By default AD Rights Management cluster certificate pipeline ACL is configured to allow only local system account. All the web front end servers in your SharePoint farm must be granted read and execute permission. In addition IIS application pool account and Server Farm account also need read and execute permission assigned
Logon to RMS server
Navigate to C:\Inetpub\wwwrot\_wmcs\Certification.
Right-click ServerCertification.asmx, click Properties, and then click the Security tab.
Click Advanced, click Edit, select the Include inheritable permissions from this object’s parent check box, and then click OK twice.
Click Object Types, select the Computers check box, and then click OK.
Add the web front end server and assign read/execute and read permissions
Repeat the above steps for all web front ends in your farm, server farm account and application pool account.
From the command prompt run “iisreset /noforce”
You are now ready to integrate MOSS with AD RMS
PingBack from http://microsoft-sharepoint.simplynetdev.com/sharepoint-considerations-when-configuring-ad-rights-management-cluster/