Accessing RMS protected mails when you have 2 Profiles in Outlook (for Different mailboxes)
A Typical Situation in case of Public Sector organization is that the top management personnel has 2 mailboxes and AD accounts i.e. One AD account and mailbox is as end-user and other account is for the role the person is in.
For example – if Amol is Asst. GM in a organization, then there could be 2 accounts for Amol to work on -
- one is Amol AD account and mailbox…for Amol as an individual.
- Second is AGM AD account and mailbox….for AGM role/position. This account would be provided to next person would comes on this role when I get transfer or promoted to different position.
Usually, AGM account would be used by secretaries for scheduling and filtering the information and passing on to their respective superiors. Where the Amol account would be used by Amol without any delegation…
In order to cut down the requirement to log off and log on to access different mailboxes, IT usually configures Outlook profiles for both mailboxes and select prompt option so that the user is prompt which mailbox to use when opening outlook. This allows the high post individuals to swap between mailboxes without having to log-off and log-on to AD with different accounts.
RMS issues
The above scenario does not work seamlessly for RMS. As RMS uses AD credentials when CLC and EUL are created based on who the user is logged on as.
That is, when I logon as AMOL to the desktop using domain authentication, and open Outlook using AMOL profile (personal mailbox), I would be able to open the mails which are RMS protected easily as CLC and EUL would be downloaded for AD account AMOL.
When I switch the mailbox to AGM…and try to open the RMS protected mail, I would not be able to open the message and would encounter “unexpected error”. This would not be work as CLC/EUL would be still in AMOL’s name and the mail would not have assigned access to AMOL rather would have assigned access to AGM account based on role.
This means the user would have to log off from AMOL’s account and logon to AGM account and then access the RMS protected mail. This would not be an acceptable solution from the end-user perspective.
The challenge is how do we enable the user to access the RMS protected mails when they switch from one profile to another.
Solution
- Since the user is logs on with one AD account and needs to access mails that are intended for another AD user, it is important that the user be prompted for authentication again. So that the appropriate credentials be put in.
- So, in the Internet Explorer => Options => Security Tab, remove RMS URL from the Intranet or Trusted Zone. This would enable RMS to prompt users for credentials.
- When the user authenticates to RMS, the CLC and EUL is generated. If user swaps the Outlook profile and tries to access RMS protected mail for another AD account, the CLC and EUL would be checked and credentials would clash with them. Hence there would be error opening the mail.
- So we need to clear the DRM folder.
- Create a batch file with following command =>
del %userprofile%\AppData\Local\Microsoft\DRM\* /F /Q
echo “cache cleared….you are set to go”
- User needs to be run this batch file so that all the certificates are cleared. When user opens personal mailbox and tries to access RMS protected mail – he/she would be prompted for AD credentials. He/She needs to enter their individual AD account.
- When the user swaps the Outlook profile to position based mailbox, they need to run the batch file again.
The solution works well…only additional step of running the batch file is involved when swapping between Outlook profile.