RMS Account Certification

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The account certification process creates a rights account certificate, which associates a user account with a specific computer and allows the user to consume rights-protected content from that computer. The first time that a user publishes rights-protected content or attempts to consume rights-protected content from a client computer, the RMS-enabled application sends a request for a rights account certificate to the RMS account certification service.

The certification service can authenticate the user by using either Windows authentication or an X.509 certificate that is stored in a hardware encryption device such as a smart card. Once the user is authenticated, the RMS root cluster creates a rights account certificate for the user that is based on their authenticated credentials. It encrypts the user's private key with the public key of the client computer's RMS machine certificate, and includes the encrypted key in the rights account certificate. It then issues the rights account certificate to the requesting application, which stores the rights account certificate on the computer or device so that it is available for subsequent publishing or use license requests. The rights account certificate is also stored in the configuration database.

Account certification follows the machine activation process because the RMS machine certificate of the client computer is required to request the rights account certificate.

Users must acquire a rights account certificate for each computer that they use. If a user works at more than one computer, a unique rights account certificate is issued for each computer, but all of the computers contain the same key pair for that user.

When an RMS-enabled application requests a use license, it includes the rights account certificate in the request. The licensing service uses the public key of the rights account certificate to encrypt the content key; this ensures that only the authenticated user can use the use license.

The account certification process involves the following steps:

  1. The first time that a user publishes rights-protected content or tries to consume rights-protected content on a given computer, the RMS-enabled application sends a request for a rights account certificate to the account certification service that is running on the root cluster.

  2. The account certification service authenticates the user by using Windows authentication.

  3. The account certification service creates a rights account certificate for the user that is based on their authenticated credentials. It encrypts the user's private key with the RMS machine certificate's public key, and includes the encrypted key in the certificate. It then issues the rights account certificate to the requesting application.

  4. The application stores the rights account certificate on the computer or device, so that it is available for subsequent publishing or use license requests.
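The key chain that the paragraphs and steps above describe (user private key wrapped to the machine certificate's public key inside the RAC; content key in the use license encrypted to the RAC's public key) can be modelled end to end. The following is an added illustration, not Microsoft's code and not the XrML format RMS actually uses: textbook RSA with small, publicly known primes stands in for the machine and user key pairs, the dataclass names and the `demo` function are this example's own, and the content key and user name are constructed values. It shows why a RAC issued on one machine yields the content key only when the wrapped user key is unwrapped with that machine's private key.

```python
# Added example (not Microsoft's code): toy model of the RMS account
# certification key chain. Textbook RSA with small public primes is used so
# the block runs with the standard library only; it is insecure by design.

from dataclasses import dataclass

E = 65537  # common RSA public exponent


@dataclass(frozen=True)
class KeyPair:
    n: int  # modulus (public)
    e: int  # public exponent
    d: int  # private exponent (0 when only the public half is known)


def make_keypair(p: int, q: int, e: int = E) -> KeyPair:
    """Textbook RSA key generation from two primes (toy sizes, constructed)."""
    phi = (p - 1) * (q - 1)
    return KeyPair(n=p * q, e=e, d=pow(e, -1, phi))


def rsa_encrypt(pub: KeyPair, m: int) -> int:
    assert 0 <= m < pub.n, "message must be smaller than the modulus"
    return pow(m, pub.e, pub.n)


def rsa_decrypt(priv: KeyPair, c: int) -> int:
    return pow(c, priv.d, priv.n)


@dataclass(frozen=True)
class RightsAccountCertificate:
    user: str
    machine_n: int        # modulus of the machine certificate the RAC is bound to
    user_n: int           # user's public key
    user_e: int
    wrapped_user_d: int   # user's private key, encrypted to the machine public key


def issue_rac(user: str, user_key: KeyPair, machine_pub: KeyPair) -> RightsAccountCertificate:
    """Step 3: the certification service wraps the user's private key with the
    RMS machine certificate's public key and embeds it in the RAC."""
    return RightsAccountCertificate(
        user=user,
        machine_n=machine_pub.n,
        user_n=user_key.n,
        user_e=user_key.e,
        wrapped_user_d=rsa_encrypt(machine_pub, user_key.d),
    )


def issue_use_license(rac: RightsAccountCertificate, content_key: int) -> int:
    """Licensing service: encrypt the content key to the RAC's public key, so
    only the holder of the matching (wrapped) private key can recover it."""
    return rsa_encrypt(KeyPair(n=rac.user_n, e=rac.user_e, d=0), content_key)


def consume(rac: RightsAccountCertificate, machine_priv: KeyPair, encrypted_content_key: int) -> int:
    """Client side: unwrap the user private key with the machine private key,
    then recover the content key from the use license."""
    user_d = rsa_decrypt(machine_priv, rac.wrapped_user_d)
    user_priv = KeyPair(n=rac.user_n, e=rac.user_e, d=user_d)
    return rsa_decrypt(user_priv, encrypted_content_key)


# Constructed toy keys built from well-known primes; never use such sizes.
MACHINE_A = make_keypair(4294967291, 4294967311)
MACHINE_B = make_keypair(2147483647, 4294967291)
USER_ALICE = make_keypair(1000000007, 998244353)


def demo() -> tuple:
    """Issue a RAC for a user on machine A, then try to consume a use license
    on machine A (succeeds) and on machine B (yields garbage, not the key)."""
    rac = issue_rac("alice@example.com", USER_ALICE, MACHINE_A)  # constructed user
    content_key = 0x1234567890ABCD  # constructed symmetric content key
    license_key = issue_use_license(rac, content_key)
    on_a = consume(rac, MACHINE_A, license_key)
    on_b = consume(rac, MACHINE_B, license_key)
    return content_key, on_a, on_b


if __name__ == "__main__":
    ck, a, b = demo()
    print("machine A recovers content key:", a == ck)
    print("machine B recovers content key:", b == ck)
```

The model mirrors the two encryption layers the text describes: the certification service never hands out the user's private key in the clear, and the licensing service never needs the machine key at all; the binding to one computer comes purely from which public key wrapped the user's private key.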

The account certification service that the client uses to request the rights account certificate (RAC) depends on the type of computer the RMS client is installed on. Standard desktop computers connect to the account certification service (certification.asmx). Server services that have been enabled for use with RMS with SP1 or later receive RACs from the server certification service (ServerCertification.asmx). Only the account certification service is enabled in a default installation of RMS with SP1 or later.

For more information about using RMS with SP1 or later with server services, see "Enabling RMS Server Support for Server Services" in the "RMS: Operations" section of this document collection.