How Microsoft Rights Management Service (RMS) works

A user logs on to a machine and contacts RMS to get a RAC (Rights Account Certificate), which identifies the user in the RMS system. The RAC contains both a public key and a private key, and it is sent to the client encrypted with the machine public key. RACs are:

o Unique per user per application

o Needed whenever a CLC or a use license is requested

There are now two scenarios:

· A user is using an RMS-enabled application that can issue RMS publishing licenses: in this case the user contacts RMS and presents the RAC, and RMS issues a Client Licensor Certificate (CLC). The CLC contains both the internal and external URLs of the RMS licensing server, which are needed when the document is consumed. The application can then use this CLC to publish protected content without contacting the RMS server each time.

· A user is using an RMS-enabled application that cannot issue RMS publishing licenses: in this case no CLC is issued to the user, so the user must contact RMS each time a protected document is created, and the RMS server issues a publishing license for each document online.

When a publishing license is created, it contains the rights applied to the document along with the symmetric key used to encrypt the document. All of this is encrypted with the RMS server public key, which ensures that only the RMS server can decrypt it and issue a use license.

A publishing license is signed by the private key of the issuing server, or by the private key of the client licensor certificate in the case of offline publishing. The publishing license contains the internal and external URLs of the licensing server that must be contacted to obtain the use licenses needed to open the document.

When other users need to access the protected document, their client uses the internal and external URLs in the publishing license to contact the RMS licensing server. Only users with a trusted RAC whose names appear in the publishing license can obtain a use license.

Who can enroll for a RAC

Any user that:

1. Can discover the RMS server

2. Has an account with a mailbox or e-mail attribute

How users can discover RMS servers

1. Domain-joined machines with AD connectivity use the SCP (service connection point) in AD

2. Registry overrides

http://blogs.technet.com/rmssupp/archive/2007/07/13/rms-testing-rms-without-modifying-the-ad.aspx

3. If the user consumes a protected document, the publishing license carries the external and internal URLs of the RMS server.

Who can publish protected content?

Any user with a valid, trusted RAC and CLC, whether or not he has RMS connectivity and whether or not he can discover RMS servers, since he can publish the document offline (if the RMS application supports offline publishing).

Who can consume the content?

If any user receives RMS content, that content carries the publishing license. The publishing license contains the internal and external URLs of the RMS licensing server.

If the user can then provide a valid account (with a mailbox or e-mail attribute), the user enrolls for a RAC if he does not have one yet and gets access to the document. If the user already has a valid RAC, or a trusted RAC from Microsoft .NET services, then RMS issues the use license immediately.

Example:

A home machine, never joined to the domain and with Internet access only. A company user logs on to the machine and opens an RMS-protected e-mail. The e-mail carries a publishing license that points to the RMS server; the user is prompted for a username and password by the company's published RMS services, is enrolled for a RAC, and is issued a use license for that e-mail.
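The publishing and consumption steps described above (offline publishing signed with the CLC, the content key sealed to the server public key, and the licensing server's checks before it issues a use license) are shown end to end in the following added example. It is not code from the post or from Microsoft: RACs and CLCs are reduced to RSA key pairs the server remembers, licenses are JSON rather than XrML, the content is protected with AES-GCM, and all names, URLs and rights strings are constructed for the illustration.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// PublishingLicense travels with the protected document.
type PublishingLicense struct {
	LicensingURLs []string            // internal and external licensing server URLs
	Rights        map[string][]string // user e-mail -> granted rights
	WrappedKey    []byte              // content key, encrypted to the RMS server public key
	Signer        string              // user whose CLC signed it (offline publishing)
	Signature     []byte              // CLC signature over all fields above
}
// UseLicense is what the licensing server returns to an authorised consumer.
type UseLicense struct {
	Rights     []string
	WrappedKey []byte // content key re-encrypted to the consumer's RAC public key
}
// Server owns the licensing key pair and remembers the RACs and CLCs it issued ("trusted").
type Server struct {
	key        *rsa.PrivateKey
	racs, clcs map[string]*rsa.PublicKey
}

func NewServer() *Server {
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	return &Server{key: k, racs: map[string]*rsa.PublicKey{}, clcs: map[string]*rsa.PublicKey{}}
}
func (s *Server) PublicKey() *rsa.PublicKey { return &s.key.PublicKey }

// issue models enrolment (an account with a mailbox or e-mail attribute); the private key is
// handed back in the clear here, where real RMS sends it encrypted to the machine key.
func issue(store map[string]*rsa.PublicKey, email string) *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	store[email] = &k.PublicKey
	return k
}
func (s *Server) IssueRAC(email string) *rsa.PrivateKey { return issue(s.racs, email) }
func (s *Server) IssueCLC(email string) *rsa.PrivateKey { return issue(s.clcs, email) }

// tbs returns the bytes the CLC signs: the license with its signature field blanked.
func (pl PublishingLicense) tbs() []byte {
	pl.Signature = nil // value receiver, so only this copy changes
	b, _ := json.Marshal(pl)
	return b
}

// Publish protects content offline: only the server public key and the publisher's CLC are needed.
func Publish(content []byte, rights map[string][]string, urls []string,
	serverPub *rsa.PublicKey, publisher string, clc *rsa.PrivateKey) (PublishingLicense, []byte, error) {
	key := make([]byte, 32) // per-document AES-256 key
	rand.Read(key)
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	ct := gcm.Seal(nonce, nonce, content, nil) // nonce || ciphertext || tag
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, key, nil)
	if err != nil { return PublishingLicense{}, nil, err }
	pl := PublishingLicense{LicensingURLs: urls, Rights: rights, WrappedKey: wrapped, Signer: publisher}
	h := sha256.Sum256(pl.tbs())
	pl.Signature, err = rsa.SignPKCS1v15(rand.Reader, clc, crypto.SHA256, h[:])
	return pl, ct, err
}

// IssueUseLicense applies the post's rules: a valid signature from a CLC this server issued,
// a trusted RAC for the requester, and the requester's name in the license. Only the server
// key can recover the content key, which is then re-wrapped to the requester's RAC.
func (s *Server) IssueUseLicense(pl PublishingLicense, requester string) (UseLicense, error) {
	clcPub, ok := s.clcs[pl.Signer]
	h := sha256.Sum256(pl.tbs())
	if !ok || rsa.VerifyPKCS1v15(clcPub, crypto.SHA256, h[:], pl.Signature) != nil {
		return UseLicense{}, fmt.Errorf("license from %q is not validly signed by a known CLC", pl.Signer)
	}
	racPub, ok := s.racs[requester]
	if !ok { return UseLicense{}, fmt.Errorf("%s has no trusted RAC", requester) }
	rights, ok := pl.Rights[requester]
	if !ok { return UseLicense{}, fmt.Errorf("%s is not named in the publishing license", requester) }
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.key, pl.WrappedKey, nil)
	if err != nil { return UseLicense{}, err }
	rewrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, racPub, key, nil)
	return UseLicense{Rights: rights, WrappedKey: rewrapped}, err
}

// Consume unwraps the content key with the consumer's RAC and opens the document.
func Consume(ul UseLicense, rac *rsa.PrivateKey, ct []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, rac, ul.WrappedKey, nil)
	if err != nil { return nil, err }
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	n := gcm.NonceSize()
	return gcm.Open(nil, ct[:n], ct[n:], nil)
}

func main() { // stand-alone run of the home-machine scenario: publish offline, then consume
	s := NewServer()
	clc, rac := s.IssueCLC("alice@contoso.example"), s.IssueRAC("bob@contoso.example")
	pl, ct, _ := Publish([]byte("Q3 forecast"), map[string][]string{"bob@contoso.example": {"VIEW"}},
		[]string{"https://rms.contoso.example/_wmcs/licensing"}, s.PublicKey(), "alice@contoso.example", clc)
	ul, _ := s.IssueUseLicense(pl, "bob@contoso.example")
	pt, err := Consume(ul, rac, ct)
	fmt.Println(string(pt), err)
}
```

The signature over the whole license is what lets the server trust an offline-published document: if a recipient adds his own name to the rights list, the CLC signature no longer verifies and no use license is issued, and a recipient without a RAC from this server is refused before any key is unwrapped.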
