End-User License Acquisition
End-user licenses allow a permitted user to access protected content. An end-user license is acquired by using a signed issuance license that is created by the content publisher. Typically, protected content comes packaged with a signed issuance license (perhaps in a single file). The consumer submits this issuance license to an online licensing service to get an end-user license for the content. The application and publisher are responsible for storing issuance licenses; Active Directory Rights Management Services (AD RMS) does not handle storage of issuance licenses. An end-user license, however, can be stored either by the application (typically bound into the protected file in clear text), or stored by the AD RMS client in its license store, which is a permanent disk storage location maintained for each user. For more information about license storage, see License Management.
The AD RMS client API also supports the preacquisition, or delegated acquisition, of end-user licenses. Preacquisition is when a proxy, such as an e-mail program, gets an end-user license for a set of end-users, and AD RMS generates a rights account certificate key pair for any end-users who do not already have a rights account certificate key. This is done by calling the AcquirePreLicense SOAP method. The AcquirePreLicense method uses a Windows identity, such as a fully-qualified Windows e-mail address or a security identifier (SID), to generate the rights account certificate key pair (if the user does not already have one). This differs from regular licensing, which specifies identities by rights account certificate. Additionally, the AcquirePreLicense method acquires a license that will work on the end-user's machine as soon as the end-user completes the certification step and gets the rights account certificate key pair on the end-user's machine. For more information, see AcquirePreLicense.
The following list shows the steps taken by an AD RMS-enabled application when it opens protected content:
- The application detects that the content is protected. (This can be done in any way appropriate to the application.)
- The application either searches the license store for end-user licenses for the content, or else extracts the end-user license from the protected document itself, depending on how that application stores its licenses.
- If no end-user license is detected, the application then searches for the file's issuance license.
- The application uses this issuance license to acquire an end-user license by using the DRMAcquireLicense function. Because license acquisition can take considerable time, the AD RMS client API uses asynchronous APIs for license acquisition. This function can occur either silently or nonsilently, as determined by a flag in DRMAcquireLicense.
Note Nonsilent license acquisition is supported only in RMS client 1.0. Effective with RMS client 1.0 SP1, nonsilent license acquisition is no longer supported, and MSDRMCtrl.dll is not installed.
Silent license acquisition means that the application makes a license acquisition attempt by using the DRMAcquireLicense function and receives notifications through its callback function, but the DRMAcquireLicense function has no other input except to cancel an attempt in progress. With silent license acquisition, the application submits all the required information at the beginning, so use silent license acquisition when you don't need the application to control the user experience and when no additional user information, such as a credit card number, is needed during license acquisition.
Nonsilent license acquisition means that the application navigates to a license acquisition Web page and requests additional user information. Use nonsilent license acquisition when additional user input is required. The application still calls DRMAcquireLicense, but this function only returns the URL of a Web page that the application must display to the user. The Web page at this URL must host the ActiveX control included with the RMS client installation (MSDRMCtrl.dll). This control works with the application to perform the license acquisition.
An application should first request silent license acquisition; if the silent license acquisition request fails, the application should then request a nonsilent license acquisition.
The license acquisition URLs (LAURLs) for both silent and nonsilent license acquisition can be stored in the signed issuance license, along with a backup silent license acquisition URL in case the first silent license acquisition URL fails. In addition, the application can override any license acquisition URLs in a license by submitting its own in the wszURL parameter of the DRMAcquireLicense function. The license creator has some control over what license acquisition URLs the license will hold, but the final decision about the license acquisition URLs in a license is made by the license issuing service.
For more information, see the following topics.
| Section | Description |
|---|---|
| Silent License Acquisition | Describes license acquisition without additional user input. |
| Nonsilent License Acquisition | Describes license acquisition with additional user input. |
See Also
Silent License Acquisition
Nonsilent License Acquisition
Querying Licenses
About Active Directory Rights Management Services
Send comments about this topic to Microsoft
Build date: 3/13/2008