Home

Setting AIP Authentication Token For A Service Account (Classic Client)

alexduffellprotirus

We are using the AIP Classic Client to apply classification to documents.

 

We have an internal solution for gathering files to apply classification to and would like to automate the classification of these files.

A dev has created a PowerShell script that takes in a list of files and uses the Set-AIPFileLabel cmdlet to classify all the files passed to the script. We want to move this system into production; however, we have encountered a roadblock.

 

In our production system, the service account we want to use does not have log on locally permissions. It is a service account and has log on as batch rights. We just want to run the script from a Windows task once every arbitrary amount of time.

Before you can use the Set-AIPFileLabel cmdlet, you must first set the aip token with the Set-AIPAuthentication cmdlet.

 

This cmdlet is interactive: when an account can log into the machine, it can run this cmdlet with ease (obviously supplying the $WebAppId, $WebAppKey and $NativeAppId values).

Obviously this interaction is interactive, so I went digging through the Microsoft docs and found the following pages (about the scanner, but hoping the principles transfer):

Deploy the scanner with alternative configurations.

Restriction: The service account for the scanner cannot be granted the Log on locally right

Specify and use the Token parameter for Set-AIPAuthentication

These instructions boil down to:

  • Create a script that runs Set-AIPAuthentication
  • Run the script to generate a token
  • Copy that token back into the script (script would look like this):
    # Values from the two Azure AD app registrations (web app + native app) described in the scanner docs
    $AIPToken = ""      # token obtained from the earlier interactive Set-AIPAuthentication run
    $WebAppId = ""
    $WebAppKey = ""
    $NativeAppId = ""

    # Cache the token for this account so later Set-AIPFileLabel calls need no sign-in prompt
    Set-AIPAuthentication -WebAppId $WebAppId -WebAppKey $WebAppKey -NativeAppId $NativeAppId -Token $AIPToken
  • Copy that script to the server you want to set auth for
  • Create a windows task to call the script, make the service account run the script
  • Run the script, check the service account has a token
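The procedure above, pulled together as one script. This is an added example and not code from the original post or from Microsoft: it assumes the token has already been generated interactively and pasted in, that the file list is a plain text file with one path per line, and that the label GUID, app IDs, task name and paths (all placeholders) are filled in by you. Run it once with -Register as an administrator to create the scheduled task; the task then runs the same script without -Register under the service account, which only needs "Log on as a batch job".

```powershell
# Added example: set the AIP classic-client token non-interactively, then label a list of files.
# Invoked by a scheduled task running as a batch-logon service account (no "log on locally" right).
param(
    [string]$FileListPath = 'C:\AIP\files.txt',   # assumed: one file path per line
    [string]$LabelId      = '<label-guid>',       # assumed: GUID of the label to apply
    [switch]$Register                             # run once as admin to create the task
)

$ErrorActionPreference = 'Stop'

if ($Register) {
    # Store the service account credential with the task so it runs with no session present.
    # LogonType Password needs only the "Log on as a batch job" right, not "Allow log on locally".
    $cred      = Get-Credential -Message 'Service account that will run the labelling task'
    $principal = New-ScheduledTaskPrincipal -UserId $cred.UserName -LogonType Password -RunLevel Limited
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument (
        '-NoProfile -NonInteractive -ExecutionPolicy Bypass -File "{0}" -FileListPath "{1}" -LabelId "{2}"' -f
        $PSCommandPath, $FileListPath, $LabelId)
    $trigger   = New-ScheduledTaskTrigger -Daily -At 02:00
    Register-ScheduledTask -TaskName 'AIP-LabelFiles' -Action $action -Trigger $trigger `
        -Principal $principal -User $cred.UserName -Password $cred.GetNetworkCredential().Password
    return
}

Import-Module AzureInformationProtection

# Placeholders for the two app registrations and the interactively generated token.
# These are secrets: restrict the NTFS ACL on this file to the service account and admins,
# or load them from a store the service account can decrypt, rather than shipping plaintext.
$WebAppId    = '<web-app-id>'
$WebAppKey   = '<web-app-key>'
$NativeAppId = '<native-app-id>'
$AIPToken    = '<token-from-interactive-run>'

# Set the cached token for this account. If the client still tries to open an interactive
# sign-in (the PromptBehavior.Never failure in the post), this throws and the task exits non-zero.
Set-AIPAuthentication -WebAppId $WebAppId -WebAppKey $WebAppKey -NativeAppId $NativeAppId -Token $AIPToken

# Label each listed file; collect per-file results instead of aborting on the first failure.
$results = foreach ($path in (Get-Content -LiteralPath $FileListPath | Where-Object { $_.Trim() })) {
    try {
        Set-AIPFileLabel -Path $path -LabelId $LabelId
    }
    catch {
        [pscustomobject]@{ FileName = $path; Status = 'Failed'; Comment = $_.Exception.Message }
    }
}

# Task Scheduler does not show console output, so persist the run result for review.
$results | Export-Csv -LiteralPath 'C:\AIP\last-run.csv' -NoTypeInformation
$results | Format-Table -AutoSize
```

The -NonInteractive switch on the task's powershell.exe is deliberate: it makes any attempt to prompt fail fast rather than hang the task, which is the symptom you want to see in the log when the cached token is missing or expired.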

When I run the script, no script is created but a log file is generated. Inside is the following error:

One of two conditions was encountered: 1. The PromptBehavior.Never flag was passed, but the constraint could not be honored, because user interaction was required. 2. An error occurred during a silent web authentication that prevented the http authentication flow from completing in a short enough time frame

 

I have passed the token and followed the Microsoft documentation; however, it fails to set the token by what looks to me like an error in logic in the application.

 

The AIP Unified Labelling Client can set auth tokens on behalf of users, this issue affects only the classic client.

 

Repost from Server Fault.
