How to determine the type and the validity period of a Windows Rights Management Services (RMS) account certificate (832950)



The information in this article applies to:

  • Microsoft Windows Rights Management Services (RMS) for Windows Server 2003

SUMMARY

This step-by-step article describes how to determine both the type and the validity period of a Microsoft Windows Rights Management Services (RMS) account certificate.

You can download the following two types of RMS account certificates:
  • Standard
    You can use a standard account certificate to create, to view, and to use restricted content on a specific computer. You can use the restricted content only for the specific number of days that the administrator of the RMS server determines.

    For a default RMS installation, a standard account certificate is valid for 365 days. The administrator can set this validity period from zero days to 9,999 days (or more than 27 years). For example, standard account certificates that you can download from the Microsoft Passport Account Certification Service are valid for 180 days.
  • Temporary
    You can use a temporary account certificate to view restricted content on a specific computer. You can view the restricted content only for the specific number of minutes that the administrator of the RMS server determines.

    For a default RMS installation, a temporary account certificate is valid for 15 minutes. The administrator can set this validity period from zero minutes to 9,999 minutes (or almost seven days). For example, temporary account certificates that you can download from the Microsoft Passport Account Certification Service are valid for 15 minutes. Each user account can have only one active temporary account certificate from a particular RMS server at a time.

Copy the license information to a new file

To determine the type and the validity period of an RMS account certificate, you must parse the data that contains the license information. Each RMS account certificate is signed with an encrypted hash of this data. Therefore, if you want to continue to use the data, do not change the data.

RMS uses eXtensible rights Markup Language (XrML) to create account certificates. XrML is a specialized version of Extensible Markup Language (XML) that you can use with rights expression applications. Account certificates contain multiple XrML documents. Therefore, account certificates are incompatible with standard XML editing tools. To view license information, extract the data that contains this information, and then save this data as an XML file. You can then read the file in the Windows XML Editor that is included with Microsoft Internet Explorer.

Note Except for the document that contains license information, the XrML documents establish the certificate chain of the RMS server that grants an RMS account certificate to a user account.

To parse the XrML data that contains the license information, follow these steps:
  1. Use a text editor (such as Notepad) to open the RMS account certificate for editing.

    This certificate exists in the RMS certificate store on your computer. The RMS certificate store is located in the following folder:

    %USERPROFILE%\Local Settings\Application Data\Microsoft\DRM

    Note RMS account certificates are identified by the three-letter prefix, GIC, that precedes the user name and the GUID values. The RMS certificate store also contains End User Licenses (EULs) and Client Licensor Certificates (CLCs).
  2. Locate the first occurrence of the <XrML> element.
  3. Copy all the data between this <XrML> element and the corresponding </XrML> element to a new document.
  4. Add an <XrML> element at the beginning of the new document.
  5. Add an </XrML> element at the end of the new document.
  6. Save this document as an XML document that is named Temp.xml.

Determine the type and the validity period of an RMS account certificate

  1. To determine the type of your RMS account certificate, follow these steps:
    1. Open the Temp.xml document, and then find the <ISSUEDPRINCIPALS> section.
    2. Notice the value of the value attribute for the <SECURITYLEVEL> element.
      • A Persistent value denotes a standard account certificate.
      • A Temporary value denotes a temporary account certificate.
    For example, the following <SECURITYLEVEL> element denotes a standard account certificate:
    <SECURITYLEVEL name="Group-Identity-Credential-Type" value="Persistent" />
    Note RMS account certificates were formerly named Group Identity Credentials. Microsoft changed this name to reflect the usage of certificates. However, the RMS client Software Development Kit (SDK) and the XrML data in the certificates still use the original name of Group Identity Credentials.
  2. To determine the validity of the RMS account certificate, check the contents of the <VALIDITYTIME> element.

    For example, the following <VALIDITYTIME> element denotes an RMS account certificate that is valid from 21:00 on December 15, 2003, to 21:00 on December 15, 2004:
    <VALIDITYTIME>
    <FROM>2003-12-15T21:00</FROM> 
    <UNTIL>2004-12-15T21:00</UNTIL> 
    </VALIDITYTIME>
    

Modification Type: Major
Last Reviewed: 12/17/2003
Keywords:kbXML kbCertServices kbHOWTOmaster KB832950 kbAudDeveloper