Unsolved AD RMS 70-742

---

I just want to make sure I understand correctly. on episode "Implementing and Administering AD RMS Part 2" of the 70-742 course.

there are 9 steps that are used to describe the process of how AD RMS works. I just want to make sure I'm understanding correctly.

The reason it is possible for a recipient of a protected document to view it is because the AD RMS server distributes the author's public key (sent to the AD RMS sever in step 5 by the authors client) to the recipient? therefore the recipient is able to decryt pt the protected document.

Rosalio,

Good evening, I hope all is well. Short answer is "Yes", but it is the RECIPIENT'S Public Key that is used. All 9 steps I discuss and enumerate in the episode are listed below for reference:

How AD RMS works - AD RMS works as follows:

1. The first time an author configures rights protection for a document, a client
   licensor certificate is requested from the AD RMS server. A client locates the
   AD RMS server by using the service connection point in AD DS.

2. The server then issues a client licensor certificate to the client, unless
   the client is on the exclusion list in AD RMS.

3. When the author receives the client licensor certificate from the AD RMS server,
   he or she can configure usage rights on the document. The author can perform the
   configuration either manually or by applying pre-created templates.

4. When the author configures usage rights, the AD RMS-enabled app encrypts the
   file with a symmetric key. A symmetric key is generated on the client device. When
   AD RMS protection is applied to the document, the document is actually in an
   encrypted state.

5. This symmetric key is then encrypted by using the public key of the AD RMS
   server that the author is using. This encrypted symmetric key is distributed to
   the AD RMS server and stored on it. Because it is encrypted with the server’s
   public key, it can be decrypted only by using the server’s private key.

6. The author of the AD RMS-protected content distributes the file to the recipient.
   The recipient of the file opens it by using an AD RMS app or browser. It is not
   possible to open AD RMS-protected content unless the app or browser supports
   AD RMS. If the recipient does not have an account certificate on the current device,
   one is issued to the user at this point. The app or browser transmits a request
   to the author's AD RMS server for a use license.

7. The AD RMS server determines if the recipient is authorized. If the recipient
   is authorized, the AD RMS server issues a use license.

8. The AD RMS server then decrypts the symmetric key that was encrypted in step 5
   by using its private key.

9. The AD RMS server re-encrypts the symmetric key by using the recipient's public
   key and then adds the encrypted session key to the use license. The use license
   and the encrypted symmetric key are then distributed to the recipient. The recipient
   uses his or her private key to decrypt the symmetric key. After that, the symmetric
   key is used to decrypt AD RMS-protected content.

After review it all, please feel free to let me know if you have any questions, or need anything further.

Good luck !!

Cheers,

Adam

Makes sense thank you very much Adam!