License Management

The Active Directory Rights Management Services (AD RMS) system physically stores licenses and certificates in various locations in the computer. To make managing these certificates easier, the AD RMS system provides a virtual object, called a license store, that presents a single access point from which you can retrieve or delete all licenses and certificates.

There are two types of license stores: permanent and temporary. Both are accessed through the same object, but objects in the permanent store are physically stored in the computer and can be retrieved at a later time. Items in the temporary license store are held in memory temporarily and are lost when the license store object is deleted.

Certificates stored permanently on the system include rights account certificates (RACs) (many can exist for the same user), end-user licenses (EULs), client licensor certificates, revocation lists, and machine certificates. Issuance licenses are not held in the license store but are handed to the application through the callback function; for an application to store the licenses, it must save the licenses itself. Licenses and certificates are stored in the following locations on your computer:

  • Locations for Licenses and Certificates for AD RMS on Windows Server 2008 and Windows Vista
  • Locations for Licenses and Certificates for RMS Client 1.0 SP1, RMS Client 1.0 SP2, and Server Lockbox
  • Locations for Licenses and Certificates for RMS Client 1.0

Locations for Licenses and Certificates for AD RMS on Windows Server 2008 and Windows Vista

License type: All (including machine certificate)
Physical location:
  For applications using the AD RMS client on Windows Server 2008 or Windows Vista:
    %USERPROFILE%\AppData\Local\Microsoft\DRM
  For applications using the server lockbox:
    %ALLUSERSPROFILE%\Microsoft\DRM\Server\UserSid

Locations for Licenses and Certificates for RMS Client 1.0 SP1, RMS Client 1.0 SP2, and Server Lockbox

License type: All (including machine certificate)
Physical location:
  For applications using the RMS client 1.0 SP1 lockbox:
    %USERPROFILE%\Local Settings\Application Data\Microsoft\DRM
  For applications using the server lockbox:
    %ALLUSERSPROFILE%\Application Data\Microsoft\DRM\Server\UserSid

Locations for Licenses and Certificates for RMS Client 1.0

License type: EULs, RACs, revocation lists, and client licensor certificates
Physical location: %USERPROFILE%\Local Settings\Application Data\Microsoft\DRM\

License type: Machine certificate
Physical location: %ALLUSERSPROFILE%\Application Data\Microsoft\DRM

By default, all licenses issued to a user with a certificate as enabling principal will be stored in the user's license store.

You can add items to either the permanent or temporary license store by using the DRMAddLicense function.

Note: In Rights Management Services client 1.0, you cannot add items to the permanent license store yourself; they can only be added by using DRMActivate (for machine or user certificates), DRMAcquireAdvisories (for revocation lists), or DRMAcquireLicense (for end-user licenses or client licensor certificates).

You can handle licenses yourself by enumerating them from the license store (DRMEnumerateLicense) and deleting them from the store (DRMDeleteLicense).

Issuance Licenses

Issuance licenses are not stored in the license store, so the publishing application must decide where to package the issuance license. A consuming application must use an issuance license at least once, to acquire an end-user license, and may use it to acquire several end-user licenses if the consumer uses the content on several computers or if an end-user license becomes invalid for some reason. Therefore, the consuming application must know exactly where the issuance license for a particular piece of content is stored. There are several ways to do this; here are two:

  • Package the issuance license with the encrypted file.

    This is the most common strategy. The publishing application creates a file that contains the signed issuance license in clear text somewhere at the beginning of the file, followed by the encrypted data. This way, an application knows exactly which license corresponds to the content. However, with this method the consuming application must know the exact format and location of the license and the encrypted data within the file, so it must have access to the file format. For example, imagine an .XYZ format that your consuming application expects to have a clear-text issuance license at the front, followed by ten Unicode zeros, followed by the encrypted content.

  • Send the issuance license separately, and ask the user to find it.

    This option requires saving the signed issuance license with a name that allows the user to identify it as the proper issuance license for the content the user wants to open. The user must then browse the computer, or choose from a list of issuance licenses that the application locates for them. The consuming application can query the signed issuance license to display a content ID that the license applies to.
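The following is an added example (not code from the original page or from the RMS SDK) showing how a consuming application could split the hypothetical .XYZ container described in the first option into its issuance license and its encrypted payload. It assumes "ten Unicode zeros" means ten UTF-16LE NUL code units (20 zero bytes) and that the license is UTF-16LE text; the sample buffer is constructed and is not a real license.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed layout of the hypothetical .XYZ container (not specified by the page):
 *   [signed issuance license, UTF-16LE clear text]
 *   [separator: ten Unicode NUL code units = 20 zero bytes]
 *   [encrypted content]                                                   */
#define XYZ_SEP_BYTES 20u

typedef struct {
    const uint8_t *license;  /* start of the clear-text issuance license */
    size_t license_len;      /* bytes before the separator               */
    const uint8_t *content;  /* start of the encrypted payload           */
    size_t content_len;      /* bytes after the separator                */
} xyz_parts;

/* Locate the license and the encrypted content inside a .XYZ buffer.
 * Returns 1 on success, 0 if the buffer does not match the expected layout.
 * This only locates the license; it does not trust it. The consuming
 * application still hands it to the RMS client, which verifies the
 * signature before an end-user license can be acquired.                   */
int xyz_split(const uint8_t *buf, size_t len, xyz_parts *out)
{
    if (buf == NULL || out == NULL || len < XYZ_SEP_BYTES)
        return 0;
    /* Step by 2 to stay aligned to UTF-16 code units: the zero high byte of
     * the last license character must not be mistaken for the start of the
     * separator, which would shift the content boundary by one byte.       */
    for (size_t i = 0; i + XYZ_SEP_BYTES <= len; i += 2) {
        size_t zeros = 0;
        while (zeros < XYZ_SEP_BYTES && buf[i + zeros] == 0)
            zeros++;
        if (zeros == XYZ_SEP_BYTES) {
            if (i == 0)                /* empty license: reject the file   */
                return 0;
            out->license = buf;
            out->license_len = i;
            out->content = buf + i + XYZ_SEP_BYTES;
            out->content_len = len - i - XYZ_SEP_BYTES;
            return 1;
        }
    }
    return 0;                          /* no separator: not a .XYZ file    */
}

/* Self-check on a constructed sample: a UTF-16LE "<x/>" stand-in for the
 * license, the separator, then four bytes standing in for ciphertext.     */
int xyz_selfcheck(void)
{
    static const uint8_t sample[] = {
        '<', 0, 'x', 0, '/', 0, '>', 0,                  /* license (8 bytes) */
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
        0xDE, 0xAD, 0xBE, 0xEF };                        /* encrypted content */
    xyz_parts p;
    if (!xyz_split(sample, sizeof sample, &p))
        return 0;
    return p.license_len == 8 && p.content_len == 4 && p.content[0] == 0xDE;
}
```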

See Also

Licenses and Certificates
About Active Directory Rights Management Services

Build date: 3/13/2008