Forum Discussion
zwethuko
Jun 22, 2021Copper Contributor
AIP Scanner - Unable to authenticate and setup Microsoft Azure Information Protection
Hi All,
I'm getting stuck in below issues to test AIP Scanner.
Error
Set-AIPAuthentication :
As I worked through below the steps I had faced the following issue and cannot move forward.
or
https://alberthoitingh.com/2020/07/21/azure-information-protection-scanner-2/
I have done these steps
- Install Win Server 2019 & SQL Express on VM Workstation.
- Install AIP Client
- Install AIP Client on PowerShell and it's running in services.msc
Install-AIPScanner -SqlServerInstance AIPSCANNER\SQLEXPRESS -Profile Cluster1
- Create AD on premise (GG.COM) and installed AD Connect (Express Setting) to Azure AD (testing.onmicrosoft.com)
- Create User on premise (aipscanner) role (Administrator) and sync to Azure AD (aipscanner@testing.onmicrosoft.com) and assigned E5 license.
- Login with GG\aipscanner on Win Server 2019.
- Get APPID, App Secret, Tenant ID from Azure Portal
- I tried to get the token run below the command but no ok.
$pscreds = Get-Credential "testingtenant101.onmicrosoft.com\aipscanner"
Set-AIPAuthentication
-AppId "bac7ce5e-7a0b-40da-bb89-888888888"
-AppSecret "6192e5b8-afb0-49bc-9a0e-888888888"
-TenantId "623c0945-6ee5-42a1-8894-888888888"
-DelegatedUser aipscanner@testing.onmicrosoft.com -OnBehalfOf $pscreds
I think something wrong in authentication on-premise to azure (-DelegatedUser). Please kindly help me to move forward.
- emetowinnerCopper ContributorWhat has worked for me was to delete all the existing DWORD registry records and enter a new registry key following this https://learn.microsoft.com/en-us/azure/information-protection/known-issues#known-issues-aip-scanner-authentication-in-version-21673.
Then I restarted the AIP Scanner Service.
NB: This only worked for "interactive mode" as I'm yet to get it to work for "non-interactive authentication"- GaryBonifaceMS
Microsoft
PS: With latest Information Protection Scanner (aka AIP Scanner) the registry force to ADAL authentication is no longer required (auth issue resolved)
- JXG2300Copper ContributorWere you able to resolve the issue? Any information that you can provide?
- andrevrodriguesCopper ContributorHi,
Yes, try this:
Create the bellow registry , restart the service and check if the authentication is successful this time.
Add the following reg key and put the value of 1 to swap using ADAL authentication, then restart AIP service and run authentication again.
Path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\MSIP
key: AuthenticateUsingAdal
value (DWORD):
1 - ADAL
0 – MSAL- JXG2300Copper ContributorEntered the registry key forcing ADAL authentication and it did not work immediately. Tried switching the registry entry to MSAL and it failed again. Switched back to ADAL and it failed. The scrip was ran the next day and it worked fine. Not sure if that was your experience, but it did end up working. Thank you!
- Victor_LeaCopper ContributorI got the same in a heavily locked down environment. Process of elimination lead me to
https://learn.microsoft.com/en-us/powershell/module/azureinformationprotection/Start-AIPScannerDiagnostics?view=azureipps
As mentioned previously by PeterForster this revealed a connection issue to a https://login.windows.net. We entered the URL into a browser and it was failing due to certificate mismatch via a proxy. Once the root certification authority that generated the certificate was resolved the process completed successfully.- andrevrodriguesCopper ContributorHi,
I'm currently stuck with the same error "Unable to authenticate and setup Microsoft Azure Information Protection".
I have a service account, synced with AAD, all permissions granted in server machine and so on.
I'm executing the command using the -OnBehalfOf.
When i run the "Start-AIPScannerConfiguration" i get success with the connectivity to "*login.windows.net*", "*protection.outlook.com*", "*aadrm.com", connection to database also successfully but then is prompted the error message: "TokenCache is missing for ..." which suggests to run the "Set-AIPAuthentication".
I also verified the requirements regarding Network connectivity (https://learn.microsoft.com/en-us/microsoft-365/compliance/deploy-scanner-prereqs?view=o365-worldwide#windows-server-requirements), but without success so far.
Any suggestions on how to resolve?
Thanks.- mykhanCopper Contributor
Hi, how are you? andrevrodrigues
Were you able to resolve this? I have the same issue:
This is the error message I'm getting:PS C:\Users\*****> Start-AIPScannerDiagnostics
Scanner information:
SQL server: *******.
Cluster: *******.
Scanner user: *******
Connectivity check for: https://login.windows.net/common completed successfully
Connectivity check for: https://dataservice.protection.outlook.com completed successfully
Connectivity check for: https://api.aadrm.com/ completed successfully
Invalid database schema or cannot access the scanner DB. To update the database schema, run Update-AIPScanner. Make sure all nodes run the same AIP client version.
SQL error: Message The database owner SID recorded in the master database differs from the database owner SID recorded in database ‘*******'. You should correct this situation by resetting the owner of database *********' using the ALTER AUTHORIZATION statement.
TokenCache is missing for ***\****. Scanner authentication failed or was reset. Run Set-AIPAuthentication (using OnBehalfOf Parameter if needed) to acquire the authentication token. Learn more at: https://docs.microsoft.com/en-us/powershell/module/azureinformationprotection/set-aipauthentication?view=azureipps
- Millsaps_MajorsCopper ContributorEver get this working? Got the same issue. Thank you
- Stefan NordbergCopper Contributor
Try with the Onpremise account for the OnBehalfOf.
$pscreds = Get-Credential "<local domain>\aipscanner"
- PeterForsterIron ContributorHi,
please make sure that you have connectivity to the AIP Service = Internet access. The error could be caused by that.