An Active Directory Rights Management Services (AD RMS) rights account certificate (RAC) identifies a user account by signing it into the Pre-production or Production certificate hierarchy. Each RAC is tied to the machine certificate of the computer on which the user is activated. A RAC and a machine certificate must exist before an end-user license can be created and content encrypted or decrypted. A user can have more than one RAC on a computer, one for each AD RMS service against which the user is activated, but the user cannot transfer a RAC between computers. For more information, see Activate a User Account. A RAC can contain the following elements:
- The issuance date and time.
- The period over which the certificate is valid.
- A certificate type ID and name.
- The name and ID of the issuer.
- The location from which the certificate was retrieved.
- The principal ID, public key, digest and security processor.
- The Active Directory Federated Service (ADFS) principals.
- A signature created by using the private key of the AD RMS activation service.
- A certificate chain that contains one or more server licensor certificates and one or more CA certificates.
The following diagram shows the basic XrML structure of the certificate; elements whose children are collapsed in the diagram are shown as their opening tag only, and the certificate chain follows the RAC as separate XrML documents. For a more complete example, see Rights Account Certificate XML Example.

    <XrML xmlns="" version="1.2">
      <BODY type="LICENSE" version="3.0">
        <ISSUEDTIME>
        <VALIDITYTIME>
        <DESCRIPTOR>
        <ISSUER>
        <DISTRIBUTIONPOINT>
        <ISSUEDPRINCIPALS>
        <FEDERATIONPRINCIPALS>
      </BODY>
      <SIGNATURE>
        <DIGEST>
        <ALGORITHM />
        <VALUE />
      </SIGNATURE>
    </XrML>
    <XrML xmlns="" version="1.2"> <!-- server licensor certificate -->
    <XrML xmlns="" version="1.2"> <!-- server licensor certificate -->
    <XrML xmlns="" version="1.2"> <!-- DRM-CA-Certificate -->
    <XrML xmlns="" version="1.2"> <!-- DRM-CA-Certificate -->
See Also
- Activating a User
- Rights Account Certificate XML Example
- Rights Account Certificate Store
Build date: 6/25/2009