Microsoft Office 16.0 Licensing!ctxlocalappdata! Microsoft Office 15.0 Licensing;
If the above steps did not resolve the issue, please contact Microsoft support for additional assistance with the Microsoft 365 Apps (O365) activation process. Review the following Microsoft site for additional information.
Solution 2 - ADFS (SSO) is.
Navigate to HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover. Add a new DWORD entry. Enter the name ExcludeExplicitO365Endpoint and a value of 1.
Note: To perform the steps above automatically, download and run the AutodiscoverFix.reg file.
Restart your computer. Recreate your Outlook profile. Open Outlook.
The information in this article is intended for administrators and IT Pros. For information about activating a personal copy of Office, see Activate Office.
Shared computer activation lets you deploy Microsoft 365 Apps to a computer in your organization that is accessed by multiple users. Here are some examples of supported scenarios:
Shared computer activation is required for scenarios where multiple users share the same computer and the users are logging in with their own account. Normally, users can install and activate Microsoft 365 Apps only on a limited number of devices, such as 5 PCs. Using Microsoft 365 Apps with shared computer activation enabled doesn't count against that limit. If your users have dedicated computers and no other users work on those computers, you use product key activation for Microsoft 365 Apps.
How to enable shared computer activation for Microsoft 365 Apps
To use shared computer activation, you need an Office 365 (or Microsoft 365) plan that includes Microsoft 365 Apps and also supports shared computer activation. Shared computer activation is available for the following:
Note
Make sure you assign each user a license for Microsoft 365 Apps and that users log on to the shared computer with their own user account.
If you want to enable shared computer activation during the initial installation of Microsoft 365 Apps, you can instruct the Office Deployment Tool to do so during installation.
If Microsoft 365 Apps is already installed and you want to enable shared computer activation, there are three options to choose from. A re-installation is not required. The device must be rebooted in order to apply the change.
After Microsoft 365 Apps is installed, you can verify that shared computer activation is enabled on that computer.
How shared computer activation works for Microsoft 365 Apps
Here's what happens after Microsoft 365 Apps is installed on a computer that has shared computer activation enabled.
These steps are repeated for each user who logs on to the shared computer. Each user gets a unique licensing token. Just because one user activates Microsoft 365 Apps on the computer doesn't mean Microsoft 365 Apps is activated for all other users who log on to the computer.
If a user goes to another computer that also is enabled for shared computer activation, the same steps occur. There is a different licensing token for each computer that the user logs on to.
If a user logs on to a shared computer again, Microsoft 365 Apps uses the same licensing token, if it is still valid.
Additional details about shared computer activation for Microsoft 365 Apps
Licensing token renewal
The licensing token that is stored on the shared computer is valid only for 30 days. As the expiration date for the licensing token nears, Microsoft 365 Apps automatically attempts to renew the licensing token when the user is logged on to the computer and using Microsoft 365 Apps.
If the user doesn't log on to the shared computer for 30 days, the licensing token can expire. The next time that the user tries to use Microsoft 365 Apps, Microsoft 365 Apps contacts the Office Licensing Service on the internet to get a new licensing token.
Internet connectivity
Because the shared computer has to contact the Office Licensing Service on the internet to obtain or renew a licensing token, reliable connectivity between the shared computer and the internet is necessary.
Reduced functionality mode
If the user is not licensed for Microsoft 365 Apps, or if the user closed the Activate Office dialog box, no licensing token is obtained and Microsoft 365 Apps isn't activated. Microsoft 365 Apps is now in reduced functionality mode. This means that the user can view and print Office documents, but can't create or edit documents. The user also sees a message in the Office program that most features are turned off.
Activation limits
Normally, users can install and activate Microsoft 365 Apps only on a limited number of devices, such as 5 PCs. Using Microsoft 365 Apps with shared computer activation enabled doesn't count against that limit.
Microsoft allows a single user to activate Microsoft 365 Apps on a reasonable number of shared computers in a given time period. The user gets an error message in the unlikely event the limit is exceeded.
Single sign-on recommended
The use of single sign-on (SSO) is recommended to reduce how often users are prompted to sign in for activation. With single sign-on configured, Microsoft 365 Apps is activated using the user credentials that the user provides to sign in to Windows, as long as the user has been assigned a license for Microsoft 365 Apps. For more information, see Microsoft 365 identity models and Azure Active Directory.
If you don't use single sign-on, you should consider using roaming profiles and include the %localappdata%\Microsoft\Office\16.0\Licensing folder as part of the roaming profile.
Licensing token roaming
Starting with Version 1704 of Microsoft 365 Apps, you can configure the licensing token to roam with the user's profile or be located on a shared folder on the network. Previously, the licensing token was always saved to a specific folder on the local computer and was associated with that specific computer. In those cases, if the user signed in to a different computer, the user would be prompted to activate Microsoft 365 Apps on that computer in order to get a new licensing token. The ability to roam the licensing token is especially helpful for non-persistent VDI scenarios.
To configure licensing token roaming, you can use either the Office Deployment Tool or Group Policy, or you can use Registry Editor to edit the registry. Whichever method you choose, you need to provide a folder location that is unique to the user. The folder location can either be part of the user's roaming profile or a shared folder on the network. Microsoft 365 Apps needs to be able to write to that folder location. If you're using a shared folder on the network, be aware that network latency problems can adversely impact the time it takes to open Office programs. The location is only needed if you prefer to not use the default location, which is %localappdata%\Microsoft\Office\16.0\Licensing.
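The verification and token-roaming settings described above can be checked from PowerShell. This is an added example, not part of the original article: the registry key paths and the value names SharedComputerLicensing, SCLCacheOverride and SCLCacheOverrideDirectory do not appear on this page and are the ones Microsoft documents for shared computer activation. Using a token file's last write time as its issue time is an assumption.

```powershell
# Added example: report shared computer activation (SCA) state for the current user.
function Get-SharedActivationState {
    param(
        [int]$TokenLifetimeDays = 30,   # token validity stated in the article
        [string]$DefaultTokenDir = (Join-Path $env:LOCALAPPDATA 'Microsoft\Office\16.0\Licensing')
    )
    # Group Policy location first, then the Click-to-Run configuration
    # (key paths are not listed on this page).
    $keys = 'HKLM:\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Licensing',
            'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'

    # Return the first non-empty value of $Name found under the keys above.
    $read = {
        param($Name)
        foreach ($k in $keys) {
            $v = (Get-ItemProperty -Path $k -Name $Name -ErrorAction SilentlyContinue).$Name
            if ($null -ne $v -and "$v" -ne '') { return "$v" }
        }
    }

    $enabled  = (& $read 'SharedComputerLicensing') -eq '1'
    $roaming  = (& $read 'SCLCacheOverride') -eq '1'
    $override = & $read 'SCLCacheOverrideDirectory'
    $tokenDir = if ($roaming -and $override) {
        [Environment]::ExpandEnvironmentVariables($override)
    } else { $DefaultTokenDir }

    $now = Get-Date
    $tokens = @(Get-ChildItem -Path $tokenDir -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumption: last write time approximates when the token was issued.
            $age = [int][math]::Floor(($now - $_.LastWriteTime).TotalDays)
            [pscustomobject]@{
                File         = $_.Name
                AgeDays      = $age
                PastLifetime = $age -ge $TokenLifetimeDays
            }
        })

    [pscustomobject]@{
        SharedActivationEnabled = $enabled
        TokenRoamingConfigured  = $roaming
        TokenDirectory          = $tokenDir
        Tokens                  = $tokens
    }
}

Get-SharedActivationState | Format-List
```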
Note
Office 365 ProPlus is being renamed to Microsoft 365 Apps for enterprise. For more information about this change, read this blog post.
Important
This article contains information that shows you how to help lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect the computer.
Problem
A federated user is repeatedly prompted for credentials when the user tries to authenticate to the Active Directory Federation Services (AD FS) service endpoint during sign-in to a Microsoft cloud service such as Office 365, Microsoft Azure, or Microsoft Intune. When the user cancels, the user receives the Access Denied error message.
Cause
The symptom indicates an issue with Windows Integrated authentication with AD FS. This issue can occur if one or more of the following conditions are true:
Before you start troubleshooting
Check that the user name and password are not the cause of the issue.
Verify the cause
To check that Kerberos problems are causing the issue, temporarily bypass Kerberos authentication by enabling forms-based authentication on the AD FS federation server farm. To do this, follow these steps:
Step 1: Edit the web.config file on each server in the AD FS federation server farm
Step 2: Test AD FS functionality
Solution
To resolve the Kerberos issue that limits AD FS authentication, use one or more of the following methods, as appropriate for the situation.
Resolution 1: Reset AD FS authentication settings to the default values
If AD FS IIS authentication settings are incorrect, or IIS authentication settings for AD FS Federation Services and Proxy Services don't match, one solution is to reset all IIS authentication settings to the default AD FS settings.
The default authentication settings are listed in the following table.
On each AD FS federation server and on each AD FS federation server proxy, use the information in the following Microsoft TechNet article to reset the AD FS IIS virtual applications to the default authentication settings:
For more information about how to resolve this error, see the following Microsoft Knowledge Base articles:
Resolution 2: Correct the AD FS federation server farm SPN
Note
Try this resolution only when AD FS is implemented as a federation server farm. Do not try this resolution in an AD FS stand-alone configuration.
To resolve the issue if the SPN for the AD FS service is lost or corrupted on the AD FS service account, follow these steps on one server in the AD FS federation server farm:
Resolution 3: Resolve Extended Protection for Authentication concerns
To resolve the issue if Extended Protection for Authentication prevents successful authentication, use one of the following recommended methods:
If you can't use any of these methods, to work around this issue, Extended Protection for Authentication can be disabled for passive and active clients.
Workaround: Disable Extended Protection for Authentication
Warning
We do not recommend that you use this procedure as a long-term solution. Disabling Extended Protection for Authentication weakens the AD FS service security profile by not detecting certain man-in-the-middle attacks on Integrated Windows Authentication endpoints.
Note
When this workaround is applied for third-party application functionality, you should also uninstall hotfixes on the client operating system for Extended Protection for Authentication.
For passive clients
To disable Extended Protection for Authentication for passive clients, perform the following procedure for the following IIS virtual applications on all servers in the AD FS federation server farm:
To do this, follow these steps:
For active clients
To disable Extended Protection for Authentication for active clients, perform the following procedure on the primary AD FS server:
Re-enable Extended Protection for Authentication
For passive clients
To re-enable Extended Protection for Authentication for passive clients, perform the following procedure for the following IIS virtual applications on all servers in the AD FS federation server farm:
To do this, follow these steps:
For active clients
To re-enable Extended Protection for Authentication for active clients, perform the following procedure on the primary AD FS server:
Resolution 4: Replace CNAME records with A records for AD FS
Use DNS management tools to replace each DNS Alias (CNAME) record that's used for the federation service with a DNS address (A) record. Also, check or consider corporate DNS settings when a split-brain DNS configuration is implemented. For more information about how to manage DNS records, see Managing DNS Records.
Resolution 5: Set up Internet Explorer as an AD FS client for single sign-on (SSO)
For more information about how to set up Internet Explorer for AD FS access, see A federated user is prompted unexpectedly to enter work or school account credentials.
More information
To help protect a network, AD FS uses Extended Protection for Authentication. Extended Protection for Authentication can help prevent man-in-the-middle attacks in which an attacker intercepts a client's credentials and forwards them to a server. Protection against such attacks is made possible by using Channel Binding Tokens (CBT). CBT can be required, allowed, or not required by the server when communications are established with clients.
The ExtendedProtectionTokenCheck AD FS setting specifies the level of extended protection for authentication that's supported by the federation server. These are the available values for this setting:
The following tables describe how authentication operates for three operating systems and browsers, depending on the different Extended Protection options that are available on AD FS with IIS.
Note
Windows client operating systems must have specific updates that are installed to effectively use Extended Protection features. By default, the features are enabled in AD FS.
By default, Windows 7 includes the appropriate binaries to use Extended Protection.
Windows 7 (or appropriately updated versions of Windows Vista or of Windows XP)
Windows Vista without appropriate updates
Windows XP without appropriate updates
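Because the workaround above is meant to be temporary, it helps to audit the ExtendedProtectionTokenCheck setting afterwards. The following is an added example, not part of the original article: it assumes the setting takes the values Require, Allow and None, with Allow as the default, and that it is run in an elevated session on the primary AD FS server where the AD FS cmdlets are available. The function name Get-EpaFinding is hypothetical.

```powershell
# Added example: audit the AD FS ExtendedProtectionTokenCheck setting.

function Get-EpaFinding {
    # Map a setting value to an audit result (pure function, no AD FS access).
    param([Parameter(Mandatory)][AllowEmptyString()][string]$TokenCheck)
    switch ($TokenCheck) {
        'Require' { $status = 'OK';      $detail = 'Extended protection is enforced for every client.' }
        'Allow'   { $status = 'OK';      $detail = 'Default: enforced for clients that support it.' }
        'None'    { $status = 'FAIL';    $detail = 'Extended protection is off; the workaround is still in place.' }
        default   { $status = 'UNKNOWN'; $detail = "Unexpected value '$TokenCheck'." }
    }
    [pscustomobject]@{
        ExtendedProtectionTokenCheck = $TokenCheck
        Status                       = $status
        Detail                       = $detail
    }
}

# AD FS 2.0 ships its cmdlets as a snap-in; later versions use the ADFS module.
if (-not (Get-Command Get-AdfsProperties -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
}

$value   = [string](Get-AdfsProperties).ExtendedProtectionTokenCheck
$finding = Get-EpaFinding -TokenCheck $value
$finding | Format-List

if ($finding.Status -eq 'FAIL') {
    # Only report; the operator decides when to revert the workaround.
    Write-Warning 'Re-enable with: Set-AdfsProperties -ExtendedProtectionTokenCheck Allow'
}
```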
For more information about Extended Protection for Authentication, see the following Microsoft resource:
For more information about the Set-ADFSProperties cmdlet, go to the following Microsoft website:
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.