4.2 Provisioning an Extranet User

To consume protected content, a user's client machine needs to contact an RMS server to be provisioned with specific certificates on the machine being used. These certificates can easily be obtained with the proper URLs. Sometimes the necessary URL information is not present on the client machine, either because the machine is not joined to a domain, or it is not joined to the same domain that contains the user's account. As defined in section 1.3.1, the appropriate RMS server for a specific service type can vary depending on the specific user.

To find the relevant RMS server's URL, the client has to first contact a general RMS server and invoke the FindServiceLocationsForUser RPC. The URL for this general RMS server can be found from the policy that has been applied to the protected information (or content). Alternately, the URL for the general server could be found via configuration settings or some application-specific or deployment-specific mechanism.

Once contacted, the general RMS server (server 1 in the following diagram) will in turn contact an appropriate RMS server (server 2 in the following diagram) for the specific user using the FindServiceLocations operation of the ServerSoap (FindServiceLocations) port type, and return the appropriate direct URL to the client for subsequent requests to provision the necessary certificates.

Figure 8: FindServiceLocations call resulting from AcquireLicense

  1. Client identifies general-purpose extranet RMS server URL.

    The client determines the URL of the general-purpose RMS server from the policy applied to the protected content, configuration settings, or an application-specific or deployment-specific mechanism.

  2. Client makes a request to FindServiceLocationsForUser RPC.

    The client makes a request to the FindServiceLocationsForUser Web service, providing the type of service whose URL is being requested and providing authentication of the user's identity.

  3. Server 1 makes a FindServiceLocations request on behalf of the user.

    If the user authenticates correctly, the server will find the user's home domain in the directory and identify the appropriate RMS server for that domain (server 2). Server 1 will then make a FindServiceLocations request to server 2, specifying the service type that was requested by the client.

  4. Server 1 returns results to client.

    Server 1 then returns to the client the results it received from server 2.

  5. Client contacts server 2 directly, via returned URLs.

    The client will then contact server 2 directly and request the required provisioning certificates.