When a user obtains or renews an RAC, a Machine Certificate accompanies the RAC request. Machine Certificates, which are assigned to users, contain the RMS Client's public key. RMS uses Data Protection API (DPAPI) to store the corresponding private key. An RAC contains a user's public/private key pair, which is generated on the RMS Certification Server and signed using the RMS Certification Server's private key. The user's private key is encrypted with the public key from the Machine Certificate. For this reason, users have an RAC on every machine on which they use RMS. When an RMS Server issues a CLC to a user, the CLC contains the issuing RMS Server's public key, which is the same as the public key in its SLC, and the Intranet and Extranet Cluster's URLs.

When content is protected with a CLC, the RMS Server generates a random symmetric key and encrypts the content with it. The symmetric key is encrypted with the RMS Server's public key from the CLC and written to the PL along with the RMS Server's Cluster URLs (also from the CLC). When an RMS Client requests an EUL, it sends the user's RAC and PL to the RMS Server that is identified by the URLs in the PL (the RMS Client tries the Intranet Cluster URL first, then the Extranet Cluster URL). When the RMS Licensing Server receives the request, it validates the RAC by checking the signature and making sure the user identified by the RAC is named in the PL or is a member of a group named in the PL. If the user is granted rights to the content, the RMS Licensing Server uses its private key to decrypt the symmetric key in the PL, then re-encrypts the key using the user's public key from the RAC before the server writes the key in the EUL (along with the rights granted to the user). The RMS Server returns the EUL to the RMS Client. The RMS Client uses the machine private key to decrypt the user's private key from the RAC. The RMS Client uses the user's private key to decrypt the symmetric key in the EUL. The RMS Client can use the symmetric key to decrypt the rights-protected content. The content is then available to the RMS-aware application, and the rights afforded to the user are enforced by the RMS-aware application.