Microsoft KB Archive/830694

= You Cannot Create a Trusted Publishing Domain =

Article ID: 830694

Article Last Modified on 11/3/2003


APPLIES TO


 * Microsoft Windows Rights Management Services (RMS) for Windows Server 2003




SYMPTOMS
When you try to create a trusted publishing domain, you cannot transfer a private key from the hardware security module (HSM) that exists on one server to the HSM that exists on another server. Therefore, you cannot create the trusted publishing domain.



CAUSE
The cause of this problem depends on the types of the HSMs and the configuration of the associated HSM devices.



RESOLUTION
To resolve this problem, follow these steps:
 * 1) To help secure the RMS private key for a server, reconfigure Microsoft Windows Rights Management Services (RMS) to use the default, software-based private key protection method.
 * 2) From this server, export the RMS private key to a file.
 * 3) From another server, import the RMS private key from the file that you exported the key to in the previous step.



STATUS
This behavior is by design.



MORE INFORMATION
To create a trusted publishing domain, each server (for example, server A) must be able to decrypt content that is published by the other server (for example, server B). To decrypt content that is published by server B, server A must have access to the private key on server B.

If a server stores a private key in an HSM, you must transfer this private key to the HSM that exists on the other server. To perform this transfer, follow the instructions in the HSM documentation.

Note: If you use an HSM to help protect your RMS private key, before you import a server licensor certificate from an RMS installation that uses software-based private key protection, you must specify a private key password on the Security settings page of your server.

Keywords: kbtrusts kbcrypt kbsecurity kbprb kbdomain KB830694


© Microsoft Corporation. All rights reserved.