Machine Activation

The purpose of computer or device activation is to acquire an Active Directory Rights Management Services (AD RMS) machine certificate. Machine certificates are stored on a per-user basis; that is, each user has a separate store for the machine certificate, distinct from the machine certificates used by other users who share the machine.

Note: In RMS client 1.0, a single machine certificate is shared by all users of a computer.

The process of machine activation varies depending on the version of RMS being used:

Machine Activation for RMS Client 1.0 SP1, RMS Client 1.0 SP2, and the Server Lockbox

The lockbox and server lockbox are supplied by the client installation and automatically installed when the client is installed. The DRMActivate method initiates a call to the RMS client software, which performs the machine activation locally. There is no server transaction of any kind for machine activation. The resulting machine certificate is stored on a per-user basis. These items are tied to that particular computer configuration. The RMS client then informs the requesting application through the callback method that machine activation has succeeded or failed.

Activating a computer that has already been activated will overwrite the existing machine certificate for the specified user. This will require that you obtain a new rights account certificate for all content stored on this computer. Machine certificates for other users are not affected. The lockbox and server lockbox are not affected by machine activation.

Machine Activation for RMS Client 1.0

The DRMActivate method sends information about the client computer to the activation service. This information identifies the computer by its configuration; it does not identify any users on the computer. The activation service sends a lockbox and a machine certificate back to the client. These items are tied to that particular computer configuration. The machine certificate has a public key signed by the activation service's private key.

Because machine activation can take considerable time, DRMActivate is asynchronous and immediately returns control to the application, then continues processing the activation call on a separate thread.

The client application provides the text that will be displayed to the user during activation. The text should have the following components:

  • A message that informs the user that activation requires some information to be sent from the user's computer to the Windows activation service.
  • The URL for the activation service's privacy-policy page.

After getting the callback, the application must generate and display an activation dialog box that contains the text and URL. The dialog box should have the following components:

  • Yes and No buttons that allow the user to opt out of machine activation.
  • A Don't show this to me again check box.

If the user clicks the Yes button, the application returns a success code from the callback function (this code will also indicate whether the user selected the Don't show this to me again check box). If the user clicks the No button, a failure code is returned from the callback function, and the activation request is canceled.

The RMS client processes the activation response by:

  • Decrypting the response and verifying its signature.
  • Extracting the machine certificate.
  • Verifying signatures and the extracted certificates.
  • Installing the machine certificate in the folder specified in License Management.

The RMS client then informs the requesting application through the callback method that machine activation has succeeded or failed.

Activating a computer that has already been activated will overwrite the existing machine certificate. This will require that you obtain a new rights account certificate for all content stored on this computer. A new lockbox will also be acquired automatically.

See Also

Machine Certificate
Lockboxes
Activation
Determining Whether to Use a Lockbox

Build date: 3/13/2008