Before installing and configuring Active Directory Rights Management Services (AD RMS), it is important to understand the publishing and consumption workflow. The following high-level workflow is presented by Microsoft in its online documentation, but it is reworded and reorganized here for clarity.
1. A publisher receives a client licensor certificate (CLC) from the AD RMS server. This is a one-time step, and it is what allows a user to publish RMS-protected content without being connected to the corporate network. If the publisher has never published and protected content before, no CLC is installed on that user's machine. The first time the publisher protects content, the RMS-enabled application requests a CLC from the AD RMS server. The server issues the CLC, which authorizes the publisher to publish protected content offline. The CLC is tied to the user who requested it: it contains the client licensor public key together with a copy of the client licensor private key encrypted with the public key from the user's rights account certificate (RAC), and it is signed by the issuing AD RMS server. Once the CLC is installed, the publisher does not need to contact the AD RMS server again to protect further content.
2. The publisher creates a file and defines usage policies for its content. The RMS-enabled application uses the installed CLC to generate and sign the document's publish license (also known as an issuance license).
3. The RMS-enabled application then encrypts the document with a random symmetric key and binds the publish license to the encrypted file. The symmetric key is combined with the rights policy assigned to the content and encrypted with the public key of the AD RMS server. Because only that server holds the matching private key, only the AD RMS server that originally issued the CLC can later recover the symmetric key and issue licenses to open the content. The publish license also contains the URL of the AD RMS licensing server, which is where consuming applications send their requests in step 6. According to Microsoft, when the publisher uses an RMS-enabled application that publishes online, no CLC is created or used as part of the publication process. Instead, the application generates the symmetric key and sends a publish-license request, containing the symmetric key and the usage policies, directly to the AD RMS server. The server encrypts the symmetric key with its own public key, generates the publish license, and returns it to the application. Online publishing repeats this exchange for every document published.
4. The publisher distributes the protected content to the consumer through an ordinary distribution channel, such as email, a network share, a SharePoint site, or removable media.
5. The consumer opens the file, either with an RMS-enabled application or with Internet Explorer through the Rights Management Add-on (RMA).
6. To validate the user and obtain a use license, the RMS-enabled application sends a request to the AD RMS server named in the publish license, that is, the server that issued the CLC used to protect the content. The request includes the consumer's rights account certificate (RAC), which contains the consumer's public key; the publish license, which contains the symmetric key encrypted to the server; and the rights policy information.
7. When the AD RMS server receives the request from the RMS-enabled application, it validates the consumer's RAC, checks the request against the rights policy, and creates a use license. During this process the server decrypts the symmetric key with its own private key, re-encrypts it with the consumer's public key from the RAC, and places it in the use license together with the rights that the rights policy grants this consumer. Because the key is now encrypted to the consumer's public key, only the holder of the matching private key, the intended consumer, can recover the symmetric key and thus decrypt the protected file.
8. Once validation is complete, the AD RMS server returns the use license to the consumer's client computer.
9. The application decrypts the symmetric key with the consumer's private key, decrypts the content, and enforces the user rights defined in the use license. The rights policy information carries any conditions attached to the use license, such as an expiration date, an application exclusion, or an operating-system exclusion, and the application must honor these before rendering the content.
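The key handling behind steps 1 to 9, as an added example in Go; this is not code from the page or from Microsoft, and it models only the cryptography of the flow. RSA-OAEP stands in for the RMS key wrapping, a PKCS#1 v1.5 signature stands in for the CLC's signature on the publish license, and AES-GCM stands in for the content encryption; the real XrML license formats, the lockbox and the certificate chains are out of scope. The server URL, the user names, and the newKey and must helpers are assumptions made for the demo.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// RightsPolicy is the usage policy the publisher binds to the content (step 2).
type RightsPolicy struct {
	AllowedUsers []string  // consumers the server may license
	Rights       []string  // e.g. VIEW, EDIT, PRINT
	Expires      time.Time // condition inherited by every use license (step 9)
}

// PublishLicense travels inside the protected file (step 3).
type PublishLicense struct {
	ServerURL             string
	Policy                RightsPolicy
	WrappedKey, Signature []byte // content key encrypted to the server public key; CLC signature over the rest
}

// UseLicense is what the server returns to one consumer (steps 7 and 8).
type UseLicense struct {
	Consumer   string
	Rights     []string
	Expires    time.Time
	WrappedKey []byte // content key re-encrypted to this consumer's RAC public key
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newKey stands in for real key material (hypothetical helper for the demo).
func newKey() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }

func wrap(pub *rsa.PublicKey, key []byte) []byte {
	return must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil))
}

// licenseDigest covers every field of the publish license except the signature.
func licenseDigest(pl PublishLicense) []byte {
	pl.Signature = nil
	h := sha256.Sum256(must(json.Marshal(pl)))
	return h[:]
}

// Publish is steps 2 and 3 on the publishing computer: random content key, AES-GCM
// encryption, key wrapped to the server public key, license signed with the CLC key.
func Publish(clc *rsa.PrivateKey, serverPub *rsa.PublicKey, serverURL string,
	policy RightsPolicy, plaintext []byte) ([]byte, PublishLicense) {
	buf := make([]byte, 32+12) // 256-bit content key followed by a GCM nonce
	must(rand.Read(buf))
	key, nonce := buf[:32], buf[32:]
	pl := PublishLicense{ServerURL: serverURL, Policy: policy, WrappedKey: wrap(serverPub, key)}
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	// License digest as associated data: the ciphertext cannot later be paired
	// with a different (say, more permissive) publish license.
	ct := gcm.Seal(nonce, nonce, plaintext, licenseDigest(pl))
	pl.Signature = must(rsa.SignPKCS1v15(rand.Reader, clc, crypto.SHA256, licenseDigest(pl)))
	return ct, pl
}

// IssueUseLicense is the server side of steps 6 to 8: verify the CLC signature, apply
// the policy, unwrap the content key with the server private key, re-wrap it to the RAC.
func IssueUseLicense(serverPriv *rsa.PrivateKey, clcPub *rsa.PublicKey,
	pl PublishLicense, consumer string, racPub *rsa.PublicKey) (UseLicense, error) {
	if err := rsa.VerifyPKCS1v15(clcPub, crypto.SHA256, licenseDigest(pl), pl.Signature); err != nil {
		return UseLicense{}, fmt.Errorf("publish license rejected: %w", err)
	}
	allowed := false
	for _, u := range pl.Policy.AllowedUsers {
		allowed = allowed || u == consumer
	}
	if !allowed {
		return UseLicense{}, errors.New("consumer is not allowed by the rights policy")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, serverPriv, pl.WrappedKey, nil)
	if err != nil {
		return UseLicense{}, err
	}
	return UseLicense{Consumer: consumer, Rights: pl.Policy.Rights,
		Expires: pl.Policy.Expires, WrappedKey: wrap(racPub, key)}, nil
}

// Consume is step 9 on the consumer's computer: enforce the license conditions,
// unwrap the content key with the RAC private key and decrypt the file.
func Consume(rac *rsa.PrivateKey, pl PublishLicense, ul UseLicense,
	ciphertext []byte, now time.Time) ([]byte, error) {
	if now.After(ul.Expires) {
		return nil, errors.New("use license expired")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, rac, ul.WrappedKey, nil)
	if err != nil { // any RAC other than the one the server licensed fails here
		return nil, fmt.Errorf("use license was not issued to this consumer: %w", err)
	}
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if n := gcm.NonceSize(); len(ciphertext) >= n {
		return gcm.Open(nil, ciphertext[:n], ciphertext[n:], licenseDigest(pl))
	}
	return nil, errors.New("ciphertext too short")
}

func main() {
	server, clc, alice, bob := newKey(), newKey(), newKey(), newKey()
	policy := RightsPolicy{AllowedUsers: []string{"alice@example.com"},
		Rights: []string{"VIEW"}, Expires: time.Now().Add(24 * time.Hour)}
	// Server URL and document text are constructed sample values.
	ct, pl := Publish(clc, &server.PublicKey, "https://rms.example.com/_wmcs/licensing",
		policy, []byte("constructed sample document"))
	ul, _ := IssueUseLicense(server, &clc.PublicKey, pl, "alice@example.com", &alice.PublicKey)
	pt, err := Consume(alice, pl, ul, ct, time.Now())
	fmt.Printf("alice: %q rights=%v err=%v\n", pt, ul.Rights, err)
	_, err = Consume(bob, pl, ul, ct, time.Now()) // bob presents alice's use license with his own RAC
	fmt.Println("bob:", err)
}
```

Two properties of the workflow are visible in the code rather than just asserted: the server never sees the plaintext and never hands out the content key in the clear (it only re-wraps it to the RAC public key presented in the request), and a consumer who obtains someone else's use license, or who edits the rights policy inside the publish license, fails at the unwrap or at the signature check rather than at a policy string the client could ignore.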