Use Licenses and External Users

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

RMS allows authors to share protected content with authorized external users over the Internet. RMS offers equal protection for publishing content to internal and external users because the rights that are attached to the content must be licensed by an RMS cluster. This allows organizations to share and work together on confidential documents, such as contracts, over the Internet.

An external user typically gains access to RMS through the Internet. (If an external user can gain access to the internal network directly, such as through a VPN connection, he or she is functionally equivalent to an internal user.) Whether the user is in the publishing organization or external to it, the process of acquiring a use license is essentially the same as it is described in "Use License Acquisition" earlier in this subject. The user is not required to be inside the author's network or have a user account on it to request a use license.

All that is required is that:

  • The user has a valid rights account certificate.

  • The user has access to a RMS licensing server in the cluster that issued the publishing license, which may be on the intranet or an extranet.

  • The RMS installation that issued the user's account certificate is on the list of trusted user domains of the RMS installation that issues the use license.

The following types of external users can obtain use licenses:

  • Users whose accounts are part of a different Active Directory forest that also has an RMS installation. The RMS installation in the other forest must be defined as trusted user domains for this installation.

  • Users in another organization that is also running an RMS installation that has been added to the list of trusted user domains for this installation.

  • Users who have Windows Live ID–based rights account certificates when the Microsoft RMS Certification Service is on the list of trusted user domains for this installation.

You can add a separate organization or another RMS installation in your organization to the list of trusted user domains. After you add a domain, you can then define which e-mail domains to trust in that domain, as well as select whether or not to trust security identifiers (SIDs) that are in this domain.

Another organization or an RMS installation that is in your organization can add your RMS installation to their list of trusted user domains so that their RMS clusters can process use license requests from your users.

For more information about how to create trusted user domains between RMS and other organizations, see "Trusted User Domains" later in this subject and "Adding and Removing Trusted Publishing Domains" in "RMS: Operations" in this documentation collection.