Mitratech Success Center


MS Office Trust Center Settings

Issue

When PolicyHub has been implemented using single sign-on for user authentication, users might see the following message when trying to open Word documents from the PolicyHub system:

[Screenshot: the message displayed by Word]

The message appears because Word detects the PolicyHub authentication as Forms-Based authentication, which is partially true but not completely accurate.

PolicyHub uses WebDAV to handle Word interaction. Because Word doesn’t support SSO authentication for WebDAV endpoints, PolicyHub uses a protocol called MS-OFBA, which is what Word uses for Forms-Based authentication:

https://docs.microsoft.com/en-us/openspecs/sharepoint_protocols/ms-ofba/30c7bbe9-b284-421f-b866-4e7ed4866027
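
Before a host is allowed to show sign-in prompts, an administrator can check where its MS-OFBA challenge actually sends Word. The following is an added example, not PolicyHub or Mitratech code: the two header names and the 403 status come from the MS-OFBA specification linked above, while the host names, URL paths and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Response headers defined by the MS-OFBA specification (not by this article).
REQUIRED = "x-forms_based_auth_required"      # URL of the sign-in page
RETURN_URL = "x-forms_based_auth_return_url"  # URL that signals a completed sign-in

def ofba_challenge(status, headers):
    """Return (sign_in_url, return_url) for an MS-OFBA challenge, else None."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if status != 403 or REQUIRED not in h or RETURN_URL not in h:
        return None
    return h[REQUIRED], h[RETURN_URL]

def review_challenge(status, headers, expected_hosts):
    """List what should be resolved before allowing this host's sign-in prompts."""
    challenge = ofba_challenge(status, headers)
    if challenge is None:
        return ["not an MS-OFBA challenge"]
    problems = []
    for label, url in zip(("sign-in", "return"), challenge):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            problems.append(f"{label} URL is not HTTPS: {url}")
        if host not in expected_hosts:
            problems.append(f"{label} URL host not expected: {host or '(none)'}")
    return problems

# Constructed sample responses; policyhub.example.com is a placeholder host.
EXPECTED = {"policyhub.example.com"}
GOOD = {
    "X-FORMS_BASED_AUTH_REQUIRED": "https://policyhub.example.com/sso/start",
    "X-FORMS_BASED_AUTH_RETURN_URL": "https://policyhub.example.com/sso/done",
}
BAD = dict(GOOD, **{"X-FORMS_BASED_AUTH_REQUIRED": "http://login.example.net/signin"})

if __name__ == "__main__":
    for name, hdrs in (("good", GOOD), ("bad", BAD)):
        print(name, review_challenge(403, hdrs, EXPECTED) or "ok")
```
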

Resolution

To stop this message from appearing, the PolicyHub URL needs to be whitelisted in the Form-based Sign-in section of the Trust Center.

If allowed, end users can unblock themselves by changing a security setting in Trust Center.

  • They can do so proactively by going to File > Options > Trust Center > Trust Center Settings > Form-based sign-in, or
  • They can wait until they have been prompted to open Trust Center via the warning dialog.

In the Trust Center > Form-based Sign-in panel, end users should:

  • Change “Block all sign-in prompts” to “Ask me what to do for each host”
  • Select “Save” in the lower right corner of the window.

The list of safe hosts will be auto-populated based on future end-user actions.

After a user makes this change in Trust Center, Office will not block future sign-in prompts. Instead, it will show a dialog similar to this:

If an end user clicks Yes at this step, two things happen:

  • Office will show the sign-in prompt immediately.
  • In the future, Office will provide sign-in prompts for this allowed host, which will be added to the list of “Hosts allowed to show sign-in prompts” in Trust Center > Form-based Sign-in.

For SSO scenarios, we don’t actually use Forms-Based authentication. Instead, we use the browser control (which would normally be used to show a login dialog) to process the SSO handshake. The authentication is still offloaded to the IdP in the usual way, and we then let the user through if it’s successful.

If you know, as an administrator, that your users should or should not be accessing content such as this, you can manage their access with a group policy:

  • Add a list of trusted locations by using a group policy. In this case, your users will be able to open documents from these locations without the warning.
