AD RMS Information: Office 2011 for Mac and Credential Prompts
The first time an Office for Mac 2011 client attempts to create/consume IRM protected content two credential prompts are encountered. What these prompts are asking for an why serve two purposes.
When a properly configured* Windows client first interacts with a properly configured** AD RMS server no prompts are received. Is there a way to suppress all these prompts on an Office 2011 for Mac client? The answer is sort of. You can't prevent all the prompts, but after an inital few they may be suppressed.
As an aside, it is my opinion that even though a Mac client may be "joined" to a Microsoft Active Directory domain, it is not the same as a Windows native client joined to the domain. Hence the differences in behavior between the two client types.
Back to the two prompts. In the sample screen shots below Microsoft Word from Office 2011 for Mac was used.
The first prompt asks for your "fully qualified network user name and password." The suggested format is "someone@domain.corp.example.com." This appear to be asking for the user UPN (more on that below).
The second prompt is asking for credentials for the RMS URL being accessed. These credentials are in the "DOMAIN\username" format. (Note the "Save password in my Mac OS keychain" check box).
The first prompt appears to have two purposes. We are locating the user in AD so we may locate the RMS server (from AD). Thus we allow RMS to know the credentials the user wishes to use and the client may discover the RMS server. The second authenticates the user to the RMS server. when obtaining a license.
The "fully qualified network user name and password" prompt is the problematic one, in my limited exposure to these calls. What is this prompt looking for? Folks enter email addresses (sometimes this works) and others try the DOMAIN\User format but that fails. It looks like ""fully qualified network user name and password" is Mac-speak for user principal name (UPN). In active directory users have a UPN. The UPN is in an email format - user@... However the UPN may not be the same as the user email address.
By default the UPN is the fully qualified domain name of the domain where the user account resides. My UPN was steve@usa.corp.contoso.com. My email address is steve@contoso.com. If I had entered steve@contoso.com in that first prompt it would fail. The prompt wanted my UPN, the not so friendly steve@usa.corp.contoso.com. This works. The administrators of Contoso added a UPN suffix of @contoso.com to active directory. Then they changed my UPN to steve@contoso.com. Now my UPN is the same as my email address.
The second prompt, the DOMAIN\username credential prompt, is authenticating to the RMS server. Most users do not have a problem with entering the correct information here. There are some caveats though.
- You must check the "Save password in my Mac OS keychain" box or you'll be continually prompted to enter credentials and not progress further.
- Once saved there may be a prompt to access the keychain credential. In this case there is an option to always allow the application access to this credential. I'll get a screenshot of this when I can.
*A properly configured Windows client has the RMS URL(s) in the "local intranet" site settings in Internet Explorer.
**A properly configured RMS server has, among other things, only Windows authentication enabled in IIS for the site.