AD RMS Certificates and Licenses
The AD RMS components use certificates and licenses to establish identity and allow clients to work with protected content. The following list shows certificates and licenses that AD RMS uses:
• Server Licensor Certificate: This is the certificate created when the AD RMS server cluster is initially created. This certificate signs all of the licenses and certificates granted by the cluster. It contains the public key of the server and can be exported to establish a trust with other AD RMS clusters.
• Machine certificate: On each client computer, the first time an AD RMS-enabled application is used, a machine certificate is created. The machine certificate contains the public key of the client computer.
• Rights Account Certificate: When a user first attempts to consume protected content, the AD RMS client obtains a rights account certificate (RAC) from the AD RMS cluster. By default, a standard RAC is valid for 365 days.
• Client licensor certificate: The client licensor certificate (CLC) is obtained by the client computer while it is connected to the corporate network where the AD RMS cluster resides. It gives the user the right to publish protected content when not connected to the corporate network.
• Publishing license: When an AD RMS client saves rights-protected content, a publishing license is created. The license contains the authorized users who can view the content, the conditions attached to the content (for example, requiring a connection to verify a user’s permission upon opening), and the actual rights that the authorized users have to the content (for example, read only or the ability to print).
• Use license: The use license contains the rights that apply to the protected content. The license relies on the RAC being present. If the RAC is not present, the use license cannot open the protected content.
How AD RMS works
This is always a pain point for IT administrators: how does AD RMS actually work? Here I am going to explain the AD RMS workflow.
1. When the author initially protects content, the AD RMS cluster issues a RAC and a client licensor certificate (CLC). This establishes the author’s AD RMS credentials. The author can now publish secure information offline.
2. The author creates a file and specifies usage rights and conditions by using an AD RMS–enabled application. A publishing license that contains the usage policies is generated. The publishing license is tied to the protected file.
3. The application encrypts the file with a symmetric key, which is encrypted by the public key of the AD RMS cluster. The encrypted key is inserted into the publishing license and the publishing license is bound to the file.
4. The author distributes the file. Some distribution methods are email, SharePoint document libraries, and file servers.
5. A recipient obtains the protected file and opens it by using an AD RMS–enabled application. If the recipient does not have a RAC on the current computer, a RAC is issued from the AD RMS cluster.
6. The application requests a use license. This request is sent to the AD RMS cluster that issued the publishing license for the secured information.
7. The AD RMS cluster confirms that the recipient is authorized, checks that the recipient is a named user, and creates a use license. The server decrypts the symmetric key by using the private key of the server, re-encrypts the symmetric key by using the public key of the recipient, and then adds the encrypted symmetric key to the use license. The use license also includes the content expiration (if applicable).
8. After the confirmation is complete, the licensing server returns the use license to the recipient’s client computer.
9. After receiving the use license, the application verifies the license and the account certificate of the recipient. This helps determine whether any certificate, in either chain of trust, requires a revocation list. If required, the application checks for a local copy of the revocation list that has not expired. If required, it retrieves a current copy of the revocation list. The application then applies any relevant revocation conditions in the current context. If the revocation conditions allow access to the file, the application renders the data. Users can then apply their granted rights.
Deploying and Configuring Active Directory Rights Management Services 6-9
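The key handling in steps 3, 7 and 9 above (a fresh symmetric content key wrapped to the cluster's public key in the publishing license, then unwrapped by the cluster and re-wrapped to the recipient's RAC public key in the use license) as an added Go example; this is not code from the original post or from AD RMS itself. The license structures, the choice of AES-256-GCM and RSA-OAEP, and the function names are assumptions made for the example; real AD RMS licenses are signed XrML documents issued under the cluster's server licensor certificate, which this simplification omits.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// PublishingLicense is a constructed, simplified model of the policy the author binds to a file.
type PublishingLicense struct {
	Users      map[string]bool // named users the author authorised
	WrappedKey []byte          // content key encrypted (RSA-OAEP) to the cluster's public key
}
// aead is AES-256-GCM; the zero nonce is safe here only because each content key is fresh and used once.
func aead(key []byte) (cipher.AEAD, []byte) {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g, make([]byte, g.NonceSize())
}
// Protect (author, steps 2-3): fresh symmetric key, content sealed, key wrapped to the cluster.
func Protect(content []byte, users map[string]bool, cluster *rsa.PublicKey) ([]byte, PublishingLicense, error) {
	key := make([]byte, 32)
	rand.Read(key)
	g, nonce := aead(key)
	w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, cluster, key, nil)
	return g.Seal(nil, nonce, content, nil), PublishingLicense{users, w}, err
}
// IssueUseLicense (cluster, step 7): the use license is the content key unwrapped with the cluster's
// private key and re-wrapped to the recipient's RAC public key; a recipient who is not named is refused.
func IssueUseLicense(pl PublishingLicense, user string, rac *rsa.PublicKey, cluster *rsa.PrivateKey) ([]byte, error) {
	if !pl.Users[user] {
		return nil, errors.New("recipient is not a named user in the publishing license")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, cluster, pl.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, rac, key, nil)
}
// Consume (recipient, step 9): only the holder of the RAC private key can unwrap the use license.
func Consume(ct, useLicense []byte, rac *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, rac, useLicense, nil)
	if err != nil {
		return nil, err
	}
	g, nonce := aead(key)
	return g.Open(nil, nonce, ct, nil)
}
```

Note that the cluster never sees the plaintext: it handles only the content key, which is why a recipient with a different RAC key, or one the publishing license does not name, gets nothing usable.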
Best explanation of RMS I have found on the internet! Thanks dude, keep it up :)