User Identity
A user is identified on a machine by their rights account certificate, the leaf certificate in a signed certificate chain that leads back to the root of trust. Currently supported identifier types are a Windows security ID (SID) and a Passport user ID (PUID); in either case the identity is carried in the form someone@example.com.
A rights account certificate holds a public/private key pair assigned to the user by an Active Directory Rights Management Services (AD RMS) certification service. The private key in the rights account certificate is encrypted with the public key of the machine certificate, so the certificate is usable only on the machine it was issued for. The public key in the rights account certificate is what the AD RMS server uses to encrypt the content key in an end-user license.
When a service issues a rights account certificate, it keeps a copy of the key pair. If the user later acquires a rights account certificate on another machine, the new certificate contains the same key pair, so the end-user licenses and issuance licenses the user already holds remain usable, and content encrypted to the same end-user license can be shared across the user's computers.
A user can have more than one rights account certificate, so an application may have to enumerate them to find the one to use when binding to a license. To decide whether a candidate certificate is the right one, use the license querying functions to find the issuer of the root certificate in the chain; that tells you whether the chain belongs to the Pre-production or the Production hierarchy.
You can also check whether the issuer of the leaf certificate matches the issuer of the issuance license or end-user license. This check is not conclusive: if a trust agreement exists between the two issuers, a license can still be bound with a rights account certificate from a different issuer. The reliable practice is to attempt the bind and handle a failure.
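The enumerate-and-select logic of the two paragraphs above, as an added Python model; it is not AD RMS SDK code. It parses a constructed, trimmed-down rights account certificate chain (concatenated XrML documents, leaf first and root last), classifies the chain by its root issuer, tries candidates whose leaf issuer matches the license issuer first, and still attempts the bind on the others because of the trust-agreement caveat. The root identifiers, server GUIDs and names are placeholders; the try_bind callback stands in for the SDK's DRMCreateBoundLicense call, and the chain strings stand in for what DRMEnumerateLicense returns.

```python
"""Added example, not code from the AD RMS SDK: choosing among a user's
rights account certificates (RACs) when binding to a license.

Assumptions (all constructed for this example):
- A RAC chain is one string of concatenated <XrML> documents, leaf first and
  root last, trimmed to the ISSUER and ISSUEDPRINCIPALS elements.
- KNOWN_ROOTS maps placeholder root issuer IDs to a hierarchy name; real code
  compares against the real Production / Pre-production root identity.
- try_bind(chain) -> bool stands in for DRMCreateBoundLicense.
"""
import xml.etree.ElementTree as ET
from typing import Callable, List, NamedTuple, Optional


class Cert(NamedTuple):
    issuer_id: str
    issuer_name: str
    subject_id: str


# Hypothetical root identifiers; only the shape of the mapping matters here.
KNOWN_ROOTS = {"{ROOT-PROD}": "Production", "{ROOT-PREPROD}": "Pre-production"}


def _xrml(issuer_id: str, issuer_name: str, subject_id: str) -> str:
    """Build one constructed XrML certificate (shape only; no real key material)."""
    return (
        '<XrML version="1.2"><BODY type="LICENSE" version="3.0">'
        f'<ISSUER><OBJECT type="MS-DRM-Server"><ID type="MS-GUID">{issuer_id}</ID>'
        f'<NAME>{issuer_name}</NAME></OBJECT><PUBLICKEY>placeholder</PUBLICKEY></ISSUER>'
        '<ISSUEDPRINCIPALS><PRINCIPAL><OBJECT type="Group-Identity">'
        f'<ID type="Windows">{subject_id}</ID></OBJECT></PRINCIPAL></ISSUEDPRINCIPALS>'
        '</BODY></XrML>'
    )


def _chain(cert_svc_id: str, cert_svc_name: str, root_id: str, root_name: str) -> str:
    """Leaf (user) -> certification service -> self-issued root."""
    return (
        _xrml(cert_svc_id, cert_svc_name, "someone@example.com")
        + _xrml(root_id, root_name, cert_svc_id)
        + _xrml(root_id, root_name, root_id)
    )


# Constructed sample: three RACs for the same user, as an enumeration might return them.
SAMPLE_RACS = [
    _chain("{CONTOSO-CERT}", "Contoso Certification", "{ROOT-PREPROD}", "Pre-production Root"),
    _chain("{CONTOSO-CERT}", "Contoso Certification", "{ROOT-PROD}", "Production Root"),
    _chain("{FABRIKAM-CERT}", "Fabrikam Certification", "{ROOT-PROD}", "Production Root"),
]


def parse_chain(chain_text: str) -> List[Cert]:
    """Split the concatenated <XrML> documents and pull issuer and subject out of each."""
    wrapper = ET.fromstring("<chain>" + chain_text + "</chain>")
    docs = wrapper.findall("XrML")
    if not docs:
        raise ValueError("no XrML certificates in chain")
    chain = []
    for doc in docs:
        issuer = doc.find("BODY/ISSUER/OBJECT")
        subject = doc.find("BODY/ISSUEDPRINCIPALS/PRINCIPAL/OBJECT/ID")
        if issuer is None or subject is None:
            raise ValueError("certificate lacks ISSUER or ISSUEDPRINCIPALS")
        chain.append(Cert(issuer.findtext("ID", ""), issuer.findtext("NAME", ""), subject.text or ""))
    return chain


def hierarchy_of(chain: List[Cert]) -> str:
    """Classify the chain by the issuer of its root (last) certificate."""
    return KNOWN_ROOTS.get(chain[-1].issuer_id, "Unknown")


def choose_rac(chains: List[List[Cert]], wanted_hierarchy: str, license_issuer_id: str,
               try_bind: Callable[[List[Cert]], bool]) -> Optional[int]:
    """Return the index of the first RAC that binds, or None.

    1. Drop chains from the wrong hierarchy (the root-issuer check is reliable).
    2. Try chains whose leaf issuer matches the license issuer first.
    3. Still try the rest: under a trust agreement a RAC from another issuer can
       bind, so an issuer mismatch alone does not disqualify a candidate.
    """
    candidates = [(i, c) for i, c in enumerate(chains) if hierarchy_of(c) == wanted_hierarchy]
    candidates.sort(key=lambda ic: ic[1][0].issuer_id != license_issuer_id)  # matches first
    for i, chain in candidates:
        if try_bind(chain):
            return i
    return None


if __name__ == "__main__":
    chains = [parse_chain(s) for s in SAMPLE_RACS]
    # License issued by Fabrikam; pretend only the Contoso production RAC binds (trust agreement).
    binds = lambda c: c[0].issuer_id == "{CONTOSO-CERT}" and hierarchy_of(c) == "Production"
    print("selected RAC index:", choose_rac(chains, "Production", "{FABRIKAM-CERT}", binds))
```

The issuer comparison only orders the attempts; the bind result is what decides, which is the page's recommendation. In a real client the chain text for each candidate comes from the SDK enumeration call, and try_bind wraps the bound-license creation and treats its failure HRESULT as "try the next one".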
A certification service can also issue temporary rights account certificates: valid certificates with a short validity period. They let a user exceed the quota of rights account certificates, or obtain a rights account certificate on a shared computer. The service administrator sets the validity period; the default is fifteen minutes.
Note: User identity is also known as federation identity. The term "federation" still appears in XrML licenses, whose format is defined by an independent consortium.
See Also
Certificate Hierarchies
About Active Directory Rights Management Services
Rights Account Certificates
Service Discovery
User Activation
Build date: 3/13/2008