Delegate can read your AD RMS protected messages by using Outlook Web App in an Exchange Server 2010 environment

Applies to: Exchange Server 2010 Service Pack 3, Exchange Server 2010 Enterprise, Exchange Server 2010 Standard


Assume that you assign full access permissions to a delegate in a Microsoft Exchange Server 2010 environment. The delegate logs on to your mailbox by using Microsoft Outlook Web App. In this situation, the delegate can unexpectedly access your Active Directory Rights Management Services (AD RMS) protected messages.


This issue occurs because Outlook Web App lets a delegate view an RMS protected message from a mailbox if the logged-on delegate has full permissions on that mailbox.

Note: Delegates cannot view an RMS protected message in Outlook.


To resolve this issue, install the following update rollup:
2891587 Description of Update Rollup 3 for Exchange Server 2010 Service Pack 3
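
Because the behavior depends on a delegate holding full access permissions on the mailbox, an administrator can list which mailboxes have such delegates. The following is an added example, not part of the original Microsoft article: a PowerShell function for the Exchange Management Shell, in which the function name `Get-FullAccessDelegate`, its `ExcludeUser` parameter, and the output file name are hypothetical.

```powershell
# Added example (not from the original article). Run in the Exchange Management Shell.
# Lists explicitly assigned, non-deny FullAccess entries per mailbox, that is,
# the delegates who can open that mailbox in Outlook Web App.

function Get-FullAccessDelegate {
    param(
        # Hypothetical parameter: principals to leave out of the report.
        [string[]]$ExcludeUser = @('NT AUTHORITY\SELF')
    )

    # Collect mailboxes first. Nesting a second Exchange cmdlet inside a
    # streaming pipeline can fail in the Exchange 2010 remote shell with
    # "Pipelines cannot be executed concurrently".
    $mailboxes = @(Get-Mailbox -ResultSize Unlimited)

    foreach ($mbx in $mailboxes) {
        $entries = @(Get-MailboxPermission -Identity $mbx.Identity)

        foreach ($entry in $entries) {
            $user = $entry.User.ToString()

            # Keep only direct (not inherited) allow entries that include FullAccess.
            $isFullAccess = [bool]($entry.AccessRights -like '*FullAccess*')
            if (-not $isFullAccess)         { continue }
            if ($entry.IsInherited)         { continue }
            if ($entry.Deny)                { continue }
            if ($ExcludeUser -contains $user) { continue }

            # New-Object is used so the function also works on PowerShell 2.0.
            New-Object PSObject -Property @{
                Mailbox  = $mbx.PrimarySmtpAddress.ToString()
                Delegate = $user
            }
        }
    }
}

# Write the report to a CSV file (constructed file name) for review.
Get-FullAccessDelegate |
    Select-Object Mailbox, Delegate |
    Sort-Object Mailbox, Delegate |
    Export-Csv -Path .\FullAccessDelegates.csv -NoTypeInformation
```

Inherited entries are skipped, so the report shows only permissions granted directly on each mailbox.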


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information

For more information about how to enable explicit sign-in in Outlook Web App, go to the following Microsoft website:

For more information about AD RMS, go to the following Microsoft website: