

About Active Directory Rights Management Services

The following scenario provides a broad overview of how Active Directory Rights Management Services (AD RMS) is typically used to both publish and consume content.

  1. A person with content they want to control creates a license on their computer that specifies who can use that content (Bob down the hallway only, the marketing department only, anyone in the company, anyone in the world), when and for how long they may use it, how they may use it (printing, viewing, forwarding), and under what conditions (such as a minimum allowed application version) they may use it. This license is called an issuance license.
  2. The license creator then sends this issuance license to an AD RMS service to get it signed. This service may be within the issuer's company LAN, or externally on the Internet. The creator also sends the encryption key (the content key) that will be used to encrypt the content; at this point the content has not been encrypted yet. The service needs the content key so that it can later issue end-user licenses that deliver the key to each eligible reader without involving the creator again. If the user is going to encrypt the content themselves, they can encrypt it here (or later); if they are going to use the AD RMS encryption function DRMEncrypt, they can discard the content key after requesting a signed issuance license with the DRMGetSignedIssuanceLicense function.
  3. The license creator (or anyone else) then distributes the signed issuance license and the encrypted content to anyone they want. The issuance license must be in exactly the format and location that the consuming application is able to process, or it will not be able to find the issuance license.
  4. A content receiver sends the signed issuance license in a request to an AD RMS service (which can be any service the license creator specified). If this person is directly specified as an eligible content user (or is a member of a specified group of eligible users) the person will receive an end-user license.
  5. A content receiver then uses an AD RMS-enabled application to bind to the license and decrypt the content. If the person is not a permitted user, or if any of the time or other conditions are not fulfilled, the person will not be able to decrypt the content. The application then allows the user to exercise only the rights (print, forward within the company, play) that the license specifies; enforcing those rights on the decrypted content is the application's responsibility, not the service's.
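The five steps above as a runnable model, added here as an illustration and not taken from the AD RMS SDK or from this page: JSON dictionaries stand in for XrML, HMAC-SHA256 over the sorted JSON stands in for the server's RSA signature, and an HMAC-CTR keystream stands in for both the public-key wrapping of the content key and the symmetric content cipher. The keys, user names, group membership and sample content are all constructed for the example. It shows two things the prose only implies: the content key leaves the publisher only inside the signed issuance license, so the service can issue end-user licenses later without the publisher, and every condition (principal or group, validity window, minimum application version, requested right) is checked before anything is decrypted.

```python
# Simplified model of the AD RMS publish/consume flow. Added example, not SDK code.
# HMAC-SHA256 and an HMAC-CTR keystream stand in for the RSA signatures, key wrapping
# and symmetric cipher AD RMS really uses; dicts stand in for XrML. Everything below
# (keys, users, groups, content) is constructed for the example.
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone

SERVER_KEY = b"constructed-adrms-server-secret"          # stand-in for the server licensor key
USER_KEYS = {"bob@contoso.com": b"constructed-bob-rac",   # stand-in for each user's RAC key
             "eve@contoso.com": b"constructed-eve-rac"}
GROUPS = {"marketing@contoso.com": {"bob@contoso.com"}}  # stand-in for AD group membership


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(key, data):
    """Encrypt data under key (stand-in for 'encrypt to this party's public key')."""
    nonce = secrets.token_bytes(16)
    return (nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))).hex()


def unwrap(key, blob):
    raw = bytes.fromhex(blob)
    nonce, ct = raw[:16], raw[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def sign(key, obj):
    return hmac.new(key, json.dumps(obj, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def verify(key, obj, sig):
    return hmac.compare_digest(sign(key, obj), sig)


# Step 1: the publisher states who may use the content, which rights, and under what conditions.
def create_issuance_license(principals, rights, valid_from, valid_until, min_app_version):
    return {"principals": sorted(principals), "rights": sorted(rights),
            "valid_from": valid_from.isoformat(), "valid_until": valid_until.isoformat(),
            "min_app_version": min_app_version}


# Step 2: the service signs the license. The content key rides inside it, wrapped so that only
# the service can recover it; the publisher need not stay online or share the key with readers.
def get_signed_issuance_license(il, content_key):
    il = dict(il, wrapped_content_key=wrap(SERVER_KEY, content_key))
    return {"license": il, "signature": sign(SERVER_KEY, il)}


# Step 4: a reader presents the signed issuance license; if eligible (directly or via a group),
# the service returns an end-user license with the content key re-wrapped to that reader's key.
def acquire_end_user_license(signed_il, user):
    il, sig = signed_il["license"], signed_il["signature"]
    if not verify(SERVER_KEY, il, sig):
        raise PermissionError("issuance license signature invalid or license tampered")
    eligible = user in il["principals"] or any(user in GROUPS.get(g, ()) for g in il["principals"])
    if not eligible:
        raise PermissionError(f"{user} is not a licensed principal")
    content_key = unwrap(SERVER_KEY, il["wrapped_content_key"])
    eul = {k: il[k] for k in ("rights", "valid_from", "valid_until", "min_app_version")}
    eul.update(user=user, wrapped_content_key=wrap(USER_KEYS[user], content_key))
    return {"license": eul, "signature": sign(SERVER_KEY, eul)}


# Step 5: the consuming application binds to the EUL, checks every condition, and only then
# decrypts; refusing rights the license does not grant is the application's job.
def bind_and_decrypt(signed_eul, user, app_version, right, encrypted_content, now):
    eul, sig = signed_eul["license"], signed_eul["signature"]
    if not verify(SERVER_KEY, eul, sig) or eul["user"] != user:
        raise PermissionError("end-user license invalid for this user")
    if not datetime.fromisoformat(eul["valid_from"]) <= now <= datetime.fromisoformat(eul["valid_until"]):
        raise PermissionError("outside the license validity window")
    if app_version < eul["min_app_version"]:
        raise PermissionError("application version below the licensed minimum")
    if right not in eul["rights"]:
        raise PermissionError(f"right '{right}' not granted")
    return unwrap(unwrap(USER_KEYS[user], eul["wrapped_content_key"]), encrypted_content)


def _denied(fn, *args):
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


def run_scenario(now=None):
    """Walk the five steps once and report which checks allowed or refused access."""
    now = now or datetime.now(timezone.utc)
    plaintext = b"Q3 launch plan (constructed sample content)"
    content_key = secrets.token_bytes(32)
    il = create_issuance_license({"marketing@contoso.com"}, {"view", "print"},
                                 now - timedelta(hours=1), now + timedelta(days=7), 2)
    signed_il = get_signed_issuance_license(il, content_key)
    encrypted = wrap(content_key, plaintext)   # Step 3: the signed IL and ciphertext ship together
    del content_key                            # the publisher can drop the key after step 2
    bob = acquire_end_user_license(signed_il, "bob@contoso.com")
    tampered = {"license": dict(signed_il["license"], rights=["forward", "print", "view"]),
                "signature": signed_il["signature"]}
    return {
        "bob_view": bind_and_decrypt(bob, "bob@contoso.com", 3, "view", encrypted, now) == plaintext,
        "bob_forward_denied": _denied(bind_and_decrypt, bob, "bob@contoso.com", 3, "forward", encrypted, now),
        "old_app_denied": _denied(bind_and_decrypt, bob, "bob@contoso.com", 1, "view", encrypted, now),
        "expired_denied": _denied(bind_and_decrypt, bob, "bob@contoso.com", 3, "view", encrypted,
                                  now + timedelta(days=8)),
        "eve_denied": _denied(acquire_end_user_license, signed_il, "eve@contoso.com"),
        "tampered_il_denied": _denied(acquire_end_user_license, tampered, "bob@contoso.com"),
    }


if __name__ == "__main__":
    print(json.dumps(run_scenario(), indent=2))
```

Running the script prints the outcome of each check. Because the rights list and the wrapped content key sit inside the signed part of the license, a reader who edits the rights before step 4 invalidates the signature instead of gaining "forward"; the final check, refusing a right the license does not grant, is the part that AD RMS leaves to the consuming application rather than the service.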

The AD RMS SDK is used to produce both publishing and consuming applications. These are introduced in the following sections. Note that the two types can be incorporated into one application.

Publishing Applications

Using the AD RMS client API, a publishing application identifies users who may access digital assets, and specifies the rights to these assets that qualified users will be granted. The rights data is converted into an XrML license through interaction with the AD RMS service.

The components of an application designed to publish content protected by AD RMS include the following:

  • Document-creation program (does not necessarily have to use AD RMS functions)
  • License store to handle the necessary licenses
  • AD RMS client API to specify issuance license conditions
  • Microsoft CryptoAPI or other cryptography used to create the symmetric key (content key). This component is optional.
  • The lockbox. For more information, see Lockboxes and Machine Activation.

Consuming Applications

The components of an application designed to use content licensed by AD RMS include the following:

  • Document-consuming program (must include the AD RMS functions)
  • License store to handle the necessary licenses
  • AD RMS client API
  • The lockbox. For more information, see Lockboxes and Machine Activation.

Publishing applications and consuming applications both interact with the AD RMS service through the AD RMS client API.

The fundamental architectural features of rights management applications are described in the following sections.

Section                        Description
------------------------------ -----------
Lockboxes                      Describes the lockbox.
User Identity                  Describes how a user's identity is ensured by AD RMS.
Certificate Hierarchies        Describes the chain of trust that validates licenses, certificates, users, and computers.
Server Self-Enrollment         Describes how you can enroll a server in the certificate hierarchy without sending information to Microsoft.
Activation                     Explains how devices and users are activated for use by AD RMS.
Service Discovery              Describes service discovery methods used to find activation servers.
Content Preparation            Describes how content must be prepared for licensing.
Licenses and Certificates      An overview of licenses and certificates in AD RMS.
License Management             Describes license storage and management by applications.
End-User License Acquisition   Describes the basic license acquisition scenarios used by AD RMS.
Interpreting XrML Rights       Describes an application's responsibilities versus AD RMS responsibilities when interpreting XrML rights.
Exercising Rights              Describes how to exercise the rights specified in a license.
Revocation                     Describes how to revoke access to content already granted.
Exclusion                      Describes how to prevent a compromised rights account certificate, lockbox, or unwanted operating system or application version from acquiring more licenses.

See Also

Using Active Directory Rights Management Services

Build date: 3/13/2008