AD RMS Client 1.0 Deployment

Applies To: Windows Server 2008, Windows Server 2008 R2

When Windows RMS was originally released for Windows Server 2003, it required a client to be deployed to all the devices that were going to be creating or accessing protected documents. This included the Windows XP and Windows 2000 operating systems.

With the release of Windows Vista in 2007 and subsequent operating system releases, support for rights management technologies is provided out-of-the-box because the AD RMS Client 1.0 is included with the operating system. With Windows Vista there is no longer a need to deploy a separate client in order to create and consume protected content. However, the first time an AD RMS protected document is accessed or created on a Windows Vista machine, the client and the user need to be activated. This process is completely transparent to the user, though obtaining the rights account certificate (RAC) and the client licensor certificate (CLC) requires a connection to the network that hosts the AD RMS certification cluster. Once the client is activated, the user can create and consume protected documents from the computer. This transparency allows documents to be opened according to their protection policy and the capabilities of the software installed on the machine. For example, if the machine has Office 2007 Enterprise installed, the user can open IRM protected Office documents according to their policy. If the machine does not have software that can handle the type of protected document being opened, the user will be unable to open it unless they use the Rights Management Add On or one of the Microsoft Office viewers, which are discussed later in this document.

The AD RMS Client 1.0 is included with the Windows Vista and the Windows Server 2008 operating systems. If you are using Windows XP, Windows 2000, or Windows Server 2003 as your client operating system, a compatible version of the AD RMS Client 1.0 is available for download from the Microsoft Download Center. See Manual Client Installation later in this document for information on manually installing the client.

How Activation Works

Activation is the process of signing into the AD RMS certificate hierarchy. It is composed of the following two parts:

  • Machine Activation

  • User Activation

Machine Activation

Before a specific computer can be used to encrypt or decrypt content, you must sign it into the AD RMS certificate hierarchy. This process, called activating a computer, returns a certificate chain. The root of the chain is a Microsoft certification authority (CA) certificate, and the chain ends with a signed machine certificate that uniquely identifies the computer being used.

Computer activation is performed locally by the AD RMS client. There is no interaction with an AD RMS activation service or the AD RMS server infrastructure. The computer generates a 1024-bit public/private key pair. It stores the private key securely and puts the public key into the machine certificate.

Activating a computer that has already been activated overwrites the machine certificate, thereby requiring that you also renew the rights account certificate.

User Activation

Before a user can encrypt or decrypt content, the user's Active Directory account must be signed into the Active Directory Rights Management Services (AD RMS) certificate hierarchy. This process, called activating a user account, returns a certificate chain. The root of the chain is a Microsoft certification authority (CA) certificate, and the chain ends with a signed rights account certificate (RAC) that uniquely identifies the account.

User activation is performed independently on each machine on which the user attempts to access or create protected content.

This process begins by identifying the AD RMS certification cluster in the forest by using the Service Connection Point (SCP) in Active Directory. Then the client presents the credentials of the user to the AD RMS certification server. Next, the server generates a Rights Account Certificate (RAC), which contains a public/private key pair for the user and the user’s email address as the subject. The private key of the user is encrypted with the public key of the computer performing the activation, so that it is available only to that computer. The certificate is then sent to that computer, which stores it locally.


Registry overrides can be used to point the client to a specific URL for the AD RMS certification cluster. See Client Registry Settings later in this document.

If the client is attempting to protect content, the client is also issued a Client Licensor Certificate (CLC), which allows the user to publish content. The CLC is generated by the server and contains a public/private key pair. The private key is encrypted with the RAC's public key.
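The key binding described under Machine Activation and User Activation can be modelled in a few lines. This is an added example, not Microsoft code and not the AD RMS certificate format: the function names, the textbook RSA with a hash keystream, and the use of 1024-bit keys for the RAC and CLC are all assumptions made for illustration. It shows why a RAC issued to one machine key cannot be used once that machine is re-activated.

```python
import hashlib, secrets

def _prime(bits):  # Fermat test to four bases: fine for a demo, not for real keys
    while True:
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if all(pow(a, n - 1, n) == 1 for a in (2, 3, 5, 7)):
            return n

def new_keypair(bits=1024):  # 1024 bits is the machine key size the page gives
    e = 65537
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        if p != q and (p - 1) * (q - 1) % e:
            return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def _stream(r):  # 32-byte key-check tag followed by a 256-byte keystream
    return hashlib.shake_256(r.to_bytes(256, "big")).digest(32 + 256)

def wrap(subject, holder):
    """Hypothetical certificate: subject's private exponent encrypted to holder's public key."""
    r = secrets.randbelow(holder["n"] - 2) + 2
    ks = _stream(r)
    body = bytes(a ^ b for a, b in zip(subject["d"].to_bytes(256, "big"), ks[32:]))
    return {"n": subject["n"], "e": subject["e"], "tag": ks[:32], "body": body,
            "c": pow(r, holder["e"], holder["n"])}

def unwrap(cert, holder):
    """Recover the private key; raises unless holder is the key pair it was wrapped to."""
    ks = _stream(pow(cert["c"], holder["d"], holder["n"]))
    if ks[:32] != cert["tag"]:
        raise ValueError("private key is bound to a different key pair")
    d = int.from_bytes(bytes(a ^ b for a, b in zip(cert["body"], ks[32:])), "big")
    return {"n": cert["n"], "e": cert["e"], "d": d}

def activate_user(machine_pub):
    """Server side; reads only n and e. RAC key -> machine key, CLC key -> RAC key."""
    rac = new_keypair()
    return wrap(rac, machine_pub), wrap(new_keypair(), rac)

def can_use(cert, holder):
    try:
        return bool(unwrap(cert, holder))
    except ValueError:
        return False

if __name__ == "__main__":
    machine = new_keypair()                  # machine activation happens locally
    rac_cert, clc_cert = activate_user({"n": machine["n"], "e": machine["e"]})
    print("RAC usable on activated machine:", can_use(rac_cert, machine))
    print("RAC usable after re-activation: ", can_use(rac_cert, new_keypair()))
```

The second check fails because re-activation replaces the machine key pair, which is why the page says the rights account certificate must then be renewed.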