locked
Why?: Do you want to open it using a different set of credentials? RRS feed

  • Question

  • Hi,

    I have setup a test server with AD RMS installed and configured. I have setup a few templates each with different restrictions, which are being deployed correctly to clients by SCP lookup. 

    On TestPC1 (Windows 10, with Office 2016). I create a new document, and assign a template which gives full control to user abc@domain.com. 

    On TestPC2 (Windows 10, with Office 2010 Standard) I am logged in as user abc@domain.com, which matches the user defined in the template. When I try to open the protected document I get

    You do not have credentials that allow you to open this document. Do you want to open it using a different set of credentials?

    If I click Yes, I get the message below (the redacted email address is abc@domain.com

    If I just click OK, I get

    The redacted address is the correct URL for my AD RMS cluster. I am intentionally not using HTTPS/SSL for this test setup.

    If I click OK, the document opens fine with all the expected permission restrictions (or in this case, full control).

    Why is Office 2010 prompting 3 boxes, whereas Office 2016 just opens the doc? Am I missing some hotfixes? All of our users are still on Office 2010 so this needs to be resolved. 

    Any suggestions?

    Thanks


    • Edited by Andrew S. James Wednesday, September 27, 2017 7:15 AM title change
    Tuesday, September 26, 2017 3:17 PM

Answers

  • I have answered my own question, sort of.

    I did not find an explanation for why this happens, only a work around.

    Working backwards, to remove the last message about Microsoft connecting to the URL to verify credentials you can add this registry key - make sure the value is "1". 

    To remove the 2nd message about confirming which account will be used, you can add this registry key (highlighted in red)

    The bit in yellow is my primary SMTP address.
    The bit in green is the name of my RMS server.

    I noticed the above key was created when I ticked the box "always use this account" on the 2nd message box. I recommend ticking this on a test PC to see the format of the created key so you can replicate for your environment.

    I intend to push these two keys out via login scripts or Group Policy. The 2nd registry key requires a bit of working out as I will need to query the primary SMTP address of the user first in order to put the correct value in this reg key.

    Wish me luck.

    Thursday, September 28, 2017 1:56 PM

All replies

  • I have answered my own question, sort of.

    I did not find an explanation for why this happens, only a work around.

    Working backwards, to remove the last message about Microsoft connecting to the URL to verify credentials you can add this registry key - make sure the value is "1". 

    To remove the 2nd message about confirming which account will be used, you can add this registry key (highlighted in red)

    The bit in yellow is my primary SMTP address.
    The bit in green is the name of my RMS server.

    I noticed the above key was created when I ticked the box "always use this account" on the 2nd message box. I recommend ticking this on a test PC to see the format of the created key so you can replicate for your environment.

    I intend to push these two keys out via login scripts or Group Policy. The 2nd registry key requires a bit of working out as I will need to query the primary SMTP address of the user first in order to put the correct value in this reg key.

    Wish me luck.

    Thursday, September 28, 2017 1:56 PM
  • I forgot to add...

    This page was helpful with finding the 1st registry key and contains other registry keys for changing the behaviour of RMS/IRM on Windows PC's

    https://technet.microsoft.com/en-us/library/cc179150(v=office.12).aspx


    Thursday, September 28, 2017 1:58 PM