How to determine the type and the validity period of a Windows Rights Management Services (RMS) account certificate (832950)
The information in this article applies to:
- Microsoft Windows Rights Management Services (RMS) for Windows Server 2003
SUMMARY
This step-by-step article describes how to determine both the
type and the validity period of a Microsoft Windows Rights Management Services
(RMS) account certificate. You can download the following two types of
RMS account certificates:
- Standard
You can use a standard account certificate to create, to view, and
to use restricted content on a specific computer. You can use the restricted content only for the specific number of days
that the administrator of the RMS server determines.
For a default RMS
installation, a standard account certificate is valid for 365 days. The
administrator can set this validity period from zero days to 9,999 days (or more than 27 years). For
example, standard account certificates that you can download from the Microsoft
Passport Account Certification Service are valid for 180 days.
- Temporary
You can use a temporary account certificate to view restricted
content on a specific computer. You can view the restricted content only for the specific number of minutes that the
administrator of the RMS server determines.
For a default RMS installation, a
standard account certificate is valid for 15 minutes. The administrator can
set this validity period from zero minutes to 9,999 minutes (or almost seven days). For example,
standard account certificates that you can download from the Microsoft Passport
Account Certification Service are valid for 15 minutes. Each user account can
have only one active temporary account certificate from a particular RMS server
at a time.
Copy the license information to a new file
To determine the type and the validity period of an RMS account
certificate, you must parse the data that contains the license information.
Each RMS account certificate is signed with an encrypted hash of this data.
Therefore, if you want to continue to use the data, do not change
the data. RMS uses eXtensible rights Markup Language (XrML) to create account certificates. XrML is a
specialized version of Extensible Markup Language (XML) that you can use with
rights expression applications. Account certificates contain multiple XrML
documents. Therefore, account certificates are incompatible with standard XML
editing tools. To view license information, extract the data that contains this
information, and then save this data as an XML file. You can then read the file
in the Windows XML Editor that is included with Microsoft Internet
Explorer.
Note: Except for the document that contains license
information, the XrML documents establish the certificate chain of the RMS server that grants an
RMS account certificate to a user account.
To parse the XrML data that
contains the license information, follow these steps:
- Use a text editor (such as Notepad) to open the RMS account
certificate for editing.
This certificate exists in the RMS certificate store
on your computer. The RMS certificate store is located in the following folder:
%USERPROFILE%\Local Settings\Application Data\Microsoft\DRM
Note: RMS account certificates are identified by the three-letter prefix,
GIC, that precedes the user name and the GUID values. The RMS certificate store
also contains End User Licenses (EULs) and Client Licensor Certificates
(CLCs).
- Locate the first occurrence of the <XrML>
element.
- Copy all the data between this <XrML> element and the
corresponding </XrML> element to a new document.
- Add an <XrML> element at the beginning of the new
document.
- Add an </XrML> element at the end of the new
document.
- Save this document as an XML document that is named
Temp.xml.
Determine the type and the validity period of an RMS account certificate
- To determine the type of your RMS account certificate,
follow these steps:
  - Open the Temp.xml document, and then find the <ISSUEDPRINCIPALS> section.
  - Notice the value of the value attribute for the <SECURITYLEVEL> element.
    - A Persistent value denotes a standard account certificate.
    - A Temporary value denotes a temporary account certificate.
For example, the
following <SECURITYLEVEL> element denotes a standard account certificate:
<SECURITYLEVEL name="Group-Identity-Credential-Type" value="Persistent" />
Note: RMS account certificates were formerly named Group Identity
Credentials. Microsoft changed this name to reflect the usage of
certificates. However, the RMS client Software Development Kit (SDK) and the
XrML data in the certificates still use the original name of Group Identity Credentials.
- To determine the validity of the RMS account certificate,
check the contents of the <VALIDITYTIME> element.
For example, the following <VALIDITYTIME> element denotes an RMS account certificate that is valid from
21:00 on December 15, 2003, to 21:00 on December 15, 2004:
<VALIDITYTIME>
<FROM>2003-12-15T21:00</FROM>
<UNTIL>2004-12-15T21:00</UNTIL>
</VALIDITYTIME>
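The manual procedure above, as an added Python example (not part of the original article and not a Microsoft tool): it parses a copy of the first XrML document from the text of an account certificate, leaving the signed file untouched, and reports the certificate type and validity window. The sample certificate is constructed with simplified nesting, and the function names, the treatment of timestamps as naive values, and the assumption that XrML documents are not nested are choices made for this example.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample, not a real certificate: two concatenated XrML documents.
# Nesting is simplified; only the elements the article names are relied on.
SAMPLE_GIC = (
    '<XrML version="1.2"><BODY>'
    '<VALIDITYTIME><FROM>2003-12-15T21:00</FROM>'
    '<UNTIL>2004-12-15T21:00</UNTIL></VALIDITYTIME>'
    '<SECURITYLEVEL name="Group-Identity-Credential-Type" value="Persistent" />'
    '</BODY></XrML>'
    '<XrML version="1.2"><BODY>'
    '<VALIDITYTIME><FROM>2003-01-01T00:00</FROM>'
    '<UNTIL>2008-01-01T00:00</UNTIL></VALIDITYTIME>'
    '</BODY></XrML>'
)
TYPES = {"Persistent": "standard", "Temporary": "temporary"}
TIME_FORMAT = "%Y-%m-%dT%H:%M"  # layout of the article's FROM/UNTIL values


def first_license_document(gic_text):
    """Parse a copy of the first XrML document; the input is never modified."""
    match = re.search(r"<XrML\b[^>]*>(.*?)</XrML>", gic_text, re.DOTALL)
    if match is None:
        raise ValueError("no <XrML> document found")
    # Mirrors the manual steps: copy the inner data, then re-wrap it.
    return ET.fromstring("<XrML>" + match.group(1) + "</XrML>")


def describe_account_certificate(gic_text, now):
    """Return type, validity window and state at `now` (a naive datetime)."""
    root = first_license_document(gic_text)
    level = next((e for e in root.iter("SECURITYLEVEL")
                  if e.get("name") == "Group-Identity-Credential-Type"), None)
    validity = root.find(".//VALIDITYTIME")
    if level is None or validity is None:
        raise ValueError("license document lacks SECURITYLEVEL or VALIDITYTIME")
    start = datetime.strptime(validity.findtext("FROM", "").strip(), TIME_FORMAT)
    end = datetime.strptime(validity.findtext("UNTIL", "").strip(), TIME_FORMAT)
    state = "not yet valid" if now < start else "expired" if now >= end else "valid"
    return {"type": TYPES.get(level.get("value"), "unknown"),
            "from": start, "until": end,
            "days": (end - start).days, "state": state}


if __name__ == "__main__":
    print(describe_account_certificate(SAMPLE_GIC, datetime(2004, 6, 1)))
```

Read the certificate file into a string with the encoding it is actually stored in before calling `describe_account_certificate`; the example does not guess the encoding.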
Modification Type: Major | Last Reviewed: 12/17/2003
Keywords: kbXML kbCertServices kbHOWTOmaster KB832950 kbAudDeveloper