AD RMS: Machine activation. Independent process.

Hello everybody.

What happens when an end user opens a protected document or e-mail, and what happens when an end user creates a protected document? I think each of you has noticed a delay the first time you press the rights-protection button in an RMS-aware application (e.g. Outlook, Word). So something is happening in the background; let's look at RMS activation in more detail. Throughout this article I will use Windows 7 as the end-user operating system and Windows Server 2008 R2 as the RMS platform. Why do I stress this? Because there are some differences in this process between operating system versions, both on the client and on the server side.

1. As usual, the client generates a key pair: a public and a private key (green and red respectively). The key length is 1024 bits (RSA), and this parameter is not configurable. These keys are not used for document encryption, so 1024 bits is more than enough. On the AD RMS client, secproc.dll is the library responsible for the machine activation process ("The client lockbox for the Production hierarchy"). So if activation does not happen, check that this file is:

  • available;
  • not corrupted and not substituted with another *.dll file.

By the way, don't delete it. This file is part of the operating system installation (it does not come from the SDK).

2. Using DPAPI (see below), the client encrypts the private key so that it is tied to the user's password.

"The Data Protection API (DPAPI) helps to protect data in Windows 2000 and later operating systems. DPAPI is used to help protect private keys, stored credentials (in Windows XP and later), and other confidential information that the operating system or a program wants to keep confidential.

DPAPI is not responsible for storing the confidential information it protects. It is only responsible for encrypting and decrypting data for programs that call it, such as Windows Credential manager, the Private Key storage mechanism, or any third-party programs ..."
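To see what step 2 means in practice, here is an added example (not code from the original post) that round-trips some constructed sample bytes through DPAPI in the CurrentUser scope, the scope in which a blob can only be unprotected under the same user's logon. The sample bytes stand in for private-key material; the function names are my own.

```powershell
# Added example, not from the original post: DPAPI round-trip in CurrentUser scope.
# Requires Windows PowerShell; ProtectedData lives in the System.Security assembly.
Add-Type -AssemblyName System.Security

function Protect-WithDpapi {
    param([Parameter(Mandatory=$true)][byte[]]$Plain, [byte[]]$Entropy = $null)
    # CurrentUser scope: the master key is derived from the user's logon password,
    # so the blob is unusable for other users or on other machines.
    [System.Security.Cryptography.ProtectedData]::Protect($Plain, $Entropy, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
}

function Unprotect-WithDpapi {
    param([Parameter(Mandatory=$true)][byte[]]$Blob, [byte[]]$Entropy = $null)
    [System.Security.Cryptography.ProtectedData]::Unprotect($Blob, $Entropy, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
}

function Show-DpapiBinding {
    # Constructed sample bytes standing in for private-key material (not a real key).
    $secret = [System.Text.Encoding]::UTF8.GetBytes('constructed-sample-key-material')
    $blob   = Protect-WithDpapi -Plain $secret
    "Plaintext {0} bytes -> DPAPI blob {1} bytes (header, provider GUID, ciphertext, MAC)" -f $secret.Length, $blob.Length

    # Same user logon: unprotect succeeds and returns the original bytes.
    $back = Unprotect-WithDpapi -Blob $blob
    if ([Convert]::ToBase64String($secret) -eq [Convert]::ToBase64String($back)) {
        'Round trip OK under the same user logon'
    }

    # Integrity: flipping one bit of the blob (here in the trailing MAC) is rejected.
    $tampered = [byte[]]$blob.Clone()
    $tampered[-1] = $tampered[-1] -bxor 1
    try {
        $null = Unprotect-WithDpapi -Blob $tampered
        'UNEXPECTED: tampered blob was accepted'
    } catch {
        'Tampered blob rejected: ' + $_.Exception.Message
    }

    # Entropy binding: entropy that was not supplied at Protect time is rejected too.
    try {
        $null = Unprotect-WithDpapi -Blob $blob -Entropy ([System.Text.Encoding]::UTF8.GetBytes('wrong'))
        'UNEXPECTED: wrong entropy was accepted'
    } catch {
        'Wrong entropy rejected: ' + $_.Exception.Message
    }
}

Show-DpapiBinding
```

Run it as the interactive user, then run it again under a different account (or copy the blob to another machine) to confirm that the unprotect step fails there; that is exactly why the RMS private key stored under the uDRM key does not travel with the file.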

3. The client stores the result as a BLOB in the following registry key: HKCU\Software\Classes\Local Settings\Software\Microsoft\uDRM

4. The client issues a Security Processor Certificate (SPC) for this key pair and signs it with its own key. Done. We have a self-signed certificate 🙂

5. The final result is the CERT-Machine.drm file in the following location: %LocalAppData%\Microsoft\DRM\CERT-Machine.drm

“Each certificate typically contains the following elements:

  • The issuance date and time.
  • A certificate type ID and name.
  • The name and ID of the issuer.
  • The location from which the certificate was retrieved.
  • The principal ID, public key, digest and security processor.
  • A signature created by using the private key of the AD RMS activation service.
  • A certificate chain that contains the server licensor certificate and one or more CA certificates.”

Client Bootstrapping


TIP1: on your computer you can easily find the file rmactivation.exe; it "Retrieves a machine certificate that signs the computer into the Production hierarchy." This is a way to perform RMS activation without involving end-user applications (Word, Excel, etc.). I recommend using this executable when you want to take the RMS-aware application out of the activation process. Just delete the CERT-Machine.drm file from the target folder (if it exists) and run rmactivation.exe. A new CERT-Machine.drm file should be created in the folder; otherwise... you have a problem. I have even seen situations where the OS had to be reinstalled because RMS activation kept failing. In practice it depends on how much time you are ready to devote to solving the problem.

TIP2: I stress that this process is fully autonomous and does not require a connection to the RMS server or to any other server in your environment. If you know what happens during client activation (and hopefully after reading this article you do), this should be clear.
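The following added script (my own, not from the original post) turns steps 1-5 and TIP1 into a health check you can run on a Windows 7 client: it verifies that secproc.dll is present and still carries a valid Authenticode signature, that the uDRM registry key and CERT-Machine.drm exist, and optionally repeats the TIP1 procedure of deleting CERT-Machine.drm and letting rmactivation.exe recreate it. The registry key and the CERT-Machine.drm path are the ones given above; the System32 locations of secproc.dll and rmactivation.exe, the expectation that the .drm file parses as XrML, and the assumption that rmactivation.exe runs unattended are mine.

```powershell
# Added example, not from the original post. Assumed: secproc.dll and rmactivation.exe
# live in System32; CERT-Machine.drm is an XrML (XML) document. Needs PowerShell 4+
# for Get-FileHash; drop that line on older builds.
function Test-RmsMachineActivation {
    [CmdletBinding()]
    param(
        [string]$Lockbox     = (Join-Path $env:windir 'System32\secproc.dll'),          # assumed location
        [string]$MachineCert = (Join-Path $env:LOCALAPPDATA 'Microsoft\DRM\CERT-Machine.drm'),
        [string]$DrmKey      = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\uDRM'
    )
    $r = [ordered]@{ Computer = $env:COMPUTERNAME; User = $env:USERNAME }

    # Step 1: the lockbox must exist and must still be the Microsoft-signed binary
    # (detects a corrupted or substituted secproc.dll).
    $r.LockboxPresent = Test-Path -LiteralPath $Lockbox
    if ($r.LockboxPresent) {
        $sig = Get-AuthenticodeSignature -FilePath $Lockbox
        $r.LockboxSignature = $sig.Status                      # expect 'Valid'
        $r.LockboxSigner    = $sig.SignerCertificate.Subject   # expect a Microsoft subject
        $r.LockboxSha256    = (Get-FileHash -LiteralPath $Lockbox -Algorithm SHA256).Hash
    }

    # Steps 2-3: the DPAPI-protected key blob is stored under uDRM. It is opaque,
    # so we only confirm the key exists and carries data.
    $r.DrmKeyPresent = Test-Path -LiteralPath $DrmKey
    if ($r.DrmKeyPresent) {
        $key = Get-Item -LiteralPath $DrmKey
        $r.DrmKeyValues  = $key.ValueCount
        $r.DrmKeySubKeys = $key.SubKeyCount
    }

    # Steps 4-5: the self-signed SPC is written out as CERT-Machine.drm.
    $r.MachineCertPresent = Test-Path -LiteralPath $MachineCert
    if ($r.MachineCertPresent) {
        $f = Get-Item -LiteralPath $MachineCert
        $r.MachineCertBytes   = $f.Length
        $r.MachineCertWritten = $f.LastWriteTime
        try {
            $xml = [xml](Get-Content -LiteralPath $MachineCert -Raw)
            $r.MachineCertRoot = $xml.DocumentElement.Name      # assumption: 'XrML'
        } catch {
            $r.MachineCertRoot = "not parseable as XML: $($_.Exception.Message)"
        }
    }

    $r.Activated = [bool]($r.LockboxPresent -and $r.DrmKeyPresent -and $r.MachineCertPresent)
    [pscustomobject]$r
}

function Invoke-RmsReactivation {
    # TIP1: remove CERT-Machine.drm and let rmactivation.exe recreate it. No RMS-aware
    # application and no server is involved (TIP2), so this is safe to run offline.
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [string]$MachineCert = (Join-Path $env:LOCALAPPDATA 'Microsoft\DRM\CERT-Machine.drm'),
        [string]$Activator   = (Join-Path $env:windir 'System32\rmactivation.exe')    # assumed location
    )
    if (-not (Test-Path -LiteralPath $Activator)) { throw "rmactivation.exe not found at $Activator" }

    if ((Test-Path -LiteralPath $MachineCert) -and $PSCmdlet.ShouldProcess($MachineCert, 'Delete')) {
        Remove-Item -LiteralPath $MachineCert -Force
    }
    if ($PSCmdlet.ShouldProcess($Activator, 'Run machine activation')) {
        $p = Start-Process -FilePath $Activator -Wait -PassThru
        "rmactivation.exe exit code: $($p.ExitCode)"
    }
    # A fresh CERT-Machine.drm is the success signal the post describes.
    Test-RmsMachineActivation -MachineCert $MachineCert
}

# Report the current state; add "Invoke-RmsReactivation -WhatIf" to preview the TIP1 steps.
Test-RmsMachineActivation | Format-List
```

Run the check as the affected user, because both the uDRM key (HKCU) and CERT-Machine.drm (%LocalAppData%) are per-user. A lockbox whose signature status is anything other than Valid, or whose subject is not Microsoft's, is the "corrupted or substituted dll" case from step 1 and should be treated as an integrity incident rather than an activation hiccup.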

Good luck.

2 comments on "AD RMS: Machine activation. Independent process."

  1. Hello, and very, very many thanks for your posts about AD RMS; an excellent concept that I couldn't find like this anywhere.
    There are no other documents like this, in such detail and so technical.
    Very, very many thanks.

  2. Hello, thanks for the post. Very helpful.

    I am getting the error below on an Exchange Server with the RMS Connector. I assume this is because of the SPC cert. What are your suggestions?

    – FAIL: Failed to acquire a Rights Account Certificate (RAC) and/or a Client Licensor Certificate (CLC). This failure may cause features such as Transport Decryption, Transport
    Protection Rules, Journal Report Decryption, IRM in Outlook Web App, IRM in Exchange ActiveSync, and IRM Search to not work. Make sure that the Exchange Servers Group is granted “Read”
    and “Read & Execute” rights on the ServerCertification.asmx and Publish.asmx pipelines on your AD RMS server. For details, see “Set Permissions on the AD RMS Certification Pipeline” at
    Microsoft.Exchange.Security.RightsManagement.RightsManagementException: Failed to acquire server box RAC from —> System.Web.Services.Protocols.SoapException: Exception of type
    ‘System.Web.Services.Protocols.SoapException’ was thrown. —> Microsoft.DigitalRightsManagement.Core.VerifyMachineCertificateChainFailedException: —> Exception of type
    ‘Microsoft.DigitalRightsManagement.Core.VerifyMachineCertificateChainFailedException’ was thrown.
    at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
    at System.Web.Services.Protocols.SoapHttpClientProtocol.EndInvoke(IAsyncResult asyncResult)
    at Microsoft.Exchange.Security.RightsManagement.SOAP.ServerCertification.ServerCertificationWS.EndCertify(IAsyncResult asyncResult)
    at Microsoft.Exchange.Security.RightsManagement.ServerCertificationWSManager.EndAcquireRac(IAsyncResult asyncResult)
    — End of inner exception stack trace —
    at Microsoft.Exchange.Data.Storage.RightsManagement.RmsClientManager.EndAcquireInternalOrganizationRACAndCLC(IAsyncResult asyncResult)
    at Microsoft.Exchange.Management.RightsManagement.IRMConfigurationValidator.TryGetRacAndClc()
