Wikis - Page Details
First published by: tonytri_MSFT, 2 Mar 2010 11:05 AM
Last revision by: Fernando Lugão Veltem (8MVP, Microsoft Partne), 26 May 2012 5:38 PM
Revisions: 6
Comments: 1
Activating a User Programmatically with AD RMS
Table of Contents
Rights Account Certificates
Rights Account Certificate Store
Rights Account Certificate XML Example
Before a user can encrypt or decrypt content, the user's Active Directory account must be signed into the Active Directory Rights Management Services (AD RMS) Pre-production or Production certificate hierarchy. This process, called activating a user account, returns a certificate chain. The root of the chain is a Microsoft certification authority (CA) certificate, and the chain ends with a signed rights account certificate (RAC) that uniquely identifies the account. You can use the DRMActivate function to activate a user. This is an asynchronous function that returns immediately to your application while processing the activation request on another thread. It delivers the result to a callback function that you must create. Before you can activate a user account, you must activate the computer that the user has logged onto and retrieve a machine certificate.
Rights Account Certificates
An Active Directory Rights Management Services (AD RMS) rights account certificate (RAC) identifies a user account by signing it into the Pre-production or Production certificate hierarchy. Each RAC is tied to the machine certificate of the computer on which the user is activated. A RAC and a machine certificate must exist before an end-user license can be created and content encrypted or decrypted. A user can have more than one RAC on a computer, one for each AD RMS service against which the user is activated, but the user cannot transfer a RAC between computers. For more information, see Activate a User Account.

A RAC can contain the following elements:
- The issuance date and time.
- The period over which the certificate is valid.
- A certificate type ID and name.
- The name and ID of the issuer.
- The location from which the certificate was retrieved.
- The principal ID, public key, digest and security processor.
- The Active Directory Federated Service (ADFS) principals.
- A signature created by using the private key of the AD RMS activation service.
- A certificate chain that contains one or more server licensor certificates and one or more CA certificates.
The following sample shows the basic XrML structure of the certificate. Collapsed elements are shown as "...", and the remaining certificates of the chain follow the RAC as sibling XrML elements.

<XrML xmlns="" version="1.2">
  <BODY type="LICENSE" version="3.0">
    <ISSUEDTIME> ... </ISSUEDTIME>
    <VALIDITYTIME> ... </VALIDITYTIME>
    <DESCRIPTOR> ... </DESCRIPTOR>
    <ISSUER> ... </ISSUER>
    <DISTRIBUTIONPOINT> ... </DISTRIBUTIONPOINT>
    <ISSUEDPRINCIPALS> ... </ISSUEDPRINCIPALS>
    <FEDERATIONPRINCIPALS> ... </FEDERATIONPRINCIPALS>
  </BODY>
  <SIGNATURE>
    <DIGEST> ... </DIGEST>
    <ALGORITHM />
    <VALUE />
  </SIGNATURE>
</XrML>
<XrML xmlns="" version="1.2"> ... </XrML> <!-- server licensor certificate -->
<XrML xmlns="" version="1.2"> ... </XrML> <!-- server licensor certificate -->
<XrML xmlns="" version="1.2"> ... </XrML> <!-- DRM-CA-Certificate -->
<XrML xmlns="" version="1.2"> ... </XrML> <!-- DRM-CA-Certificate -->
Rights Account Certificate Store

Version - Certificate location
AD RMS on Windows Vista and Windows Server 2008 using the client lockbox - %USERPROFILE%\AppData\Local\Microsoft\DRM
RMS client 1.0 SP2 using the client lockbox - %USERPROFILE%\Local Settings\Application Data\Microsoft\DRM
Rights Account Certificate XML Example
The following example shows an XrML rights account certificate (RAC) chain. The RAC was issued to the user account someone@example.com. The name of the AD RMS server that issued the RAC was EXAMPLESRV2008. To see an actual RAC, activate the user, navigate to the appropriate Rights Account Certificate Store, and open the certificate file. The file name format for a RAC in the Pre-production hierarchy is GIC-<user account>-<user ID GUID>.drm. For example, the following RAC was saved in the file named GIC-someone@example.com-{f39c5f0b-b861-460c-8a21-b8a0b9a9c568}.drm.
<XrML xmlns="" version="1.2">
  <BODY type="LICENSE" version="3.0">
    <ISSUEDTIME>2008-03-17T16:04</ISSUEDTIME>
    <VALIDITYTIME>
      <FROM>2008-03-16T16:04</FROM>
      <UNTIL>2009-03-17T16:04</UNTIL>
    </VALIDITYTIME>
    <DESCRIPTOR>
      <OBJECT type="Group-Identity-Credential">
        <ID type="MS-GUID">{f39c5f0b-b861-460c-8a21-b8a0b9a9c568}</ID>
      </OBJECT>
    </DESCRIPTOR>
    <ISSUER>
      <OBJECT type="MS-DRM-Server">
        <ID type="MS-GUID">{e03ee46f-e62a-48d7-81f0-2d8d5d522c9d}</ID>
        <NAME>EXAMPLESRV2008</NAME>
        <ADDRESS type="URL">HTTP://example.com:80/_wmcs</ADDRESS>
      </OBJECT>
      <PUBLICKEY>
        <ALGORITHM>RSA</ALGORITHM>
        <PARAMETER name="public-exponent">
          <VALUE encoding="integer32">65537</VALUE>
        </PARAMETER>
        <PARAMETER name="modulus">
          <VALUE encoding="base64" size="1024">
            1fn3bqaD3kdFtl+uo1mc/PKPNZyIjJ+KN+EACM72bSZwswcUTc8u75H
            0rllk9bgonpFTt9MCdfl7f+NC2OuWv2rC9nuBKt6CN/wMEVpF+ByjkU
            zMTA1Ktu/ziS4BJ9L7t1bUWEqa3nWb1B6MV/M+jeNgjiRMpGi+vzn3s
            D/d8Oo=
          </VALUE>
        </PARAMETER>
      </PUBLICKEY>
      <SECURITYLEVEL name="Server-Version" value="6.0.0.0" />
      <SECURITYLEVEL name="Server-SKU" value="RMS 2.0" />
    </ISSUER>
    <DISTRIBUTIONPOINT>
      <OBJECT type="Activation">
        <ID type="MS-GUID">{8BA9EA80-99E4-4a2b-9764-4CD84F77C3A0}</ID>
        <NAME>Microsoft Identity Certification Server</NAME>
        <ADDRESS type="URL">http://example.com/_wmcs/certification</ADDRESS>
      </OBJECT>
    </DISTRIBUTIONPOINT>
    <ISSUEDPRINCIPALS>
      <PRINCIPAL internal-id="1">
        <OBJECT type="Group-Identity">
          <ID type="Windows">S-1-5-21-1226287486-3652005974-3671177567-1114</ID>
          <NAME>someone@example.com</NAME>
        </OBJECT>
        <PUBLICKEY>
          <ALGORITHM>RSA</ALGORITHM>
          <PARAMETER name="public-exponent">
            <VALUE encoding="integer32">65537</VALUE>
          </PARAMETER>
          <PARAMETER name="modulus">
            <VALUE encoding="base64" size="1024">
              raMBBHBY7UbNE0bHh1Mc2G2LjBQfI/x/scBACTAm6Y12K+xQlve3p
              NlcnFcuPrfguSpNrXq3bdk+zdONH92zzxSlwqvVXqubwNinLESusH
              snpcVPGkPLV3PqxZ/JHOiEWKoLPkigNHGfatrBbnofCqRQhiG6it7
              FbHvNMRAgxbE=
            </VALUE>
          </PARAMETER>
        </PUBLICKEY>
        <SECURITYLEVEL name="Group-Identity-Credential-Type" value="Persistent" />
        <SECURITYLEVEL name="Group-Identity-Policy" value="Group-Identity-Credential" />
        <SECURITYLEVEL name="Group-Identity-Type" value="Group" />
      </PRINCIPAL>
    </ISSUEDPRINCIPALS>
    <FEDERATIONPRINCIPALS>
      <PRINCIPAL>
        <OBJECT type="Machine-Unique-Identifier">
          <ID type="MS-GUID">{8a0acfdb-b60f-49bd-a781-f6b41e876219}</ID>
          <NAME>Machine</NAME>
        </OBJECT>
        <ENABLINGBITS type="sealed-key">
          <VALUE encoding="base64" size="6144">
            ox7jiE7iXtnP5Q4p/ZPfh4VAP5sFh/wI+8XsK94+KBO8yfwytsNCoUP
            JU3twWHoBNTIdbVCvSFFmhp+Uw71rHCB22Ud3ZUaV81a5ZjbsyFltiu
            FFUOeqOKUGXQwKHrVcb6Yi2rEOmimKoBr1S/SP99g5D3xEZjxslFI8q
            F3PblXdysVm8alF+KiLkWLO0B+doTd+7OnL48H1xQZnUFLVy2uBp+s5
            JJDLd1+38Oj/qjl992EhHZMvle567g+vRLQ4pabIrtZnIw/hAa0yBWP
            FlRNJ6v0qsj1FeM4mRiKYvGazyVDEYX+Js1sc1RUY4XNLo7tPlBt/4q
            JHHhuGhX2jltXRKTQprlofb/ZnTfme+rBNKX5Rzd3+fjp0dFjdllfMG
            Z5J+Z6PSwAAs9ojlner6j2kv88yHx700ZaTdCxhKPEVL9IyNPjFUHo/
            b+499DIPu7tp2E3DlEEusnsnwZqIehpt8tghLzfUMM2YJe3T1poKVF0
            SWjVfr2OKRZ3qQPdI+/3/cQzaGirgvRDuifJGduzLqZ2uABKwqYv2zP
            ELKOKPuDWqckhgj83n/EYtyM/beCz0ZmEGHdAEmXFHr701t7heGI9aQ
            jUwNjWmpwMUKTgKGfA0dNq4cJk1p/VO1+b2TS3yAC2jtwA5ZaejrQ8g
            2H/S2D82ht8A9tGUjDfoqn4T2RN1laLXGwbzAto31I4kUWpcziakJ+/
            XNBH4F961d6177Sie1IkGiLGnMSM3nmpdQPjad/z8YS3fPcE+LkbaP8
            vmXZl4GY6nNSvkvTT/nxhFfn/Fm17HFvjovBhSB6NOFzkSiuXDcPXlU
            X/BTGZk0p8j4yXQNtO9b3H+OtGEuwqnD8S69tIrpH+jpl/VCFXFKp3M
            rcVUZfjhBGfZHapCul5dZfir32dU6bkTD/FmSbSVClr5rO7/sZ/Wlvl
            lv4mw/gg642EnvzURDMFFZb+XYALFGdvMt3kZevK4o5hCE0yEP2PtAb
            fWv1jpseo3nNRC/mMsv8nXgcdW1MKbuKEH
          </VALUE>
        </ENABLINGBITS>
        <SECURITYLEVEL name="Manufacturer"
                       value="Microsoft Corporation mcoregen DLL 6.0.5840.16389 (RMS Client v2.0 Desktop Security Processor)" />
        <SECURITYLEVEL name="Platform" value="2.6.0.6000" />
        <SECURITYLEVEL name="Repository"
                       value="Microsoft Corporation Windows RMS Client v2.0 secure repository 6.0.5840.16389" />
      </PRINCIPAL>
    </FEDERATIONPRINCIPALS>
  </BODY>
  <SIGNATURE>
    <DIGEST>
      <ALGORITHM>SHA1</ALGORITHM>
      <PARAMETER name="codingtype">
        <VALUE encoding="string">surface-coding</VALUE>
      </PARAMETER>
      <VALUE encoding="base64" size="160">Xc+84uqrehgkwjwHGAedTv7UeK0=</VALUE>
    </DIGEST>
    <ALGORITHM>RSA PKCS#1-V1.5</ALGORITHM>
    <VALUE encoding="base64" size="1024">
      SaZvQJOL9D478f5sxLq3Jdn5ZB11oHvfKr8xa3oPI5xwmFnnsol+rTJKWYP
      K0lyfRhpqobgQmqtx9HaVGp/kK5HcPoMFVp8RRnbKogZDZVX3lKMq+vJeJb
      RIassz6TZQICTBcf0QL/ba3qVNYGP3kl3LyRAK/DaHsD1w5XXAfmk=
    </VALUE>
  </SIGNATURE>
</XrML>
...
<XrML xmlns="" version="1.2"> ... </XrML>
<XrML xmlns="" version="1.2"> ... </XrML>
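The following Python script is an added example, not code from the article or from the AD RMS SDK. It covers the two sections above: it parses the RAC's XrML layout (issuer, validity window, issued principal, machine identifier, signature algorithm) with the standard library only, checks whether the certificate is valid at a given time, and reconstructs the GIC-<user>-<GUID>.drm file name and the store paths from the article's table so RAC files can be located on a client. SAMPLE_RAC is a constructed, shortened copy of the article's example (key and signature blobs truncated); the function names (parse_rac, is_valid_at, rac_file_name, select_rac_files, find_racs) are chosen here and are not part of any Microsoft API.

```python
"""Inspect an AD RMS rights account certificate (RAC) offline.

Added example; not code from the article or the AD RMS SDK. Uses only the
standard library and follows the XrML layout documented above. SAMPLE_RAC is
a constructed, shortened copy of the article's example RAC.
"""
import datetime as dt
import os
import xml.etree.ElementTree as ET

# RAC store locations from the article's table (expanded at call time).
RAC_STORES = {
    "vista_2008": r"%USERPROFILE%\AppData\Local\Microsoft\DRM",
    "rms_client_1.0_sp2": r"%USERPROFILE%\Local Settings\Application Data\Microsoft\DRM",
}

# Constructed sample: the article's RAC with key/signature blobs truncated.
SAMPLE_RAC = """<XrML xmlns="" version="1.2">
 <BODY type="LICENSE" version="3.0">
  <ISSUEDTIME>2008-03-17T16:04</ISSUEDTIME>
  <VALIDITYTIME><FROM>2008-03-16T16:04</FROM><UNTIL>2009-03-17T16:04</UNTIL></VALIDITYTIME>
  <DESCRIPTOR><OBJECT type="Group-Identity-Credential"><ID type="MS-GUID">{f39c5f0b-b861-460c-8a21-b8a0b9a9c568}</ID></OBJECT></DESCRIPTOR>
  <ISSUER><OBJECT type="MS-DRM-Server"><ID type="MS-GUID">{e03ee46f-e62a-48d7-81f0-2d8d5d522c9d}</ID>
   <NAME>EXAMPLESRV2008</NAME><ADDRESS type="URL">HTTP://example.com:80/_wmcs</ADDRESS></OBJECT>
   <SECURITYLEVEL name="Server-Version" value="6.0.0.0" /><SECURITYLEVEL name="Server-SKU" value="RMS 2.0" /></ISSUER>
  <ISSUEDPRINCIPALS><PRINCIPAL internal-id="1"><OBJECT type="Group-Identity">
   <ID type="Windows">S-1-5-21-1226287486-3652005974-3671177567-1114</ID><NAME>someone@example.com</NAME></OBJECT>
   <SECURITYLEVEL name="Group-Identity-Credential-Type" value="Persistent" /></PRINCIPAL></ISSUEDPRINCIPALS>
  <FEDERATIONPRINCIPALS><PRINCIPAL><OBJECT type="Machine-Unique-Identifier">
   <ID type="MS-GUID">{8a0acfdb-b60f-49bd-a781-f6b41e876219}</ID><NAME>Machine</NAME></OBJECT></PRINCIPAL></FEDERATIONPRINCIPALS>
 </BODY>
 <SIGNATURE><DIGEST><ALGORITHM>SHA1</ALGORITHM><VALUE encoding="base64" size="160">Xc+84uqrehgkwjwHGAedTv7UeK0=</VALUE></DIGEST>
  <ALGORITHM>RSA PKCS#1-V1.5</ALGORITHM><VALUE encoding="base64" size="1024">TRUNCATED-FOR-EXAMPLE</VALUE></SIGNATURE>
</XrML>"""


def _ts(text):
    """RAC timestamps look like 2008-03-17T16:04 (minute precision, no zone)."""
    return dt.datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M")


def parse_rac(xml_text):
    """Extract identity and validity fields from one RAC (the first XrML
    element of the chain); element paths follow the layout shown above."""
    root = ET.fromstring(xml_text)
    body = root.find("BODY")
    issuer = body.find("ISSUER/OBJECT")
    user = body.find("ISSUEDPRINCIPALS/PRINCIPAL/OBJECT")
    machine = body.find("FEDERATIONPRINCIPALS/PRINCIPAL/OBJECT")
    # SECURITYLEVEL attributes describe the issuer, the credential and the lockbox.
    levels = {sl.get("name"): sl.get("value") for sl in body.iter("SECURITYLEVEL")}
    return {
        "rac_id": body.findtext("DESCRIPTOR/OBJECT/ID").strip(),
        "issued": _ts(body.findtext("ISSUEDTIME")),
        "valid_from": _ts(body.findtext("VALIDITYTIME/FROM")),
        "valid_until": _ts(body.findtext("VALIDITYTIME/UNTIL")),
        "issuer_name": issuer.findtext("NAME"),
        "issuer_url": issuer.findtext("ADDRESS"),
        "user": user.findtext("NAME"),
        "user_sid": user.findtext("ID").strip(),
        "machine_id": machine.findtext("ID").strip(),
        "credential_type": levels.get("Group-Identity-Credential-Type"),
        "server_sku": levels.get("Server-SKU"),
        "digest_alg": root.findtext("SIGNATURE/DIGEST/ALGORITHM"),
        "signature_alg": root.findtext("SIGNATURE/ALGORITHM"),  # SIGNATURE's own child, not DIGEST's
    }


def is_valid_at(rac, when):
    """True if `when` (datetime or RAC-style timestamp string) lies inside the
    validity window; an expired RAC has to be re-acquired by activating the user again."""
    if isinstance(when, str):
        when = _ts(when)
    return rac["valid_from"] <= when <= rac["valid_until"]


def rac_file_name(user, rac_id):
    """Pre-production file name format from the article: GIC-<user>-<RAC GUID>.drm."""
    return f"GIC-{user}-{rac_id}.drm"


def select_rac_files(names):
    """Keep only RAC files (GIC-*.drm) from a directory listing, sorted."""
    return sorted(n for n in names if n.startswith("GIC-") and n.lower().endswith(".drm"))


def find_racs(version="vista_2008"):
    """List RAC files in the store of the given client version (Windows hosts only)."""
    store = os.path.expandvars(RAC_STORES[version])
    if not os.path.isdir(store):
        return []
    return [os.path.join(store, n) for n in select_rac_files(os.listdir(store))]


if __name__ == "__main__":
    rac = parse_rac(SAMPLE_RAC)
    for key, value in rac.items():
        print(f"{key:16} {value}")
    print("valid now:", is_valid_at(rac, dt.datetime.now()))
    print("expected file:", rac_file_name(rac["user"], rac["rac_id"]))
    print("RACs in store:", find_racs())
```

Run the script on a Windows client after activation and point parse_rac at each file that find_racs returns to confirm which AD RMS server issued the RAC, which user SID it binds, and when it expires; parse_rac reads only the XrML fields and does not verify the signature, which the AD RMS client performs with the issuer's public key during use.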
Tags: Active Directory Rights Management Services, AD RMS, en-US
Revision comment by Fernando Lugão Veltem, 26 May 2012 5:38 PM: Fernando Lugão Veltem edited Revision 4. Comment: added toc and tags. increase font size