Activating a User Programmatically with AD RMS
Before a user can encrypt or decrypt content, the user's Active Directory account must be signed into the Active Directory Rights Management Services (AD RMS) Pre-production or Production certificate hierarchy. This process, called activating a user account, returns a certificate chain. The root of the chain is a Microsoft certification authority (CA) certificate, and the chain ends with a signed rights account certificate (RAC) that uniquely identifies the account. You can use the DRMActivate function to activate a user. This is an asynchronous function that returns immediately to your application while processing the activation request on another thread. It delivers the result to a callback function that you must create. Before you can activate a user account, you must activate the computer that the user has logged onto and retrieve a machine certificate.
Rights Account Certificates
An Active Directory Rights Management Services (AD RMS) rights account certificate (RAC) identifies a user account by signing it into the Pre-production or Production certificate hierarchy. Each RAC is tied to the machine certificate of the computer on which the user is activated. A RAC and a machine certificate must both exist before an end-user license can be created and content encrypted or decrypted. A user can have more than one RAC on a computer, one for each AD RMS service against which the user is activated, but a RAC cannot be transferred between computers. For more information, see Activate a User Account. A RAC can contain the following elements:
- The issuance date and time.
- The period over which the certificate is valid.
- A certificate type ID and name.
- The name and ID of the issuer.
- The location from which the certificate was retrieved.
- The principal ID, public key, digest and security processor.
- The Active Directory Federated Service (ADFS) principals.
- A signature created by using the private key of the AD RMS activation service.
- A certificate chain that contains one or more server licensor certificates and one or more CA certificates.
The following sample shows the basic XrML structure of the certificate, followed by the other members of the chain.
<XrML version="1.2">
  <BODY type="LICENSE" version="3.0">
    <ISSUEDTIME>
    <VALIDITYTIME>
    <DESCRIPTOR>
    <ISSUER>
    <DISTRIBUTIONPOINT>
    <ISSUEDPRINCIPALS>
    <FEDERATIONPRINCIPALS>
  </BODY>
  <SIGNATURE>
    <DIGEST>
    <ALGORITHM />
    <VALUE />
  </SIGNATURE>
</XrML>
<XrML version="1.2"> <!-- server licensor certificate -->
<XrML version="1.2"> <!-- DRM-CA-Certificate -->
Rights Account Certificate Store
The location of the certificate store depends on the client version:
- AD RMS on Windows Vista and Windows Server 2008 using the client lockbox: %USERPROFILE%\AppData\Local\Microsoft\DRM
- RMS client 1.0 SP2 using the client lockbox: %USERPROFILE%\Local Settings\Application Data\Microsoft\DRM
Rights Account Certificate XML Example
The following example shows an XrML rights account certificate (RAC) chain. The RAC was issued to the user account someone@example.com by the AD RMS server named EXAMPLESRV2008. To see an actual RAC, activate the user, navigate to the appropriate Rights Account Certificate Store, and open the certificate file. The file name format for a RAC in the Pre-production hierarchy is GIC-<user account>-<user ID GUID>.drm. For example, the following RAC was saved in the file named GIC-someone@example.com-%7Bf39c5f0b-b861-460c-8a21-b8a0b9a9c568%7D.drm
<XrML version="1.2">
  <BODY type="LICENSE" version="3.0">
    <ISSUEDTIME>2008-03-17T16:04</ISSUEDTIME>
    <VALIDITYTIME>
      <FROM>2008-03-16T16:04</FROM>
      <UNTIL>2009-03-17T16:04</UNTIL>
    </VALIDITYTIME>
    <DESCRIPTOR>
      <OBJECT type="Group-Identity-Credential">
        <ID type="MS-GUID">
          {f39c5f0b-b861-460c-8a21-b8a0b9a9c568}
        </ID>
      </OBJECT>
    </DESCRIPTOR>
    <ISSUER>
      <OBJECT type="MS-DRM-Server">
        <ID type="MS-GUID">
          {e03ee46f-e62a-48d7-81f0-2d8d5d522c9d}
        </ID>
        <NAME>EXAMPLESRV2008</NAME>
        <ADDRESS type="URL">HTTP://example.com:80/_wmcs</ADDRESS>
      </OBJECT>
      <PUBLICKEY>
        <ALGORITHM>RSA</ALGORITHM>
        <PARAMETER name="public-exponent">
          <VALUE encoding="integer32">65537</VALUE>
        </PARAMETER>
        <PARAMETER name="modulus">
          <VALUE encoding="base64" size="1024">
            1fn3bqaD3kdFtl+uo1mc/PKPNZyIjJ+KN+EACM72bSZwswcUTc8u75H
            0rllk9bgonpFTt9MCdfl7f+NC2OuWv2rC9nuBKt6CN/wMEVpF+ByjkU
            zMTA1Ktu/ziS4BJ9L7t1bUWEqa3nWb1B6MV/M+jeNgjiRMpGi+vzn3s
            D/d8Oo=
          </VALUE>
        </PARAMETER>
      </PUBLICKEY>
      <SECURITYLEVEL name="Server-Version" value="6.0.0.0" />
      <SECURITYLEVEL name="Server-SKU" value="RMS 2.0" />
    </ISSUER>
    <DISTRIBUTIONPOINT>
      <OBJECT type="Activation">
        <ID type="MS-GUID">
          {8BA9EA80-99E4-4a2b-9764-4CD84F77C3A0}
        </ID>
        <NAME>Microsoft Identity Certification Server</NAME>
        <ADDRESS type="URL">
          http://example.com/_wmcs/certification
        </ADDRESS>
      </OBJECT>
    </DISTRIBUTIONPOINT>
    <ISSUEDPRINCIPALS>
      <PRINCIPAL internal-id="1">
        <OBJECT type="Group-Identity">
          <ID type="Windows">
            S-1-5-21-1226287486-3652005974-3671177567-1114
          </ID>
          <NAME>someone@example.com</NAME>
        </OBJECT>
        <PUBLICKEY>
          <ALGORITHM>RSA</ALGORITHM>
          <PARAMETER name="public-exponent">
            <VALUE encoding="integer32">65537</VALUE>
          </PARAMETER>
          <PARAMETER name="modulus">
            <VALUE encoding="base64" size="1024">
              raMBBHBY7UbNE0bHh1Mc2G2LjBQfI/x/scBACTAm6Y12K+xQlve3p
              NlcnFcuPrfguSpNrXq3bdk+zdONH92zzxSlwqvVXqubwNinLESusH
              snpcVPGkPLV3PqxZ/JHOiEWKoLPkigNHGfatrBbnofCqRQhiG6it7
              FbHvNMRAgxbE=
            </VALUE>
          </PARAMETER>
        </PUBLICKEY>
        <SECURITYLEVEL name="Group-Identity-Credential-Type" value="Persistent" />
        <SECURITYLEVEL name="Group-Identity-Policy" value="Group-Identity-Credential" />
        <SECURITYLEVEL name="Group-Identity-Type" value="Group" />
      </PRINCIPAL>
    </ISSUEDPRINCIPALS>
    <FEDERATIONPRINCIPALS>
      <PRINCIPAL>
        <OBJECT type="Machine-Unique-Identifier">
          <ID type="MS-GUID">
            {8a0acfdb-b60f-49bd-a781-f6b41e876219}
          </ID>
          <NAME>Machine</NAME>
        </OBJECT>
        <ENABLINGBITS type="sealed-key">
          <VALUE encoding="base64" size="6144">
            ox7jiE7iXtnP5Q4p/ZPfh4VAP5sFh/wI+8XsK94+KBO8yfwytsNCoUP
            JU3twWHoBNTIdbVCvSFFmhp+Uw71rHCB22Ud3ZUaV81a5ZjbsyFltiu
            FFUOeqOKUGXQwKHrVcb6Yi2rEOmimKoBr1S/SP99g5D3xEZjxslFI8q
            F3PblXdysVm8alF+KiLkWLO0B+doTd+7OnL48H1xQZnUFLVy2uBp+s5
            JJDLd1+38Oj/qjl992EhHZMvle567g+vRLQ4pabIrtZnIw/hAa0yBWP
            FlRNJ6v0qsj1FeM4mRiKYvGazyVDEYX+Js1sc1RUY4XNLo7tPlBt/4q
            JHHhuGhX2jltXRKTQprlofb/ZnTfme+rBNKX5Rzd3+fjp0dFjdllfMG
            Z5J+Z6PSwAAs9ojlner6j2kv88yHx700ZaTdCxhKPEVL9IyNPjFUHo/
            b+499DIPu7tp2E3DlEEusnsnwZqIehpt8tghLzfUMM2YJe3T1poKVF0
            SWjVfr2OKRZ3qQPdI+/3/cQzaGirgvRDuifJGduzLqZ2uABKwqYv2zP
            ELKOKPuDWqckhgj83n/EYtyM/beCz0ZmEGHdAEmXFHr701t7heGI9aQ
            jUwNjWmpwMUKTgKGfA0dNq4cJk1p/VO1+b2TS3yAC2jtwA5ZaejrQ8g
            2H/S2D82ht8A9tGUjDfoqn4T2RN1laLXGwbzAto31I4kUWpcziakJ+/
            XNBH4F961d6177Sie1IkGiLGnMSM3nmpdQPjad/z8YS3fPcE+LkbaP8
            vmXZl4GY6nNSvkvTT/nxhFfn/Fm17HFvjovBhSB6NOFzkSiuXDcPXlU
            X/BTGZk0p8j4yXQNtO9b3H+OtGEuwqnD8S69tIrpH+jpl/VCFXFKp3M
            rcVUZfjhBGfZHapCul5dZfir32dU6bkTD/FmSbSVClr5rO7/sZ/Wlvl
            lv4mw/gg642EnvzURDMFFZb+XYALFGdvMt3kZevK4o5hCE0yEP2PtAb
            fWv1jpseo3nNRC/mMsv8nXgcdW1MKbuKEH
          </VALUE>
        </ENABLINGBITS>
        <SECURITYLEVEL name="Manufacturer" value="Microsoft Corporation mcoregen DLL 6.0.5840.16389 (RMS Client v2.0 Desktop Security Processor)" />
        <SECURITYLEVEL name="Platform" value="2.6.0.6000" />
        <SECURITYLEVEL name="Repository" value="Microsoft Corporation Windows RMS Client v2.0 secure repository 6.0.5840.16389" />
      </PRINCIPAL>
    </FEDERATIONPRINCIPALS>
  </BODY>
  <SIGNATURE>
    <DIGEST>
      <ALGORITHM>SHA1</ALGORITHM>
      <PARAMETER name="codingtype">
        <VALUE encoding="string">surface-coding</VALUE>
      </PARAMETER>
      <VALUE encoding="base64" size="160">
        Xc+84uqrehgkwjwHGAedTv7UeK0=
      </VALUE>
    </DIGEST>
    <ALGORITHM>RSA PKCS#1-V1.5</ALGORITHM>
    <VALUE encoding="base64" size="1024">
      SaZvQJOL9D478f5sxLq3Jdn5ZB11oHvfKr8xa3oPI5xwmFnnsol+rTJKWYP
      K0lyfRhpqobgQmqtx9HaVGp/kK5HcPoMFVp8RRnbKogZDZVX3lKMq+vJeJb
      RIassz6TZQICTBcf0QL/ba3qVNYGP3kl3LyRAK/DaHsD1w5XXAfmk=
    </VALUE>
  </SIGNATURE>
</XrML>
<XrML version="1.2"> <!-- server licensor certificate -->
  ...
</XrML>
<XrML version="1.2"> <!-- DRM-CA-Certificate -->
  ...
</XrML>
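The RAC elements listed earlier and the example chain above can be inspected programmatically, which is useful when auditing which accounts are activated on a machine. The following Python is an added example, not code from the AD RMS SDK or from this page: it splits a certificate chain into its XrML members and reads the RAC's principal, issuer, validity window and signature algorithms from a constructed sample that mirrors the example RAC (key and signature values elided; the chain is assumed to carry no per-document XML declarations).

```python
"""Inspect an AD RMS rights account certificate (RAC) chain (added example, not SDK code).
A .drm file is a sequence of <XrML> documents, not one XML document, so wrap it first."""
from datetime import datetime
import xml.etree.ElementTree as ET

TIME_FMT = "%Y-%m-%dT%H:%M"  # XrML timestamps on the page carry no seconds

# Constructed sample: the page's RAC with key/signature values elided, plus two stub chain members.
SAMPLE_CHAIN = """<XrML version="1.2">
 <BODY type="LICENSE" version="3.0">
  <ISSUEDTIME>2008-03-17T16:04</ISSUEDTIME>
  <VALIDITYTIME><FROM>2008-03-16T16:04</FROM><UNTIL>2009-03-17T16:04</UNTIL></VALIDITYTIME>
  <DESCRIPTOR><OBJECT type="Group-Identity-Credential">
   <ID type="MS-GUID"> {f39c5f0b-b861-460c-8a21-b8a0b9a9c568} </ID></OBJECT></DESCRIPTOR>
  <ISSUER><OBJECT type="MS-DRM-Server"><NAME>EXAMPLESRV2008</NAME>
   <ADDRESS type="URL">HTTP://example.com:80/_wmcs</ADDRESS></OBJECT></ISSUER>
  <ISSUEDPRINCIPALS><PRINCIPAL internal-id="1"><OBJECT type="Group-Identity">
   <ID type="Windows">S-1-5-21-1226287486-3652005974-3671177567-1114</ID>
   <NAME>someone@example.com</NAME></OBJECT></PRINCIPAL></ISSUEDPRINCIPALS>
 </BODY>
 <SIGNATURE><DIGEST><ALGORITHM>SHA1</ALGORITHM></DIGEST><ALGORITHM>RSA PKCS#1-V1.5</ALGORITHM></SIGNATURE>
</XrML>
<XrML version="1.2"><!-- server licensor certificate --></XrML>
<XrML version="1.2"><!-- DRM-CA-Certificate --></XrML>"""

def split_chain(text):
    """Return the <XrML> elements of a chain in order (RAC first); assumes no XML declarations."""
    return list(ET.fromstring("<CHAIN>" + text + "</CHAIN>"))

def parse_rac(rac):
    """Read the identifying, issuer, validity and signature fields of a RAC element."""
    body = rac.find("BODY")
    when = lambda path: datetime.strptime(body.findtext(path).strip(), TIME_FMT)
    principal = body.find("ISSUEDPRINCIPALS/PRINCIPAL/OBJECT")
    return {
        "rac_guid": body.findtext("DESCRIPTOR/OBJECT/ID").strip(),
        "user": principal.findtext("NAME").strip(),
        "sid": principal.findtext("ID").strip(),
        "issuer": body.findtext("ISSUER/OBJECT/NAME").strip(),
        "issuer_url": body.findtext("ISSUER/OBJECT/ADDRESS").strip(),
        "issued": when("ISSUEDTIME"),  # on the page, FROM is a day before ISSUEDTIME
        "valid_from": when("VALIDITYTIME/FROM"),
        "valid_until": when("VALIDITYTIME/UNTIL"),
        "digest_alg": rac.findtext("SIGNATURE/DIGEST/ALGORITHM").strip(),
        "sig_alg": rac.findtext("SIGNATURE/ALGORITHM").strip(),
    }

def is_valid_at(info, iso_time):
    """True when iso_time (YYYY-MM-DDTHH:MM) lies inside the RAC's validity window."""
    return info["valid_from"] <= datetime.strptime(iso_time, TIME_FMT) <= info["valid_until"]
```

Pointing `split_chain` at the contents of a GIC-*.drm file from the store lists every chain member, and `parse_rac` on the first one reports who is activated, by which server, and until when.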