACs from that service to be able to obtain use licenses from an Active Directory Rights Management Services (AD RMS) cluster, you need to set up a trusted user domain that accepts user credentials from Microsoft’s online RMS service.

Important

To use this feature, you must configure Internet Information Services (IIS) to allow access to the AD RMS licensing service, for example, by allowing anonymous access. This step is essential because the licensing service is configured to use Windows Integrated authentication by default. If IIS is not configured to allow access to the AD RMS licensing service, users with Windows Live ID-based RACs will not be able to acquire licenses.

If necessary, after support for Windows Live ID is configured, you can exclude users of this service based on their e-mail address domains.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To trust Windows Live ID-based rights account certificates

  • At the Windows PowerShell command prompt, type:

    Import-RmsTUD -Path <drive>:\TrustPolicy\TrustedUserDomain -WindowsLiveId

    where <drive> is the name of the Windows PowerShell drive.

To specify Windows Live ID e-mail domains to exclude

  1. At the Windows PowerShell command prompt, type:

    Get-ChildItem -Path <drive>:\TrustPolicy\TrustedUserDomain

    where <drive> is the name of the Windows PowerShell drive. Note the ID of the Windows Live ID TUD you want to modify.

  2. To specify which e-mail domains within the trusted user domain are trusted, at the Windows PowerShell command prompt, do one of the following:

    • If Service Pack 1 (SP1) for Windows Server® 2008 R2 is not installed, type:

      Set-ItemProperty -Path <drive>:\TrustPolicy\TrustedUserDomain\<TUD_ID> -Name ExcludedWindowsLiveID -Value <domain>[,<domain>…]

      where <drive> is the name of the Windows PowerShell drive, <TUD_ID> is the ID of the TUD you found in the previous step, and <domain> is the e-mail domain you want to exclude. You can specify more than one domain as a comma-separated list.

      For example, for a Windows PowerShell drive named Z, to configure the Windows Live ID TUD with the ID of 101 to exclude the e-mail domains fabrikam.com and fabrikam.net, at the Windows PowerShell command prompt, type:

      Set-ItemProperty -Path Z:\TrustPolicy\TrustedUserDomain\101 -Name ExcludedWindowsLiveID -Value fabrikam.com, fabrikam.net

    • If SP1 for Windows Server 2008 R2 is installed, type:

      Set-ItemProperty -Path <drive>:\TrustPolicy\TrustedUserDomain\<TUD_ID> -Name WindowsLiveIDFilteringMode -Value {Allow|Block}

      Set-ItemProperty -Path <drive>:\TrustPolicy\TrustedUserDomain\<TUD_ID> -Name WindowsLiveIdFilterList -Value <domain>[,<domain>…]

      where <drive> is the name of the Windows PowerShell drive, <TUD_ID> is the ID of the TUD you found in the previous step, and <domain> is the e-mail domain you want to allow or block. You can specify more than one domain as a comma-separated list.

      For example, for a Windows PowerShell drive named Z, to configure the Windows Live ID TUD with the ID of 101 to exclude the e-mail domains fabrikam.com and fabrikam.net, at the Windows PowerShell command prompt, type:

      Set-ItemProperty -Path Z:\TrustPolicy\TrustedUserDomain\101 -Name WindowsLiveIDFilteringMode -Value Block

      Set-ItemProperty -Path Z:\TrustPolicy\TrustedUserDomain\101 -Name WindowsLiveIdFilterList -Value fabrikam.com, fabrikam.net

      You can also configure the Windows Live ID TUD to allow only specified domains. For example, for a Windows PowerShell drive named Z, to configure the Windows Live ID TUD with the ID of 101 to allow only the e-mail domains fabrikam.com and fabrikam.net, at the Windows PowerShell command prompt, type:

      Set-ItemProperty -Path Z:\TrustPolicy\TrustedUserDomain\101 -Name WindowsLiveIDFilteringMode -Value Allow

      Set-ItemProperty -Path Z:\TrustPolicy\TrustedUserDomain\101 -Name WindowsLiveIdFilterList -Value fabrikam.com, fabrikam.net
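      The SP1 procedure above as one script that also reads the settings back and checks the IIS anonymous-access prerequisite from the Important note. This is an added example, not code from this page or from the AD RMS product; the cluster URL, the drive name Z, the TUD ID 101, the way Get-ItemProperty exposes the two properties, and the _wmcs/licensing virtual directory under Default Web Site are assumptions about a default installation.

```powershell
# Added example: apply Windows Live ID domain filtering to a TUD and verify it.
# Assumptions (not from the page): cluster URL, TUD ID 101, property names on the
# object returned by Get-ItemProperty, and the default licensing virtual directory.
param(
    [string]$ClusterUrl = 'https://rms.contoso.com',          # assumed cluster URL
    [int]$TudId = 101,                                         # ID noted from Get-ChildItem
    [ValidateSet('Allow', 'Block')][string]$Mode = 'Block',    # Block = exclude listed domains
    [string[]]$Domains = @('fabrikam.com', 'fabrikam.net')
)

Import-Module AdRmsAdmin
# Mount the AD RMS administration provider as drive Z if it is not already there.
if (-not (Get-PSDrive -Name Z -ErrorAction SilentlyContinue)) {
    New-PSDrive -PSProvider AdRmsAdmin -Name Z -Root $ClusterUrl | Out-Null
}

$tudPath = "Z:\TrustPolicy\TrustedUserDomain\$TudId"
if (-not (Test-Path $tudPath)) {
    throw "No trusted user domain with ID $TudId. List IDs with: Get-ChildItem Z:\TrustPolicy\TrustedUserDomain"
}

# Same two Set-ItemProperty calls as the procedure, with the domain list passed as an array.
Set-ItemProperty -Path $tudPath -Name WindowsLiveIDFilteringMode -Value $Mode
Set-ItemProperty -Path $tudPath -Name WindowsLiveIdFilterList -Value $Domains

# Read the values back and fail loudly if they did not stick (assumed property names).
$tud = Get-ItemProperty -Path $tudPath
$applied = @($tud.WindowsLiveIdFilterList)
$missing = $Domains | Where-Object { $applied -notcontains $_ }
if ($tud.WindowsLiveIDFilteringMode -ne $Mode -or $missing) {
    throw "Filtering not applied as requested. Mode: $($tud.WindowsLiveIDFilteringMode); missing: $($missing -join ', ')"
}
Write-Output "TUD $TudId now ${Mode}s: $($applied -join ', ')"

# Prerequisite from the Important note: the licensing service must not require Windows
# Integrated authentication, or Windows Live ID users cannot acquire use licenses.
Import-Module WebAdministration
$anon = Get-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site' -Location '_wmcs/licensing' `
    -Filter '/system.webServer/security/authentication/anonymousAuthentication' -Name enabled
if (-not $anon.Value) {
    Write-Warning 'Anonymous authentication is disabled on _wmcs/licensing; Windows Live ID RAC holders will fail to get licenses.'
}
```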

See Also

Concepts

Using Windows PowerShell to Administer AD RMS
Understanding the AD RMS Administration Provider Namespace
AD RMS Administration Cmdlets
Establishing Trust Policies

Other Resources

Understanding AD RMS Trust Policies