Activating a User
[The AD RMS SDK leveraging functionality exposed by the client in Msdrm.dll is available for use in Windows Server 2008, Windows Vista, Windows Server 2008 R2, Windows 7, Windows Server 2012, and Windows 8. It may be altered or unavailable in subsequent versions. Instead, use Active Directory Rights Management Services SDK 2.0, which leverages functionality exposed by the client in Msipc.dll.]
Before a user can encrypt or decrypt content, the user's Active Directory account must be signed into the Active Directory Rights Management Services (AD RMS) Pre-production or Production certificate hierarchy. This process, called activating a user account, returns a certificate chain. The root of the chain is a Microsoft certification authority (CA) certificate, and the chain ends with a signed rights account certificate (RAC) that uniquely identifies the account. You can use the DRMActivate function to activate a user. This is an asynchronous function that returns immediately to your application while processing the activation request on another thread. It delivers the result to a callback function that you must create. For more information, see Creating a Callback Function.
Before you can activate a user account, you must activate the computer that the user has logged onto and retrieve a machine certificate. For more information, see Activating a Computer. Because the private key associated with the RAC is encrypted by using the public key in the machine certificate, the RAC cannot be used on another activated computer.
The following topics discuss user activation and rights account certificates in more detail.
|Rights Account Certificates||Discusses the general XrML contents of a rights account certificate.|
|Rights Account Certificate Store||Lists the certificate stores by operating system and AD RMS version.|
|Rights Account Certificate XML Example||Contains a complete XrML certificate example.|
|Rights Account Certificate Code Example||Contains a C++ example that activates a user account.|